More stories

  •

    The next generation of the Purism Linux laptop is on its way

    Open Source

    For most Linux desktop users who want a ready-to-run Linux laptop, I recommend the latest high-end Dell XPS 13. I can also suggest System76 or ZaReason PCs or laptops for those who want top-of-the-line Linux hardware. But if privacy, security, and free software are at the top of your “Want” list, then you should check out Purism, maker of free software and Linux-powered laptops, and its next-generation Librem 14 laptop.
    This newest model, which is scheduled to ship in early Q4 2020, comes with the following hardware:
    Screen: 14-inch matte 1920×1080
    CPU: Intel Core i7 10710U, 6 cores and 12 threads
    RAM: up to 64GB
    GPU: Intel UHD Graphics
    Network: Wi-Fi and Gigabit Ethernet card with built-in RJ45 connector
    Storage: 2 x NVMe-capable M.2 slots
    External monitors: support for two displays via HDMI and USB-C
    Power: USB-C power delivery in addition to a standard barrel connector
    Its default low-end configuration, with 8GB of RAM and a 250GB drive, is available for pre-order now at an “early bird” base price of $1199. Later, the same model will, it appears, sell for $1,499.
    But you’re not buying a Purism laptop for its price or hardware specs as you might any other computer. You’re buying it because it puts security and free software first. It starts with PureBoot.
    PureBoot disables part of the Intel Management Engine, leaving only the code essential for the PC to boot. For the BIOS firmware, it uses Coreboot, a free software BIOS replacement.

    The laptop, and other Purism hardware, also comes with a Trusted Platform Module (TPM) chip. This is used by Heads, Purism’s tamper-evident boot software that loads from within Coreboot and uses the TPM and the user’s own GPG keys to detect tampering within the BIOS, kernel, and GRUB config. You can use this with the company’s two-factor authentication Librem Key, a USB security token. This works with Heads to alert the user to tampering with an easy “green light good, red light bad” alert.
    Heads is an open-source computer firmware and configuration tool that aims to provide better physical security and data protection. Purism’s version is built on Trammell Hudson’s Heads security firmware. This firmware combines physical hardening of hardware platforms and flash security features with custom Coreboot firmware and a Linux boot loader in ROM.
    While still not a complete replacement for proprietary AMD or Intel firmware blobs, Heads — by controlling a system from the first instruction the CPU executes to full boot up — enables you to track steps of the boot firmware and configuration.
    Once the system is in a known good state, the TPM acts as a hardware key to decrypt your LUKS encrypted drive. Additionally, the Xen hypervisor, Linux kernel, and initial ramdisk (initrd) images are signed by user-controlled keys.
    Purism’s Debian Linux-based PureOS uses a signed, immutable root filesystem. With this, software exploits that attempt to gain persistence should be detected. While these improvements can’t secure your laptop against every possible attack vector, they harden it against several known classes of boot process attacks.
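    As an added, constructed illustration of the measured-boot and key-sealing mechanism described above (not Heads’ or Purism’s own code), the Python simulation below extends SHA-256 measurements of the firmware, kernel, initrd and GRUB config into a PCR-like register and seals a placeholder disk key to the known-good value, so that a changed GRUB config leaves the key sealed. The sample components, the measurement order and the HMAC-based sealing are assumptions of the simulation.

```python
import hashlib
import hmac

# Constructed sample boot components standing in for the firmware, kernel, initrd
# and GRUB config that Heads measures. They are not real images or Heads' own data.
KNOWN_GOOD = {
    "bios": b"coreboot image (constructed sample)",
    "kernel": b"vmlinuz (constructed sample)",
    "initrd": b"initrd.img (constructed sample)",
    "grub.cfg": b"set default=0\nlinux /vmlinuz root=/dev/mapper/root\n",
}

# A PCR starts at all zeros and can only be extended, never written directly.
PCR_INITIAL = bytes(32)
# Extend is order-sensitive, so the measurement order is part of the policy (assumed here).
MEASURE_ORDER = ("bios", "kernel", "initrd", "grub.cfg")
TAG_LEN = 32


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """SHA-256 PCR extend: new_pcr = H(old_pcr || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components: dict) -> bytes:
    """Hash each component and extend it into a simulated PCR; return the final value."""
    pcr = PCR_INITIAL
    for name in MEASURE_ORDER:
        pcr = pcr_extend(pcr, hashlib.sha256(components[name]).digest())
    return pcr


def _keys(pcr: bytes):
    # Policy key derived from a PCR value, plus a one-block keystream for the secret.
    key = hashlib.sha256(b"seal-policy|" + pcr).digest()
    stream = hashlib.sha256(b"stream|" + key).digest()
    return key, stream


def seal(secret: bytes, expected_pcr: bytes) -> bytes:
    """Simulated TPM sealing: bind a secret (up to 32 bytes) to an expected PCR value.

    The HMAC tag lets unseal() fail cleanly on a mismatched PCR instead of returning
    garbage, mirroring a TPM refusing to unseal under the wrong policy.
    """
    if len(secret) > 32:
        raise ValueError("this simulation seals at most 32 bytes")
    key, stream = _keys(expected_pcr)
    ciphertext = bytes(s ^ k for s, k in zip(secret, stream))
    return ciphertext + hmac.new(key, ciphertext, hashlib.sha256).digest()


def unseal(blob: bytes, current_pcr: bytes):
    """Return the secret when current_pcr matches the sealing policy, else None."""
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    key, stream = _keys(current_pcr)
    if not hmac.compare_digest(hmac.new(key, ciphertext, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def boot_check(components: dict, sealed_blob: bytes):
    """Heads-style verdict: ("GREEN", disk_key) when the measured state matches the
    state the key was sealed to, ("RED", None) when any measured component changed."""
    disk_key = unseal(sealed_blob, measure_boot(components))
    return ("GREEN", disk_key) if disk_key is not None else ("RED", None)


if __name__ == "__main__":
    # Constructed placeholder for LUKS key material; a real key would come from the user.
    disk_key = b"constructed-disk-key-material"
    sealed = seal(disk_key, measure_boot(KNOWN_GOOD))
    print("known-good boot:", boot_check(KNOWN_GOOD, sealed)[0])
    # Change one byte of the GRUB config: the PCR chain diverges and the key stays sealed.
    tampered = {**KNOWN_GOOD, "grub.cfg": b"set default=1\nlinux /vmlinuz root=/dev/mapper/root\n"}
    print("tampered grub.cfg:", boot_check(tampered, sealed)[0])
```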
    PureOS is one of the few GNU/Linux distributions to be endorsed by the Free Software Foundation (FSF). PureOS earned this endorsement, according to Donald Robertson, FSF Licensing and Compliance Manager: “An operating system like PureOS is a giant collection of software, much of which in the course of use encourages installation of even more software like plugins and extensions. Issues are inevitable, but the team behind PureOS worked incredibly hard to fix everything we identified.”
    This Linux distro uses the GNOME desktop. Currently, PureOS uses the Firefox Extended Support Release (ESR) as its default web browser on PureOS 9 Amber. But the company is moving to the GNOME Epiphany web browser in its next release, PureOS 10 Byzantium. With both, Purism edits the programs to make them more free-software friendly and more secure.
    To help lock down its applications, PureOS ships some programs confined by AppArmor. This, like SELinux, is a Linux mandatory access control system: it restricts access per program rather than per user, using profiles loaded into the Linux kernel. Purism also uses the Flatpak packaging system for extra security. Flatpak-installed programs, like Snaps, run in sandboxed containers, so they can’t interfere with each other.
    Last, but not least, Purism comes with hardware kill switches to physically disconnect the camera and mic and/or Wi-Fi and Bluetooth to keep snoopers away.
    For those who are truly paranoid, you can use Purism’s anti-interdiction services for added security in transit to verify your new laptop has not been tampered with during shipment.
    Todd Weaver, Purism’s CEO and founder, said: “I am beyond excited to see the Librem laptop journey arrive at the build quality and specifications in the Librem 14. This fifth version of our line is the culmination of our dream device rolled into a powerful professional laptop. We have invested heavily so every customer will be proud to carry our laptops, and the Librem 14 will be the best one yet.”
    I’ve been using Purism’s Librem 15 myself over the last few months. This system, which comes with a 3.50GHz Core i7 Kaby Lake Processor, 8GB of RAM, and a 256GB SSD, has worked well for me. I’m sure that, for any user whose top requirements are security and free software, the new Librem 14 will make you happy, too.

  •

    Google Meet adds zoombombing protection for education customers

    Google will block anonymous users from joining Google Meet video conferences organized by educational institutions, such as schools, colleges, and universities.
    The new security feature, announced earlier today, will prevent users who are not signed into a Google account from joining and then disrupting a Google Meet conference organized by an educational organization.
    Since the onset of the coronavirus (COVID-19) pandemic, many schools have been forced to hold classes online, on video conferencing platforms, and have been often interrupted by pranksters.
    In many cases, attending students share links to their online classroom (video conference) on Discord channels, Reddit, or Twitter, and ask pranksters to crash their class so they can leave earlier.

    This type of behavior is commonly referred to as “zoombombing,” where anonymous users connect to video conferences to disrupt meetings by playing loud sounds or pornographic videos, or hurling insults and making death threats.

    The name is derived from the Zoom video conferencing software but the term is now generally used to refer to similar user behavior on all types of video conferencing platforms, not just Zoom — the platform where it was initially spotted.
    In other cases, zoombombers have gone even farther than interrupting classes and have also disrupted local and federal government meetings across the US.
    These constant disruptions to local meetings eventually forced the Department of Justice in April to go public with a press release threatening to prosecute zoombombers.
    Zoom rolled out multiple features to protect meetings against zoombombing disruptions earlier this spring but Google has lagged behind, despite having a large market share in the educational sector, where it offers Google Meet under G Suite for Education and G Suite Enterprise for Education licenses at discounted prices.
    But in a G Suite changelog entry today, Google said it’s now enabling a new feature that will block anonymous users from joining Google Meet conferences organized by educational organizations.
    The feature will be turned on by default for all organizations with a G Suite for Education and G Suite Enterprise for Education license over the next 15 days.
    Google said there’s no way the feature can be disabled unless administrators personally contact Google to have it disabled, in the event they don’t need the protection.

  •

    Remote working: This free tool tests how good your security really is

    Remote workers can learn how to keep themselves – and their organisation – secure from cyber attacks with the aid of a new set of free tools and roleplay exercises from the National Cyber Security Centre.
    The ‘Home and Remote Working’ exercise has been added to the NCSC’s Exercise in a Box, a toolkit designed to help small and medium-sized businesses prepare to defend against cyber attacks by testing employees with scenarios based around real hacking incidents – and lessons on how to respond.
    Designed by the NCSC – the part of GCHQ with the role of keeping the UK safe from cyber attacks – the latest toolkit reflects the rise in remote working over the course of 2020 as a result of the lockdown imposed by the coronavirus pandemic, and how hackers have looked to take advantage.
    The exercises focus on how staff members can safely access networks, what services might be needed for secure employee collaboration, and what processes are in place to manage a cyber incident remotely.
    As part of the exercises – which are available to download for free – employees are provided information about processes and knowledge about boosting cyber security and are tested on what they learned.

    “We know that businesses want to do all they can to keep themselves and their staff safe while home working continues, and using Exercise in a Box is an excellent way to do that. While cyber security can feel daunting, it doesn’t have to be, and the feedback we have had from our exercises is that they’re fun as well as informative,” said Sarah Lyons, NCSC deputy director for economy and society engagement.
    “I would urge business leaders to treat Exercise in a Box in the same way they do their regular fire drills – doing so will help reduce the chances of falling victim to future cyber attacks,” she added.
    The Home and Remote Working toolkit is the tenth series of scenarios in Exercise in a Box, which launched last year to help organisations prepare their employees for an attack by hackers. Other exercises include scenarios based around real ransomware attacks, losing devices, and a cyber attack simulator which imitates hackers targeting the organisation to test the response.
    According to the NCSC, more exercises will be added soon, allowing businesses to help protect against a wider range of attacks and incidents.
    The NCSC has previously published guidance on boosting the cybersecurity of employees who are working from home. The advice includes ensuring that access to systems is secured by strong passwords and, if available, two-factor authentication.

  •

    Abode: Smartly integrated security and home automation

    The Abode Smart Security Kit
    Abode is a great name for a home security system. Unfortunately, for someone who has been working and writing about Adobe products for decades, it is also hard on muscle memory. So before we dig in, let’s be clear:

    Abode: A place of residence. Also, the name of a new smart home security system.
    Adobe: A building material and type of home built with that material. Also, the name of a maker of mission-critical creative applications like Photoshop.
    It makes my brain hurt. And… it gets more confusing.
    Abode makes two very similar products, the Iota Security Kit and the Smart Security Kit. Both kits are smart, in that they integrate with your smart home devices. The difference is the Smart Security Kit comes with a hub and connects to your router over Ethernet, while the Iota Security Kit connects over Wi-Fi and has a built-in camera.
    Both connect to a wide variety of sensors and add-on devices and — most interestingly — both talk with all your other connected Google Home, Alexa, and HomeKit devices. Heck, these things even work by design with IFTTT.
    The use case for the $229 all-in-one Iota seems best for a small apartment. You put one of these in your main room, set it, and forget it. The Smart Security Kit seems more appropriate for a larger installation, like a house. I’ll be reviewing the $199 Smart Security Kit, which the folks at Abode were kind enough to supply to me for this review.
    The Smart Security Kit

    Don’t expect to spend only $199 if you choose the Smart Security Kit. That’s your table stakes. The kit comes with the Gateway device, a motion sensor, and exactly one window sensor. It comes with a key fob you can use for activation, although you can also use the Abode app or an add-on keypad.
    The company offers a wide variety of add-on sensors, both in format and function. There are regular and wide-angle motion sensors, various form-factor door and window sensors, an external camera, and a multi-sensor that also tracks heat and humidity. Most of the basic sensors are in the 30 dollar range.
    The average house has eight windows and two doors, so expect to add roughly another $210 to that $199 to fully protect your home.
    One nice feature of the gateway is that it also includes a 93 dB siren, which can be triggered in the event of an emergency or break-in. Abode also offers add-on sirens. The indoor siren is $50 and the outdoor siren is $90.
    What security systems used to be like
    It used to be that, if you wanted a security system, you had to turn to a service like ADT, or figure out how to configure your own setup — which was a non-trivial effort. Most security systems were so complex that an entire industry of installers was needed not only to physically place the devices, but also to program them using keypad codes.
    I programmed my last security system, which was one of these old-school devices, but it was far from straightforward. I spent quite a few hours on the phone with the alarm company configuring all the special codes and sequences that would get our alarm up and running.
    By contrast, configuring the Abode gateway was a breeze. Once you install the Abode app, all you need to do is select the Gateway and run through some simple, very app-like configuration steps. It took just a few minutes and is one of the more compelling selling points of the Abode.
    Abode automations
    Abode’s automation capabilities are the really big win with this product. Unfortunately, to use them to their fullest, you need to subscribe to the Abode monitoring service. At $6 per month, it’s not a huge sacrifice — and that gets you a lot of additional options, including notification of emergency services in case of emergency.
    But let’s talk about the automations. These work like email filters: when an event happens, they perform an action, but only if a specified condition is true. This takes the Abode system well out of the realm of just an alarm system and turns it into a smart input device for your smart home.

    Grow your own automations.
    Let’s say you want to air out your house because it’s nice outside. You probably don’t want your air conditioner blasting while you’re doing so. You can set a condition that says if a window is open, but you’re still at home, shut off the AC. You can use a motion sensor to turn a light on when you enter the kitchen at night. You can use a temperature sensor to trigger a thermostat if, say, the upstairs office gets too hot.
    As I mentioned earlier, Abode works with IFTTT, Alexa, Google Home, and Apple’s HomeKit, which makes it a very capable system.

    Final thoughts
    As a home security system, Abode is not all that different from Nest or Simplisafe, or all of the other modern app-enabled security systems. It supports its own selection of sensors, reports back to its own monitoring service, and requires a fee for more advanced features.
    But where Abode does stand out is its automation capability. While sensor input can work with other hubs (my Samsung SmartThings Hub, for example, takes in sensor input and triggers actions), the Abode links those actions with all the key smart home environments. If you don’t have some other smart home hub, getting the Abode gets you one, along with that full alarm system.
    But, and this is my warning for Abode, the primary advantage of this product is software-based — a well-designed app. Well-designed apps for IoT devices are being implemented everywhere. If Abode wants to keep its advantage, I encourage them to continue to innovate and add features to their smart home app, focusing on ease of use and depth of capability.
    Most smart home systems break down when it comes to factoring in multiple conditions. For example, no code-free smart home system can handle a condition like “these three sensors have triggered, these two have not, it’s after 6pm but before midnight, and Dad isn’t home.” These are the kinds of automations that might give Abode a substantial advantage, and we hope to see them move in that direction.
    Bottom line is, as an alarm system, the Abode is price and feature competitive. But as a smart home system with an alarm, the Abode system is stand-out – for now.


  •

    This botnet has surged back into action spreading a new ransomware campaign via phishing emails

    A notorious botnet campaign has surged in activity over the past month, with cyber criminals using it to distribute a ransomware campaign alongside other malware.
    Researchers at cybersecurity provider Check Point analysed the most common cyber threats targeting organisations for its June 2020 Most Wanted Malware report and saw a huge rise in attacks coming via the Phorpiex botnet.


    Phorpiex is known for distributing a number of malware and spam campaigns, including large-scale sextortion email campaigns, but over the course of June the number of detections increased significantly compared to May.
    The rise in Phorpiex detections grew to such an extent that it was the second most detected malware campaign during June, having been ranked at 13 in May. The number of attempted attacks was so high that 2% of organisations were targeted by the botnet.

    The botnet sends out spam emails that attempt to deliver a malicious payload to victims. Over the past month it’s been used to power an Avaddon ransomware campaign.
    This particular ransomware family only appeared in June, and Phorpiex attempts to lure victims into opening a Zip file attachment in a phishing email that uses a wink emoji as the subject. It might sound like a basic form of cyberattack, but criminals wouldn’t be using it if it didn’t work.
    Previously, Phorpiex – which is also known as Trik – has been used to distribute spam campaigns for other forms of ransomware, including GandCrab and Pony, as well as being used to mine for cryptocurrency on infected machines.
    “Organisations should educate employees about how to identify the types of malspam that carry these threats, such as the latest campaign targeting users with emails containing a wink emoji, and ensuring they deploy security that actively prevents them from infecting their networks,” warned Check Point researchers in a blog post.
    While Phorpiex attacks have risen significantly, the most commonly detected malware during June was Agent Tesla, an advanced remote access trojan that was detected targeting 3% of organisations.
    Agent Tesla is an information stealer and a keylogger, providing attackers with the ability to see absolutely everything on the infected computer, including usernames, passwords, browser history, system information and more – everything needed to very much compromise a network.
    June’s third most detected malware was XMRig, an open-source cryptocurrency mining malware that uses CPU power of infected machines to generate Monero. It has been active since May 2017.
    The remainder of the top 10 most wanted malware for June is made up of familiar names including Dridex, Trickbot, Ramnit and Emotet that have long been staples of cyber-criminal activity, either by stealing information themselves, or being used as a stepping stone for much more destructive campaigns. For example, Trickbot and Emotet are often used as the first stage of large-scale ransomware attacks.
    Many of the common forms of malware rely on exploits and vulnerabilities that have long been known, so can be protected against by applying security patches, which in some cases have been available for years.

  •

    Has your iPhone, iPad, or iPod touch been hacked? Here's how to find out

    Has your iPhone, iPad, or iPod touch been hacked? Probably not, but there’s so much information on a smartphone — not to mention the fact that it can also be used to precisely pinpoint its owner — that more and more tools exist to help unscrupulous people get a foot in the door of your digital fortress.

    The good news is that tools exist to help you determine whether your device has been compromised. One such tool that I’ve been testing is Certo AntiSpy.
    Certo AntiSpy is not an app. Instead, it is a utility that you download and install on a Windows PC or Mac, and you use that to scan a backup of your iOS or iPadOS device for subtle signs of intrusion.
    You do need a local backup of your device — which under macOS Catalina is made with Finder rather than iTunes — but having a local backup of your device is not a bad thing, so this tool can also help you prevent data loss.

    How Certo AntiSpy works is easy. You make a local backup of your device, and then you let it loose on it. It scans for jailbreaks, looks for spyware, and will warn you if known tracking apps are installed.
    Additionally, it also carries out a privacy audit on the apps you have installed, giving you an at-a-glance view of which apps have access to your location, microphone, or camera.
    It’s quick too, with a scan of a packed iPhone taking a few minutes.
    As with most good things in life, Certo AntiSpy is not free. It’s offered as a yearly subscription package in three tiers — Basic is aimed at home users for $29.95 per year, Pro is $49.95 per year, and Ultimate, aimed at businesses or customers with many devices, is $89.95 per year.

    Don’t want to spend money on a tool to scan your iPhone? Then one of the best security measures you can take with an iPhone or iPad is to reboot it regularly — hacks and jailbreaks don’t survive that.

  •

    What is ransomware? Everything you need to know about one of the biggest menaces on the web

    What is ransomware?
    Ransomware is one of the biggest security problems on the internet and one of the biggest forms of cybercrime that organisations face today. Ransomware is a form of malicious software – malware – that encrypts files and documents on anything from a single PC all the way up to an entire network, including servers. Victims can often be left with few choices; they can either regain access to their encrypted network by paying a ransom to the criminals behind the ransomware, or restore from backups or hope that there is a decryption key freely available.
    Some ransomware infections start with someone clicking on what looks like an innocent attachment that, when opened, downloads the malicious payload and encrypts the network.
    Other, much larger ransomware campaigns use software exploits and flaws, cracked passwords and other vulnerabilities to gain access to organisations through weak points such as internet-facing servers or remote-desktop logins. The attackers will secretly hunt through the network until they control as much as possible – before encrypting all they can.
    It can be a headache for companies of all sizes if vital files and documents, networks or servers are suddenly encrypted and inaccessible. Even worse, after you are attacked with file-encrypting ransomware, criminals will brazenly announce they’re holding your corporate data hostage until you pay a ransom in order to get it back.

    It might sound too simple, but it’s working.
    What is the history of ransomware?
    While ransomware exploded last year, increasing by an estimated 748%, it’s not a new phenomenon: the first instance of what we now know as ransomware appeared in 1989.
    Known as AIDS or the PC Cyborg Trojan, the virus was sent to victims – mostly in the healthcare industry – on a floppy disc. The ransomware counted the number of times the PC was booted: once it hit 90, it encrypted the machine and the files on it and demanded the user ‘renew their license’ with ‘PC Cyborg Corporation’ by sending $189 or $378 to a post office box in Panama.

    The AIDS demand for payment – by post. (Image: Sophos)
    How did ransomware evolve?
    This early ransomware was a relatively simple construct, using basic cryptography that mostly just changed the names of files, making it relatively easy to overcome.
    But it set off a new branch of computer crime, which slowly, but surely, grew in reach – and really took off in the internet age. Before they began using advanced cryptography to target corporate networks, hackers were targeting general internet users with basic ransomware.
    One of the most successful variants was ‘police ransomware’, which tried to extort victims by claiming the PC had been encrypted by law enforcement. It locked the screen with a ransom note warning the user they’d committed illegal online activity, which could get them sent to jail.
    However, if the victim paid a fine, the ‘police’ would let the infringement slide and restore access to the computer by handing over the decryption key. Of course, this wasn’t anything to do with law enforcement – it was criminals exploiting innocent people.

    An example of ‘police ransomware’ threatening a UK user. (Image: Sophos)
    While somewhat successful, these forms of ransomware often simply overlaid their ‘warning’ message on the user’s display – and rebooting the machine could get rid of the problem and restore access to files that were never really encrypted.
    Criminals learned from this and now the majority of ransomware schemes use advanced cryptography to truly lock down an infected PC and the files on it.
    What are the main types of ransomware?
    Ransomware is always evolving, with new variants continually appearing in the wild and posing new threats to businesses. However, there are certain types of ransomware that have been much more successful than others.
    The most prolific family of ransomware during 2020 so far is Sodinokibi, which has plagued organisations around the world since emerging in April 2019.
    Also known as REvil, this ransomware has been responsible for encrypting the networks of a large number of high-profile organisations, including Travelex and a New York law firm with celebrity clients.
    The gang behind Sodinokibi spend a long time laying the groundwork for an attack, stealthily moving across the compromised network to ensure that everything possible can be encrypted before the ransomware attack is launched.
    Those behind Sodinokibi have been known to demand payments of millions of dollars in exchange for decrypting the data. And given the hackers often gain full control of the network, those organisations that refuse to pay the ransom after falling victim to Sodinokibi also find the gang threatening to release stolen information if the ransom isn’t paid.
    Sodinokibi isn’t the only ransomware campaign that threatens to leak data from victims as additional leverage for extorting payment; ransomware gangs like Maze, Doppelpaymer and Ragnarlocker also threaten to publish stolen information if the victim doesn’t pay up.
    New ransomware families are emerging all the time while others suddenly disappear or go out of fashion, with novel variations constantly emerging on underground forums. Any of the top forms of ransomware right now could be yesterday’s news in just a few months.
    For example, Locky was once the most notorious form of ransomware, creating havoc within organisations around the world throughout 2016, spreading via phishing emails. Locky remained successful because those behind it regularly updated the code to avoid detection. They even updated it with new functionality, including the ability to make ransom demands in 30 languages, so criminals can more easily target victims around the world. At one point Locky became so successful, it rose to become one of the most prevalent forms of malware in its own right. However, under a year later it appeared to have disappeared and has remained unheard of since.
    The following year, it was Cerber that became the most dominant form of ransomware, accounting for 90% of ransomware attacks on Windows in April 2017. One of the reasons Cerber became so popular was the way it was distributed as ‘ransomware-as-a-service’, allowing users without technical know-how to conduct attacks in exchange for some of the profits going back to the original authors.
    While Cerber seemed to disappear by the end of 2017, it pioneered the ‘as-a-service’ model that is popular with many forms of ransomware today.
    Another successful form of ransomware in 2017 and 2018 was SamSam, which became one of the first families to become notorious not just for charging a ransom of tens of thousands of dollars for the decryption key, but for exploiting unsecured internet-facing systems as a means of infection and spreading laterally across networks.
    In November 2018, the US Department of Justice charged two hackers working out of Iran with creating SamSam ransomware, which is reported to have made over $6m in ransom payments over the course of a year. Shortly afterwards, SamSam appeared to cease as an active form of ransomware.
    Throughout 2018 and 2019, another family of ransomware that proved problematic for both businesses and home users was GandCrab, which Europol described as “one of the most aggressive forms of ransomware” at the time.
    GandCrab operated ‘as-a-service’ and received regular updates, meaning that even when security researchers cracked it and were able to release a decryption key, a new version of the ransomware with a new method of encryption would appear soon after.
    Highly successful throughout the first half of 2019 in particular, the creators of GandCrab suddenly announced the operation was shutting down, claiming to have made $2.5 million a week from leasing it out to other cyber-criminal users. GandCrab disappeared a few weeks later, although it appears as if the attackers could have just switched their focus to another campaign; researchers have suggested strong similarities in the code of GandCrab when compared to Sodinokibi, which is still going strong in 2020.
    What is WannaCry ransomware?
    In the biggest ransomware attack to date, WannaCry – also known as WannaCrypt and Wcry – caused chaos across the globe in an attack that started on Friday 12 May 2017.
    WannaCrypt ransomware demands $300 in bitcoin for unlocking encrypted files – a price that doubles after three days. Users are also threatened, via a ransom note on the screen, with having all their files permanently deleted if the ransom isn’t paid within a week.

    WannaCry ransomware infected Windows XP systems across the globe.
    Image: Cisco Talos
    More than 300,000 systems in over 150 countries were infected over the course of one weekend, with businesses, governments, and individuals across the globe all affected.
    Healthcare organisations across the UK had systems knocked offline by the attack, forcing patient appointments to be cancelled and leading hospitals to tell people to avoid visiting Accident and Emergency departments unless it was entirely necessary.
    Of all the countries affected by the attack, Russia was hit the hardest, according to security researchers, with the WannaCry malware crashing Russian banks, telephone operators, and even IT systems supporting transport infrastructure. China was also hit hard by the attack, with 29,000 organisations in total falling victim to this particularly vicious form of ransomware.
    Other high-profile targets included the car manufacturer Renault, which was forced to halt production lines in several locations as the ransomware played havoc with systems.
    The ransomware worm was so potent because it spread using EternalBlue, an exploit for a flaw in the SMBv1 file-sharing protocol implementation in Windows. EternalBlue was one of several exploits apparently developed by the NSA before being leaked by the Shadow Brokers hacking group in April 2017. Microsoft had already fixed the flaw in March 2017 (security bulletin MS17-010), two months before the outbreak – but only for operating systems that were still supported, so unpatched and end-of-life machines remained wide open.
    In response to the attack, Microsoft took the unprecedented step of issuing patches for unsupported operating systems, including Windows XP, to protect against the malware.
    Security services in the US and the UK have since pointed to North Korea as being the perpetrator of the WannaCry ransomware attack, with the White House officially declaring Pyongyang as the source of the outbreak.
    However, North Korea has labelled accusations that it was behind WannaCry as “absurd”.
    No matter who was ultimately behind WannaCry, if the goal of the scheme was to make large amounts of money, it failed – only about $100,000 was paid.
    It was almost three months before the WannaCry attackers finally withdrew the funds from the WannaCry bitcoin wallets – they made off with a total of $140,000 thanks to fluctuations in the value of bitcoin.
    But despite critical patches being available to protect systems from WannaCry and other attacks exploiting the SMBv1 vulnerability, a large number of organisations seemingly chose not to apply the updates.
    It's thought that this is the reason LG suffered a WannaCry infection in August 2017 – three months after the initial outbreak. The company has since said it has applied the relevant patches.
    The public dump of the EternalBlue exploit behind WannaCry has led to various hacking groups attempting to leverage it to boost their own malware. Researchers have even documented a campaign targeting European hotels by APT28 – a Russian hacking group linked with meddling in the US presidential election – that uses the leaked NSA exploit.
    What was NotPetya ransomware?
    A little over a month after the WannaCry ransomware outbreak, the world was hit with another global ransomware attack.
    This cyberattack first hit targets in Ukraine, including its central bank, main international airport, and even the Chernobyl nuclear facility, before quickly spreading around the globe, infecting organisations across Europe, Russia, the US, and Australia.
    After some initial confusion as to what this malware was – some said it was Petya, some said it was something else, hence the name NotPetya – researchers at Bitdefender came to the conclusion that the outbreak was down to a modified version of Petya ransomware, combining elements of GoldenEye – a particularly vicious relative of Petya – and WannaCry ransomware into extremely potent malware.

    Petya ransom note.
    Image: Symantec
    NotPetya also used the EternalBlue exploit that gave WannaCry its worm-like ability to spread through networks on its own, rather than relying on a user opening an email attachment as is often the case with ransomware.
    However, NotPetya is a much more vicious attack. Not only does it encrypt victims' files, it also overwrites the master boot record (MBR) and encrypts the disk's file system structures, so the machine can't load the operating system or do anything at all.
    The attackers demanded $300 in bitcoin and told victims to send proof of payment to a single email address, which the email provider quickly shut down. That such a technically sophisticated piece of malware relied on this very basic, manual mechanism for handling ransoms led some to suggest that money wasn't the goal.
    This led many to believe the ransom note was just a cover for the real purpose of the malware: to cause mayhem by irrecoverably wiping data from infected machines.
    Whatever the aim of the attack, it significantly impacted the finances of the organisations that became infected. UK consumer goods firm Reckitt Benckiser said it lost £100m in revenue as a result of falling victim to Petya.
    But that’s a relatively modest loss in comparison to other victims of the attack: shipping and supply vessel operator Maersk and goods delivery company FedEx have both estimated losses of $300m due to the impact of Petya.
    In February 2018, the governments of the United Kingdom, the United States, Australia and others officially declared that the NotPetya ransomware had been the work of the Russian military. Russia denies any involvement.
    What is Bad Rabbit ransomware?
    October 2017 saw the third high-profile ransomware attack of the year when organisations in Russia and Ukraine fell victim to a new variant of Petya ransomware.
    Dubbed Bad Rabbit, it infected at least three Russian media organisations while also infiltrating the networks of several Ukrainian organisations including the Kiev Metro and Odessa International Airport – at the time, the airport said it had fallen victim to a ‘hacker attack’.
    The initial attack vector used to distribute Bad Rabbit was drive-by downloads on hacked websites – some of which had been compromised since June. No exploits were used, rather visitors were told they had to install a phony Flash update, which dropped the malware.

    Bad Rabbit ransom note.
    Image: Kaspersky Lab
    Like NotPetya before it, Bad Rabbit spread through networks using a leaked NSA hacking tool – but this time it was the EternalRomance SMB exploit rather than EternalBlue. Both target SMBv1 flaws covered by the same March 2017 patch (MS17-010), so systems that had applied it were protected against this lateral movement too.
    Analysis of Bad Rabbit showed that it shared much of its code – at least 67% – with Petya, and researchers at Cisco Talos concluded that this, combined with how it uses SMB exploits, gives "high confidence" in a link between the two forms of ransomware – they could even share the same author.
    Bad Rabbit was named after the text that appeared at the top of the Tor website hosting the ransom note. Some security researchers joked it should’ve been named after the lines in the code referencing characters from Game of Thrones.
    How much will a ransomware attack cost you?
    Obviously, the most immediate cost associated with becoming infected with ransomware – if it’s paid – is the ransom demand, which can depend on the type of ransomware or the size of your organisation.
    Ransomware attacks can vary in size but it’s becoming increasingly common for hacking gangs to demand millions of dollars in order to restore access to the network. And the reason hacking gangs are able to demand this much money is, put simply, because plenty of organisations will pay.
    That’s especially the case if the network being locked with ransomware means that organisation can’t do business – they could lose large amounts of revenue for each day, perhaps even every hour, the network is unavailable. It’s estimated that the NotPetya ransomware attack cost shipping firm Maersk up to $300m in losses.
    If an organisation chooses not to pay the ransom, not only will they find themselves losing revenue for a period of time that could last weeks, perhaps months, they’ll likely find themselves paying a large sum for a security company to come in and restore access to the network. In some cases, this might even cost more than the ransom demand, but at least in this instance the payment is going to a legitimate business rather than funding criminals.
    Whichever way the organisation deals with a ransomware attack, it’ll also have a financial impact going forward; because to protect against falling victim again, an organisation will need to invest in its security infrastructure, even if that means ripping out the network and starting over again.
    On top of all of this, there’s also the risk of customers losing trust in your business because of poor cybersecurity and taking their business elsewhere.
    Why should businesses worry about ransomware?
    To put it simply: ransomware could ruin your business. Being locked out of your own files by malware for even just a day will impact on your revenue. But given that ransomware takes most victims offline for at least a week, or sometimes months, the losses can be significant. Systems go offline for so long not just because ransomware locks the system, but because of all the effort required to clean up and restore the networks.
    And it isn’t just the immediate financial hit of ransomware that will damage a business; consumers become wary of giving their data to organisations they believe to be insecure.

    A spam email claiming the target has purchased a flight – complete with fake invoice containing the ransomware.
    Image: Symantec
    Why are small businesses targets for ransomware?
    Small and medium-sized businesses are a popular target because they tend to have poorer cybersecurity than large organisations. Despite that, many SMEs falsely believe they’re too small to be targeted – but even a ‘smaller’ ransom of a few hundred dollars is still highly profitable for cyber criminals.
    Why is ransomware so successful?
    You could say there’s one key reason why ransomware has boomed: because it works. All it takes for ransomware to gain entry to your network is for one user to slip up and launch a malicious email attachment, or to re-use a weak password.
    If organisations weren’t giving in to ransom demands, criminals would stop using ransomware. But businesses do need access to data in order to function so many are willing to pay a ransom and get it over and done with.
    Meanwhile, for criminals it’s a very easy way to make money. Why spend time and effort developing complex code or generating fake credit cards from stolen bank details if ransomware can result in instant payments of hundreds or even thousands of dollars from large swathes of infected victims at once?
    What does bitcoin and other cryptocurrency have to do with the rise of ransomware?
    The rise of cryptocurrencies like bitcoin has made it easy for cyber criminals to receive payments extorted with this type of malware without handing the authorities an obvious way to identify the perpetrators.
    Victims are asked to pay to a bitcoin address rather than a bank account. Bitcoin isn't truly untraceable – every transaction is recorded on the public blockchain – but addresses aren't tied to a real-world identity, which makes it a convenient currency for criminals who want their financial activities to remain hidden.
    Cyber-criminal gangs are constantly becoming more professional – many even offer customer service and help for victims who don’t know how to acquire or send bitcoin, because what’s the point of making ransom demands if users don’t know how to pay? Some organisations have even hoarded some of the cryptocurrency in case they get infected or their files are encrypted and have to pay in bitcoin in a hurry.

    Globe3 ransom demand for 3 Bitcoin – including a ‘how to’ guide for those who don’t know how to buy it.
    Image: Emsisoft Lab
    How do you prevent a ransomware attack?
    With large numbers of ransomware attacks starting with attackers exploiting insecure internet-facing services – Remote Desktop Protocol (RDP) in particular – one of the key things an organisation can do to prevent itself falling victim is to make sure those ports aren't exposed to the internet unless it's essential, and to put them behind a VPN or gateway when remote access is genuinely needed.
    Where remote access is necessary, accounts should have strong, unique passwords so that criminals looking to deploy ransomware can't simply brute-force their way in, and repeated failed logons should trigger lockout or rate limiting and be monitored. Applying two-factor authentication to these accounts adds another barrier: a guessed or stolen password alone is no longer enough, and unexpected second-factor prompts are themselves a warning that someone is trying to get in.
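    One way to spot the brute-force and password-spraying activity described above is to watch failed logons against the remote-access service. The following is an added example written for this article, not code from any of the vendors or researchers it cites. It assumes failed and successful logon events have been exported from the Windows Security log one per line in a constructed layout (timestamp, event ID, account, source IP, logon type); the sample lines are constructed for the example, and the thresholds are illustrative starting points rather than recommended values.

```python
# Added example, not code from the original article: flag brute-force and
# password-spray attempts against an exposed RDP service using logon records
# exported from the Windows Security log.
# Assumptions: the export is one event per line as
#   "<ISO timestamp> <event ID> <account> <source IP> <logon type>"
# (a constructed layout); 4625 = failed logon, 4624 = successful logon,
# logon type 10 = RemoteInteractive, i.e. RDP.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source hammers several accounts over RDP and finally
# gets in; a legitimate user mistypes once; one event is a local (type 2) logon.
SAMPLE_LOG = """\
2020-06-01T02:14:01Z 4625 administrator 203.0.113.9 10
2020-06-01T02:14:03Z 4625 administrator 203.0.113.9 10
2020-06-01T02:14:05Z 4625 admin 203.0.113.9 10
2020-06-01T02:14:07Z 4625 backup 203.0.113.9 10
2020-06-01T02:14:09Z 4625 svc_sql 203.0.113.9 10
2020-06-01T02:14:11Z 4625 jsmith 203.0.113.9 10
2020-06-01T02:14:13Z 4625 administrator 203.0.113.9 10
2020-06-01T02:14:15Z 4625 administrator 203.0.113.9 10
2020-06-01T02:14:17Z 4625 administrator 203.0.113.9 10
2020-06-01T02:14:19Z 4625 administrator 203.0.113.9 10
2020-06-01T02:14:21Z 4624 administrator 203.0.113.9 10
2020-06-01T08:00:00Z 4625 jsmith 192.0.2.44 10
2020-06-01T08:00:30Z 4624 jsmith 192.0.2.44 10
2020-06-01T09:10:00Z 4625 jsmith 10.0.0.5 2
"""


def parse_event(line):
    """Split one exported line into (timestamp, event_id, account, src_ip, logon_type)."""
    ts, event_id, account, src_ip, logon_type = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            int(event_id), account.lower(), src_ip, int(logon_type))


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5),
                          spray_accounts=3):
    """Return a dict keyed by source IP for every source that produced at least
    `threshold` failed RDP logons inside a sliding `window`. Each entry records
    the peak failure count, the distinct accounts tried, whether that looks like
    password spraying, and whether a successful RDP logon followed."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    recent = defaultdict(deque)   # src_ip -> (timestamp, account) failures inside the window
    flagged = {}
    for ts, event_id, account, src_ip, logon_type in events:
        if logon_type != 10:      # only RemoteInteractive (RDP) logons matter here
            continue
        if event_id == 4625:
            q = recent[src_ip]
            q.append((ts, account))
            while q and ts - q[0][0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    src_ip, {"failures": 0, "accounts": set(), "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
                entry["accounts"].update(a for _, a in q)
        elif event_id == 4624 and src_ip in flagged:
            # A success after a flagged burst means the guessing worked: treat
            # it as a probable compromise, not as noise that resolved itself.
            flagged[src_ip]["success_after"] = True
    for entry in flagged.values():
        entry["spray"] = len(entry["accounts"]) >= spray_accounts
    return flagged


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

    On the constructed sample only 203.0.113.9 is flagged: ten failures in twenty seconds across five accounts, followed by a successful logon, which is the pattern that should page someone rather than wait for a morning review. The single mistype from 192.0.2.44 and the local logon from 10.0.0.5 are ignored. Real exports carry more fields (failure sub-status, workstation name), and the thresholds should be tuned against a baseline of normal failures before alerting on them.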
    Organisations should also make sure that the network is patched with the latest security updates, because many forms of ransomware – and other malware – are spread via the use of commonly known vulnerabilities.
    EternalBlue, the exploit that powered WannaCry and NotPetya, is still one of the most common exploits used to spread attacks – despite the security patch that closes the flaw it targets having been available for over three years.
    When it comes to stopping attacks via email, you should provide employees with training on how to spot an incoming malware attack. Even picking up on little indicators like poor formatting, or that an email purporting to be from ‘Microsoft Security’ is sent from an obscure address that doesn't even contain the word Microsoft, might save your network from infection. The same security policies that protect you from malware attacks in general will go some way towards preventing ransomware from causing chaos for your business.
    There’s also something to be said for enabling employees to learn from making mistakes while within a safe environment. For example, one firm has developed an interactive video experience that allows its employees to make decisions on a series of events then find out the consequences of those at the end. This enables them to learn from their mistakes without suffering any of the actual consequences.
    On a technical level, stopping employees from being able to enable macros is a big step towards ensuring that they can't unwittingly run a ransomware downloader. Microsoft Office 2016, and now Microsoft Office 2013, both carry features that allow administrators to block macros, including a policy setting that blocks macros in files downloaded from the internet regardless of what the user clicks. At the very least, employers should invest in antivirus software and keep it up to date, so that it can warn users about potentially malicious files. Backing up important files, and making sure those backups can't be reached and encrypted during an attack, is another key step.
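    Blocking macros at the endpoint is the last line; a mail gateway can also refuse to deliver macro-bearing documents in the first place. The following is an added example written for this article (not code from Microsoft or from any product the article mentions) showing the check: rather than trusting the file extension, it opens the Office Open XML package and looks for a VBA project part. The sample documents are constructed in memory; the gateway plumbing around the check is assumed.

```python
# Added example, not code from the original article: detect Office Open XML
# attachments that carry a VBA macro project, so they can be quarantined
# before a user is ever asked to "enable content". Sample documents below are
# constructed in memory and are not real Word files.
import io
import zipfile

# Content type Office assigns to the VBA project part inside an OOXML package.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_project(data: bytes) -> bool:
    """True if `data` is an OOXML (zip) package containing a VBA project.
    Legacy binary .doc/.xls (OLE2) files start with D0 CF 11 E0, not "PK",
    and need an OLE parser such as oletools instead; they return False here."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            # Word, Excel and PowerPoint store macros as */vbaProject.bin.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            # Belt and braces: the part may have been renamed, but the
            # content-types manifest still has to declare it for Office to load it.
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        return False
    return False


def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML package, with or without a VBA project part."""
    ns = "http://schemas.openxmlformats.org/package/2006/content-types"
    override = ('<Override PartName="/word/vbaProject.bin" '
                'ContentType="%s"/>' % MACRO_CONTENT_TYPE) if macro else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<Types xmlns="%s">%s</Types>' % (ns, override))
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a real compiled VBA stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
    return buf.getvalue()


def triage(attachments: dict) -> list:
    """attachments maps filename -> bytes; returns the names to quarantine.
    Note the decision ignores the extension: a macro document renamed to
    .docx is still caught because the package contents are inspected."""
    return sorted(name for name, data in attachments.items() if has_vba_project(data))


if __name__ == "__main__":
    mailbox = {
        "invoice.docx": build_sample(True),     # macro document hiding behind a .docx name
        "report.docx": build_sample(False),
        "notes.txt": b"constructed plain text",
    }
    print("quarantine:", triage(mailbox))
```

    The check deliberately keys on the package contents rather than the extension, because senders of malicious invoices routinely rename .docm to .docx. It does not cover legacy OLE2 documents, Excel 4.0 macro sheets or other container formats; a production gateway needs a parser for those as well.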
    How long does it take to recover from a ransomware attack?
    Simply put, ransomware can cripple a whole organisation – an encrypted network is more or less useless and not much can be done until systems are restored.
    If your organisation is sensible and has backups in place, systems can be back online in the time it takes to rebuild machines and restore data from those backups, although depending on the size of the company that could range from a few hours to days.
    However, while it’s possible to regain functionality in the short term, it can be the case that organisations struggle to get all systems back up and running – as demonstrated by the Petya attack.
    A month on from the outbreak, Reckitt Benckiser confirmed that some of its operations were still being disrupted and wouldn’t be fully up and running until two months on from the initial Petya outbreak.
    Outside of the immediate impact ransomware can have on a network, it can result in an ongoing financial hit. Any time offline is bad for a business as it ultimately means the organisation can’t provide the service it sets out to, and can’t make money, but the longer the system is offline, the bigger that can be.
    That’s if your customers want to do business with you: in some sectors, the fact you’ve fallen victim to a cyberattack could potentially drive customers away.
    How do I remove ransomware?
    The ‘No More Ransom’ initiative – launched in July 2016 by Europol and the Dutch National Police in collaboration with a number of cybersecurity companies including Kaspersky Lab and McAfee – offers free decryption tools for ransomware variants to help victims retrieve their encrypted data without succumbing to the will of cyber extortionists.
    At launch the portal offered decryption tools for four families of ransomware – Shade, Rannoh, Rakhni, and CoinVault – and the scheme regularly adds more decryption tools for further versions of ransomware.
    The portal – which also contains information and advice on avoiding falling victim to ransomware in the first place – is updated as often as possible in an effort to ensure tools are available to fight the latest forms of ransomware.
    No More Ransom has grown from offering a set of four tools to carrying a vast number of decryption tools covering hundreds of families of ransomware. So far, these tools have decrypted tens of thousands of devices, depriving criminals of millions in ransoms.
    The platform is now available in dozens of languages with more than 100 partners across the public and private sectors supporting the scheme.

    The No More Ransom portal offers free ransomware decryption tools.
    Image: Europol
    Individual security companies also regularly release decryption tools to counter the ongoing evolution of ransomware – many of these will post updates about these tools on their company blogs as soon as they’ve cracked the code.
    Another way of working around a ransomware infection is to ensure your organisation regularly backs up data offline. It might take some time to transfer the backup files onto a new machine, but if a computer is infected and you have backups, it's possible just to isolate that unit and then get on with your business. Just make sure that crypto-locking crooks aren't able to reach and encrypt your backups too: keep at least one copy offline or otherwise write-protected, check that it hasn't been tampered with before relying on it, and test restores before you need them.
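    A backup is only useful if you can tell, before restoring, that the crooks did not get to it first. The following is an added example written for this article, not code from No More Ransom or from any vendor it names: it records a manifest of SHA-256 digests when the backup is taken, seals the manifest with an HMAC key that is assumed to be kept offline with the manifest, and later reports any file that was modified, renamed or dropped on the backup share. The backup tree, the "encrypted" contents and the key are all constructed for the example.

```python
# Added example, not code from the original article: tamper-evident
# verification of an offline backup set. A manifest of per-file SHA-256
# digests is taken with the backup and sealed with an HMAC; the manifest and
# key are assumed to live somewhere the backup share's ransomware can't reach.
# Everything below (files, contents, key) is constructed for the example.
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

KEY = b"constructed-demo-key-keep-the-real-one-offline"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root, '/' separated) to its digest."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form, so the manifest itself can't be
    silently rewritten to match tampered files."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_is_sealed(manifest: dict, key: bytes, seal: str) -> bool:
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the current backup tree against the stored manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Build a tiny backup set, seal its manifest, simulate a crypto-locker
    reaching the share, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "q1.xlsx").write_bytes(b"constructed spreadsheet contents")
        (root / "notes.txt").write_bytes(b"constructed notes")
        manifest = build_manifest(root)
        seal = seal_manifest(manifest, KEY)      # stored offline with the manifest
        # Simulated ransomware activity on the backup share:
        (root / "finance" / "q1.xlsx").write_bytes(b"\x8f\x13 ciphertext stand-in")  # overwritten
        (root / "notes.txt").rename(root / "notes.txt.locked")                        # renamed
        (root / "README_DECRYPT.txt").write_bytes(b"constructed ransom note")          # note dropped
        report = verify_backup(root, manifest)
        report["manifest_ok"] = manifest_is_sealed(manifest, KEY, seal)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The report lists the overwritten spreadsheet as modified, the original notes file as missing, and both the renamed copy and the dropped ransom note as unexpected, while the sealed manifest still verifies, so the operator knows the record is trustworthy and the share is not. The same manifest doubles as the list of what a clean restore should contain.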
    Should I pay a ransomware ransom?
    There are those who say victims should just pay the ransom, citing it to be the quickest and easiest way to retrieve their encrypted data – and many organisations do pay even if law enforcement agencies warn against it.
    But be warned: if word gets out that your organisation is an easy target for cyber criminals because it paid a ransom, you could find yourself in the crosshairs of other cyber criminals who are looking to take advantage of your weak security. And remember that you’re dealing with criminals here and their very nature means they may not keep their word: there’s no guarantee you’ll ever get the decryption key, even if they have it. Decryption isn’t even always possible: there are stories of victims making ransom payments and still not having encrypted files unlocked.
    For example, a type of ransomware targeting Linux discovered earlier this year demanded a bitcoin payment but did not store encryption keys locally or through a command-and-control server, making paying the ransom futile at best.
    Can you get ransomware on your smartphone?
    Absolutely. Ransomware attacks against Android devices have increased massively, as cyber criminals realise that many people aren’t aware that smartphones can be attacked and the contents (often more personal than the stuff we keep on PCs) encrypted for ransom by malicious code. Various forms of Android ransomware have therefore emerged to plague mobile users.
    In fact, any internet-connected device is a potential target for ransomware, which has already been seen locking smart TVs.

    Researchers demonstrate ransomware in an in-car infotainment system.
    Image: Intel Security
    Ransomware and the Internet of Things
    Internet of Things devices already have a poor reputation for security. As more and more of these make their way onto the market, they’re going to provide billions of new attack vectors for cyber criminals, potentially allowing hackers to hold your connected home or connected car hostage. An encrypted file is one thing: but what about finding a ransom note displayed on your smart fridge or toaster?
    There’s even the potential that hackers could infect medical devices, putting lives directly at risk.
    In March 2018, researchers at IOActive took this one step further by demonstrating how a commercially available robot could come under a ransomware attack. In addition to making the robot verbally demand payment in order to be returned to normal, researchers also made it issue threats and swear.
    As ransomware continues to evolve, it’s therefore crucial for your employees to understand the threat it poses, and for organisations to do everything possible to avoid infection, because ransomware can be crippling and decryption is not always an option.