Showing posts with label Cyberz. Show all posts

Wednesday 16 May 2018

Ransomware

Read this to learn more about the WannaCry ransomware crisis and what you need to do to stay safe from future attacks.

Earlier this month, a strain of ransomware infected more than 300,000 Windows PCs around the world. The awesomely named WannaCry strain demanded that infected businesses and individuals pay $300 in Bitcoin to unlock each machine and the data stored on it. Some people paid the ransom, while others were lucky enough to wait it out and be rescued by a security researcher who accidentally halted the spread by registering an unregistered domain that the malware checked before running: the so-called kill switch, which stopped new infections but did nothing for machines that were already encrypted.
Now that the initial outbreak has been contained, new WannaCry variants are emerging, and a massive, unrelated ransomware attack has hit Eastern Europe. As ransomware attacks become trickier and more difficult to stop, your company is more likely than ever to be at risk. So we've compiled this list of post-mortem steps: what happened, how you can protect your business and yourself, and what you should do if you fall victim to an attack.

1. Be Defensive

You're going to need to be smarter about which emails you open, which links you click, and which files you download. Phishing attacks are common and easy to fall for. Unfortunately, WannaCry wasn't a typical phishing attack. It exploited a vulnerability in Windows' SMBv1 file-sharing service (the flaw fixed by Microsoft's MS17-010 update), one that Microsoft had already patched earlier this year, and it spread from machine to machine over the network as a worm, with no user interaction at all.
So, how did it get through? You know those annoying pop-up notifications that software manufacturers send to your computer? They're not just alerting you to new features; they're installing patches that help protect against attacks like WannaCry. The same goes for your endpoint protection software. If your vendor asks you to update, then update. In this case, the attackers were able to penetrate systems that had not been updated and, as a result, hospitals were crippled and lives were put in jeopardy (more on this later).
"The global fallout of this attack could have easily been prevented by deploying the security update once it was made available by Microsoft," said Liviu Arsene, Senior E-Threat Analyst at Bitdefender. "The lesson to be learned from this experience is to always apply security patches and updates when they become available, not just for operating systems but for applications as well. Of course, a security solution might prevent the payload—in this case, ransomware—from infecting victims. But more advanced and sophisticated threats could potentially leverage the operating system vulnerability to gain persistency and bypass traditional security mechanisms undetected."

2. Back that Cache Up

The worst thing about an attack of this variety is that it takes your data away from you by encrypting it. However, the responsible among us don't need to worry about this very much, because they have been using backup or disaster recovery (DR) software to ensure that their information is alive and well somewhere else, typically in the cloud. If you get hit with a ransomware attack, then having access to your full trove of data in the cloud means you can simply wipe your machine, pull in your backed-up data, and start working again. One caveat: ransomware encrypts whatever the infected machine can write to, including mapped network drives and folders that sync to the cloud, so a backup only counts if the malware cannot reach it. Keep at least one copy offline or on versioned storage, and test a restore before you need it.
[Image: WannaCry ransom note, via McAfee]

3. Don't Pay, Silly

As much as you'd like to retrieve your unfinished screenplay, paying hostage takers seldom works. Instead, contact the FBI (or your own country's cybercrime reporting agency) and let them know you've become the victim of a cyberattack. If you desperately need your data and you don't have a backup stored elsewhere, then sit tight and wait: keep the encrypted files and the ransom note, which identify the ransomware family, because free decryption tools are sometimes released for a family later. If you don't need your data, or you have backed it up, then reset your machine and start from scratch.
Whatever you do, don't pay. Here's why: there's a good chance the attacker won't actually release your data, and now you're out $300 and still out of luck. Paying can also expose you to additional risk, because you've shown a willingness to give in to the attackers' demands. So, in the very best case, you've paid, gotten your data back, and given a criminal an incentive to attack you again in the future.
"No one is ever encouraged to give in to ransomware demands," said Arsene. "In fact, if no backups are available from which to restore lost data, companies or individuals should treat the incident as hardware failure and move on. Paying would only fuel cybercriminals with the financial resources to keep developing new threats. And there's no actual guarantee that you'll actually receive the decryption key. You are actually dealing with criminals here."

4. What You Should Do

As I previously mentioned, backing up your data and wiping your hardware will let you walk away from a ransomware attack without much real damage. Here's a step-by-step procedure for what to do when that ransom note hits your screen: 1) Disconnect the computer from its network (pull the cable, switch off Wi-Fi) so that a worm like WannaCry can't spread to other machines, and note the ransom note and the extension on the encrypted files, which identify the ransomware family for reporting and possible recovery. 2) Fully wipe the device and restore it from a backup. 3) Install all security patches and updates, and add a security solution like Bitdefender to your software mix, before you reconnect the machine to the network; an unpatched host can simply be reinfected by any still-infected neighbour. 4) Contact the FBI.
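The containment and hardening steps above (and the "apply the patch" advice from section 1) expressed as a PowerShell script. This is an added example, not code from the original article or from any vendor named in it. It assumes an elevated session on a Windows 8.1 / Server 2012 R2 or later host where the SmbShare, NetAdapter and NetSecurity modules are available, with a registry fallback for the SMBv1 switch on older builds. The KB list inside Test-Ms17010Installed is a partial, constructed list of MS17-010 package IDs; later cumulative updates supersede them, so the SMBv1 state, not the KB list, is the deciding check.

```powershell
# Added example: isolate a suspected WannaCry victim, check whether it is still
# exposed over SMBv1, and harden it before it goes back on the network.
# Run in an elevated PowerShell session on the affected host.
#Requires -RunAsAdministrator

function Disconnect-FromNetwork {
    # Step 1: isolate the host. Disabling every active adapter stops the worm
    # from scanning the LAN for other SMB hosts; do this before anything else.
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } |
        Disable-NetAdapter -Confirm:$false -PassThru |
        ForEach-Object { Write-Host "Disabled adapter: $($_.Name)" }
}

function Test-Smb1Exposure {
    # Returns $true when the SMBv1 server (the protocol EternalBlue abuses) is
    # still enabled. Get-SmbServerConfiguration exists on Windows 8 / Server 2012
    # and later; older builds expose the same switch as a registry value.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) { return [bool]$cfg.EnableSMB1Protocol }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # An absent value means the default, and the default on those builds is enabled.
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1 {
    # Step 3 (hardening before the host is reconnected).
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0
    }
    # Belt and braces: block inbound TCP/445 at the host firewall as well, so an
    # unpatched neighbour cannot reach the SMB service even if SMBv1 comes back.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block | Out-Null
}

function Test-Ms17010Installed {
    # Partial, constructed list of MS17-010 package IDs (Windows 7/8.1 security-only
    # and rollup packages plus the out-of-band XP/2003 package). Later cumulative
    # updates supersede these, so a miss here does NOT prove the host is vulnerable;
    # treat Test-Smb1Exposure as the deciding check.
    $kbs = 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216', 'KB4012598'
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($kbs | Where-Object { $installed -contains $_ })
}

# Main flow: isolate, then report, then harden. Reconnect only after the host
# has been wiped/restored and patched (steps 2 and 3 in the text).
Disconnect-FromNetwork
if (Test-Smb1Exposure)            { Write-Warning 'SMBv1 server is ENABLED on this host.' }
if (-not (Test-Ms17010Installed)) { Write-Warning 'No MS17-010 package found (it may be superseded).' }
Disable-Smb1
Write-Host 'Host isolated and SMBv1 disabled; wipe, restore from backup, patch, then reconnect.'
```

Run it at the console, not over a remote session, because the first thing it does is disable every active adapter. The firewall rule blocks all inbound SMB to the host, including legitimate file sharing; keep it until the machine is rebuilt and patched, then decide whether this host needs to serve files at all.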

5. Businesses Must Get Serious

"There are security layers that companies can deploy to protect infrastructures from zero-day vulnerabilities in both operating systems and applications," said Arsene. Arsene recommends organizations running virtual infrastructures deploy a hypervisor-based memory introspection technology that's capable of securing virtual workloads.
"This new security layer that sits below the operating system can detect zero-day vulnerabilities, like the SMB v1 vulnerability leveraged by WannaCry, and prevent attackers from ever exploiting it, even if the system is unpatched or the vulnerability is completely unknown," Arsene explained. "This complementary security layer, coupled with traditional in-guest security solutions and constant software patching, increases the cost of attack for cybercriminals while giving organizations more visibility into advanced attacks."

Saturday 29 October 2016

IP Address and Call Records

IP Address as Evidence:

An IP address alone, I feel, cannot be conclusive evidence, and I have proved this in many cases in the lower courts.

• Judge Gary Brown of the United States District Court for the Eastern District of New York held as follows:
• "The assumption that the person who pays for Internet access at a given location is the same individual who allegedly downloaded a single sexually explicit film is tenuous, and one that has grown more so over time," he writes. "An IP address provides only the location at which one of any number of computer devices may be deployed, much like a telephone number can be used for any number of telephones."
• "Thus, it is no more likely that the subscriber to an IP address carried out a particular computer function – here the purported illegal downloading of a single pornographic film – than to say an individual who pays the telephone bill made a specific telephone call."

Adv Prashant Mali - Cyber Law Expert (prashant.mali@cyberlawconsulting.com)

CDR (Call Data Records) as Evidence:

Today, investigation agencies get paralysed when an accused doesn't use a mobile phone, as the investigation largely starts from the CDR.

• Call Data Records do aid in a preliminary investigation but cannot be taken as conclusive evidence, because of the following problems:
  1. The mobile handset or SIM could be in someone else's name, as written on the receipt/invoice.
  2. Call Data Records are not certified.
  3. The SIM card may have been cloned or the IMEI number spoofed (changed).
  4. Mobile number snooping may have taken place using software.

In the Bombay Bomb Blast case, Sanjay Dutt's CDRs were admitted, and the same was done in the Parliament Attack case.

Adv Prashant Mali - Cyber Law Expert

Thursday 21 July 2016

Notes/Study Materials

Computer Forensics Notes/ Study Material


BTech IV I Sem (Computer Forensics) Updated
Theory / Practical
1. Unit I Part I - Download
2. Unit I Part II - Download
3. Unit I Part III - Download
4. Unit II Part I - Download
5. Unit II Part II - Download
6. Unit II Part III - Download

Wednesday 6 November 2013

How to Install and Run the Windows 8.1 Preview in Hyper-V

The big announcement from //BUILD 2013 is the pending arrival of Windows 8.1, aka “Windows Blue,” and Microsoft made the Windows 8.1 Preview available for download immediately following the //BUILD keynote on Wednesday.
Like many developers, the MarkedUp Analytics team is naturally excited to try new things; that being said – we also don’t like having to wipe a dev machine and re-image it in the event that a beta release of Windows isn’t compatible with tools we use for doing our jobs every day.
So, we use Hyper-V or VirtualBox and run Windows 8.1 in a VM until it’s released to market.
Here’s how to get Windows 8.1 running in Hyper-V:

1. Download the Windows 8.1 Preview ISO

Download any of the Windows 8.1 Preview ISO images here. Pick whichever one best suits your needs. I’m going to use the English 64-bit .ISO.

2. Open Hyper-V and create a new virtual machine

If you’re running Windows 8 already, Hyper-V comes built into the operating system. Once the Windows 8.1 preview ISO is finished downloading you’ll want to create a new VM.
step1 - new VM
We’ll name our VM “Windows 8.1 Preview” and use the default storage location.
step2 - name VM
Windows 8 needs at least 2GB of RAM on a 64-bit system; I’m going to give this VM 4GB since I plan on running Visual Studio and some other RAM-intensive software on it later.
step3 - allocate RAM to VM
For now we’re going to leave the VM’s network as “Not Connected” – we’ll create a Virtual Network Adapter for it later.
If you already have a Hyper-V virtual network adapter that can share Internet connectivity with the host machine, use it here. Otherwise we’ll add one later after the OS installation on the VM is complete.
step4 - set VM network to not connected
Windows 8 needs at least 20GB of disk space on a 64-bit system. I’m going to give this VM 40GB and I’m going to use a dynamically expanding disk.
Dynamically expanding disks are slower at first, because the file grows on demand, but they save room on the host machine in the event that you don’t fill the entire VHD volume immediately.
If speed is an issue, create a fixed-size disk up front.
step5 - set VHD creation options for VM

3. Install Windows 8.1 Preview from ISO

Now we’re going to use the Windows 8.1 Preview .ISO file we downloaded earlier to install the operating system while we finalize our VM.
step6 - install OS via Windows 8.1 ISO
This option will have you complete the Windows 8.1 Preview installation the first time the VM boots, using the .ISO file you downloaded earlier as the bootable media.
With all of those steps complete, you should now see the “Windows 8.1 Preview” VM on your Hyper-V list:
step7 - verify that Windows 8.1 VM is available in Hyper-V
Select the Windows 8.1 Preview VM and start it, and you should see the first “Install Windows” screen after a few seconds:
step8 - start the Windows 8.1 VM and install the OS
Click next.
You’ll need to enter in a product key for Windows 8.1 Preview during the first part of the installation process.
The product key for Windows 8.1 Preview is NTTX3-RV7VB-T7X7F-WQYYY-9Y92F, according to Microsoft’s official Windows 8.1 Preview installation instructions.
step9 - enter product key for Windows 8.1 Preview
If you see the following message asking you to choose between an upgrade and a custom installation, select “Custom: Install Windows only.”
step10 - select custom install for Windows 8.1 Preview
Install Windows 8.1 on the VHD that we created earlier.
step11 - install Windows 8.1 preview on VHD created earlier
Let the Windows 8.1 Preview installation run to completion. After 30 minutes or so you should be able to create a local Windows account and log in.
step12 - verify Windows 8.1 installation

4. If you don’t have one already, create a Virtual Network Adapter for Windows 8.1

If you didn’t have a Virtual Network Adapter ready during step 2, we’ll create one now.
First, shut down your Windows 8.1 Preview VM and turn it off – we’re about to make some changes to it.
step13 - shut off Windows 8.1 VM
Open up the Hyper-V manager and go to “Virtual Switch Manager.”
step14 - go Virtual Switch Manager in Hyper-V
Select “New virtual network switch.” Give the switch a name and make it an External Network. If you have multiple physical network adapters (i.e. ethernet and WiFi), use whichever one you use most often. Check the “allow management operating system to share this network adapter” box. Bear in mind that an External switch puts the VM directly on your physical LAN, where every other host can reach it; if the preview VM only needs to talk to the host, an Internal switch keeps it off the network.
step15 - create new Virtual Adapter in HyperV
Apply changes.
Go back to your VMs and right click on the “Windows 8.1 Preview” VM you created – select “Settings,” then select “Network Adapter.”
step16 - Windows 8.1 VM network adapter settings
Change the Virtual switch to the new switch you just created; mine is called “Magical Switch.”
step17 - set virtual switch on Windows 8.1 Preview VM
Apply changes. Before we try starting the VM, let’s make sure that our switch was set up correctly – I often have trouble getting Hyper-V’s network adapters to behave properly the first time around.
Go to Control Panel and then to View Network Connections. Right click on the new switch you just created and select Properties.
step18 - verify virtual switch properties
Only the following properties should be set:
  • Client for Microsoft Networks
  • QoS Packet Scheduler
  • File and Printer Sharing for Microsoft Networks
  • Microsoft LLDP Protocol Driver
  • Link-layer Topology Discovery Mapper I/O Driver
  • Link-layer Topology Discovery Responder
  • Internet Protocol Version 6 (TCP/IPv6) and
  • Internet Protocol Version 4 (TCP/IPv4)
You will likely need to reboot your host machine in order to get the Internet working again. Go ahead and do that now.

5. Start Windows 8.1 Preview; Profit

You now should be able to start your Windows 8.1 VM in Hyper-V and connect to the Internet.
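The whole procedure above (steps 2 to 5) as a single PowerShell script, run in an elevated session on the Hyper-V host. This is an added example and not part of the original post; the ISO path and VM folder are placeholders you must set to your own, and the switch name simply reuses the one from the post. The script creates the same 4 GB / 40 GB dynamically expanding Gen 1 VM the GUI steps describe, attaches the ISO, makes the external switch if it is missing, and boots the VM.

```powershell
# Added example: build the "Windows 8.1 Preview" VM from the post with the
# Hyper-V PowerShell module instead of the GUI. Run elevated on the host.
#Requires -RunAsAdministrator

$VmName     = 'Windows 8.1 Preview'
$IsoPath    = 'C:\ISOs\Windows8.1-Preview-x64.iso'   # placeholder: your downloaded ISO
$SwitchName = 'Magical Switch'                       # the switch name used in the post
$VmPath     = 'C:\Hyper-V'                           # placeholder: where VM and VHD live
$VhdPath    = Join-Path $VmPath "$VmName\$VmName.vhdx"

if (-not (Test-Path $IsoPath)) { throw "ISO not found: $IsoPath" }
New-Item -ItemType Directory -Force -Path (Split-Path $VhdPath) | Out-Null

# Step 2: 4 GB of RAM and a 40 GB disk. -NewVHDPath creates a dynamically
# expanding VHDX; for a fixed-size disk create it with New-VHD -Fixed first and
# pass -VHDPath instead. Leaving out -SwitchName leaves the network adapter
# "Not Connected", exactly as the post does at this stage.
New-VM -Name $VmName -Path $VmPath -MemoryStartupBytes 4GB `
       -NewVHDPath $VhdPath -NewVHDSizeBytes 40GB | Out-Null

# Step 3: put the ISO in the VM's DVD drive and boot from it first.
if (-not (Get-VMDvdDrive -VMName $VmName)) { Add-VMDvdDrive -VMName $VmName }
Set-VMDvdDrive -VMName $VmName -Path $IsoPath
Set-VMBios -VMName $VmName -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')

# Step 4: create the external switch if it does not exist yet. An External
# switch bridges the VM onto the physical LAN; -AllowManagementOS $true is the
# "allow management operating system to share this network adapter" checkbox.
# Use New-VMSwitch -SwitchType Internal instead if the VM should only see the host.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    # First physical adapter that is up (ethernet or Wi-Fi); replace this with an
    # explicit adapter name if the host has several and you care which one.
    $nic = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' } |
           Select-Object -First 1
    if (-not $nic) { throw 'No physical network adapter is up.' }
    New-VMSwitch -Name $SwitchName -NetAdapterName $nic.Name -AllowManagementOS $true | Out-Null
}
Connect-VMNetworkAdapter -VMName $VmName -SwitchName $SwitchName

# Step 5: start the VM and open its console; Windows Setup boots from the ISO.
Start-VM -Name $VmName
vmconnect.exe localhost $VmName
```

Creating the external switch briefly drops the host's own network connection while the physical adapter is rebound to the virtual switch, which is the same interruption the post's "reboot your host" step works around; if the host loses connectivity afterwards, check the adapter bindings exactly as described in step 4 above.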
Install complete

Saturday 21 September 2013

Introduction to Cyber Law of India (Part 1)


In simple terms, cyber crime is an unlawful act in which a computer is either a tool, a target, or both.

Cyber crimes can involve criminal activities that are traditional in nature, such as theft, fraud, forgery, defamation and mischief, all of which are subject to the Indian Penal Code. The abuse of computers has also given birth to a gamut of new age crimes that are addressed by the Information Technology Act, 2000.

We can categorize cyber crimes in two ways:

The computer as a target: using a computer to attack other computers.
e.g. hacking, virus/worm attacks, DoS attacks, etc.
The computer as a weapon: using a computer to commit real-world crimes.
e.g. cyber terrorism, IPR violations, credit card fraud, EFT fraud, pornography, etc.
Cyber crime is regulated by cyber laws or Internet laws.
Technical Aspects
Technological advancements have created new possibilities for criminal activity, in particular the criminal misuse of information technologies, such as:
a. Unauthorized access & Hacking:-
Access means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network.
Unauthorized access would therefore mean any kind of access without the permission of either the rightful owner or the person in charge of a computer, computer system or computer network.
Every act committed towards breaking into a computer and/or network is hacking. Hackers write or use ready-made programs to attack the target computer. Some have a desire to destroy and get a kick out of such destruction; others hack for personal monetary gain, such as stealing credit card information or transferring money from various bank accounts to their own account, followed by withdrawal of the money.
Taking control of another person's website by hacking the web server is called web hijacking.
b. Trojan Attack:-
A program that acts like something useful but does things that are quite damaging is called a Trojan.
The name comes from the Trojan Horse.
Trojans come in two parts, a client part and a server part. When the victim (unknowingly) runs the server on their machine, the attacker uses the client to connect to the server and start using the Trojan.
TCP is the usual transport for this communication, but some Trojan functions use UDP as well.
c. Virus and Worm attack:-
A program that has the capability to infect other programs, make copies of itself and spread into other programs is called a virus.
Programs that multiply like viruses but spread from computer to computer on their own, over the network, are called worms.
d. E-mail & IRC related crimes:-
1. Email spoofing
Email spoofing refers to email that appears to have originated from one source when it was actually sent from another. SMTP does not verify the From: header, so a sender can put any address there; the envelope sender (Return-Path) and the Received: headers stamped by each mail server along the way are what actually record where the message came from.
2. Email Spamming
Email “spamming” refers to sending unsolicited email to thousands and thousands of users, similar to a chain letter.
3 Sending malicious codes through email
E-mails are used to send viruses, Trojans, etc. as attachments, or with a link to a website which, on visiting, downloads malicious code.
4. Email bombing
E-mail “bombing” is characterized by abusers repeatedly sending an identical email message to a particular address.
5. Sending threatening emails
6. Defamatory emails
7. Email frauds
8. IRC related
Three main ways to attack IRC are: “verbal” attacks, clone attacks, and flood attacks.
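How the header checks from the email spoofing item above look in practice, as an added PowerShell example that is not part of the original post. The message is constructed for the demonstration: the host names use reserved .example/.test domains and the address is a documentation IP, and none of it refers to a real incident. The function unfolds the headers, then compares the From: domain with the envelope sender, the Reply-To, the first (and only trustworthy) Received: hop, and the receiving server's SPF/DKIM verdict.

```powershell
# Added example: flag a spoofed sender from raw message headers.
# Constructed sample: a phish claiming to be from victim-bank.example but
# injected directly from an unrelated host with no reverse DNS.
$ConstructedHeaders = @'
Return-Path: <bounce@mailer-example.test>
Received: from smtp.victim-bank.example (unknown [198.51.100.77])
        by mail.recipient.example with ESMTP id 7A1F3; Mon, 16 Sep 2013 10:02:11 +0000
Authentication-Results: mail.recipient.example; spf=fail smtp.mailfrom=mailer-example.test;
        dkim=none
From: "Victim Bank Security" <alerts@victim-bank.example>
Reply-To: <helpdesk@mailer-example.test>
To: customer@recipient.example
Subject: Your account has been locked
'@

function ConvertFrom-MailHeaders {
    param([string]$Raw)
    # Unfold RFC 5322 continuation lines (a line starting with whitespace belongs
    # to the previous header), then split each "Name: value" pair. Order is kept
    # because Received headers repeat and the top one is the newest hop.
    $headers = New-Object System.Collections.Generic.List[object]
    foreach ($line in ($Raw -split "`r?`n")) {
        if ($line -match '^\s+' -and $headers.Count -gt 0) {
            $headers[$headers.Count - 1].Value += ' ' + $line.Trim()
        } elseif ($line -match '^([^:\s]+):\s*(.*)$') {
            $headers.Add([pscustomobject]@{ Name = $Matches[1]; Value = $Matches[2] })
        }
    }
    return $headers
}

function Get-AddressDomain {
    param([string]$Value)
    # Domain part of "Display Name" <user@domain> or a bare user@domain, lower-cased.
    if ($Value -match '<([^>]+)>') { $Value = $Matches[1] }
    if ($Value -match '@([A-Za-z0-9.-]+)') { return $Matches[1].ToLower() }
    return $null
}

function Test-SpoofedSender {
    param([string]$Raw)
    $h = ConvertFrom-MailHeaders -Raw $Raw
    $get = { param($n) ($h | Where-Object Name -eq $n | Select-Object -First 1).Value }
    $findings = @()

    $fromDomain   = Get-AddressDomain (& $get 'From')
    $returnDomain = Get-AddressDomain (& $get 'Return-Path')
    $replyDomain  = Get-AddressDomain (& $get 'Reply-To')

    # 1. Envelope sender vs. header From. Legitimate bulk mail can differ here
    #    too, so on its own this is a signal, not proof.
    if ($returnDomain -and $fromDomain -and $returnDomain -ne $fromDomain) {
        $findings += "Return-Path domain '$returnDomain' differs from From domain '$fromDomain'"
    }
    # 2. Reply-To pointing somewhere else is the classic phishing tell.
    if ($replyDomain -and $fromDomain -and $replyDomain -ne $fromDomain) {
        $findings += "Reply-To domain '$replyDomain' differs from From domain '$fromDomain'"
    }
    # 3. The top-most Received header was written by your own server and is the
    #    only hop you can trust; everything below it could be forged by the sender.
    #    Compare the HELO name and reverse DNS of that hop with the From domain.
    $firstHop = ($h | Where-Object Name -eq 'Received' | Select-Object -First 1).Value
    if ($fromDomain -and $firstHop -match '^from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)') {
        $helo, $rdns, $ip = $Matches[1], $Matches[2], $Matches[3]
        $rdnsLower = $rdns.ToLower()
        $rdnsOk = ($rdns -ne 'unknown') -and
                  ($rdnsLower -eq $fromDomain -or $rdnsLower.EndsWith(".$fromDomain"))
        if (-not $rdnsOk) {
            $findings += "First hop $ip (rDNS '$rdns', HELO '$helo') is not a '$fromDomain' host"
        }
    }
    # 4. The receiving server's own SPF/DKIM verdict, when it recorded one. Only
    #    trust this header if your own server added it; senders can forge it too.
    $auth = & $get 'Authentication-Results'
    if ($auth -match 'spf=(fail|softfail)') { $findings += "SPF $($Matches[1]) for the envelope sender" }
    if ($auth -match 'dkim=(fail|none)')    { $findings += "DKIM $($Matches[1]): no valid signature" }

    return [pscustomobject]@{
        FromDomain = $fromDomain
        Suspicious = ($findings.Count -ge 2)   # two independent signals before we call it
        Findings   = $findings
    }
}

$result = Test-SpoofedSender -Raw $ConstructedHeaders
$result.Findings | ForEach-Object { Write-Host " - $_" }
Write-Host ("Verdict: " + $(if ($result.Suspicious) { 'likely spoofed' } else { 'no strong signal' }))
```

On the constructed message every check fires (mismatched Return-Path and Reply-To, an unknown first hop, SPF fail, no DKIM), so the verdict is "likely spoofed". Each signal alone has benign explanations, which is why the verdict requires at least two; a mail server that records Authentication-Results for you is the cheapest way to get a reliable one.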
e. Denial of Service attacks:-
Flooding a computer resource with more requests than it can handle. This exhausts or crashes the resource, thereby denying the service to authorized users.
Examples include
attempts to “flood” a network, thereby preventing legitimate network traffic
attempts to disrupt connections between two machines, thereby preventing access to a service
attempts to prevent a particular individual from accessing a service
attempts to disrupt service to a specific system or person.

Introduction to Cyber Law of India (Part 2)


Distributed DOS
A distributed denial of service (DDoS) attack is accomplished by using the Internet to break into many computers and using them together to attack a network.
Hundreds or thousands of computer systems across the Internet can be turned into “zombies” and used to attack another system or website.
Types of DoS
There are three basic types of attack:
a. Consumption of scarce, limited, or non-renewable resources such as network bandwidth, RAM or CPU time. Even power, cooling or water supply can be targeted.
b. Destruction or Alteration of Configuration Information
c. Physical Destruction or Alteration of Network Components
e. Pornography:-
The literal meaning of the term ‘Pornography’ is “describing or showing sexual acts in order to cause sexual excitement through books, films, etc.”
This would include pornographic websites; pornographic material produced using computers and use of internet to download and transmit pornographic videos, pictures, photos, writings etc.
Adult entertainment is the largest industry on the Internet. There are more than 420 million individual pornographic web pages today.
Research shows that 50% of the websites containing potentially illegal content relating to child abuse were ‘pay-per-view’. This indicates that abusive images of children on the Internet have been highly commercialized.
Pornography delivered over mobile phones is now a burgeoning business, “driven by the increase in sophisticated services that deliver video clips and streaming video, in addition to text and images.”
Effects of Pornography
Research has shown that pornography and its messages are involved in shaping attitudes and encouraging behavior that can harm individual users and their families.
Pornography is often viewed in secret, which creates deception within marriages that can lead to divorce in some cases.
In addition, pornography promotes the allure of adultery, prostitution and unreal expectations that can result in dangerous promiscuous behavior.
Some of the common, but false, messages sent by a sexualized culture:
Sex with anyone, under any circumstances, any way it is desired, is beneficial and does not have negative consequences.
Women have one value – to meet the sexual demands of men.
Marriage and children are obstacles to sexual fulfillment.
Everyone is involved in promiscuous sexual activity, infidelity and premarital sex.
Pornography Addiction
Dr. Victor Cline, an expert on sexual addiction, found that there is a four-step progression among many who consume pornography.
1. Addiction: Pornography provides a powerful sexual stimulant or aphrodisiac effect, followed by sexual release, most often through masturbation.
2. Escalation: Over time addicts require more explicit and deviant material to meet their sexual “needs.”
3. Desensitization: What was first perceived as gross, shocking and disturbing in time becomes common and acceptable.
4. Acting out sexually: There is an increasing tendency to act out behaviours viewed in pornography.
g. Forgery:-
Counterfeit currency notes, postage and revenue stamps, mark sheets, etc. can be forged using sophisticated computers, printers and scanners.
Impersonating another person is also considered forgery.
h. IPR Violations:-
These include software piracy, copyright infringement, trademark violations, theft of computer source code, patent violations, etc.
Cyber squatting: domain names also function as trademarks and are protected by ICANN’s Uniform Domain-Name Dispute-Resolution Policy (UDRP) as well as under trademark law.
Cyber squatters register domain names identical or confusingly similar to a popular service provider’s domain so as to attract its users and profit from the confusion.
i. Cyber Terrorism:-
Military installations, power plants, air traffic control, banks, rail traffic control and telecommunication networks are the most likely targets, along with police, medical, fire and rescue systems, etc.
Cyberterrorism is an attractive option for modern terrorists for several reasons.
1.It is cheaper than traditional terrorist methods.
2.Cyberterrorism is more anonymous than traditional terrorist methods.
3.The variety and number of targets are enormous.
4.Cyberterrorism can be conducted remotely, a feature that is especially appealing to terrorists.
5.Cyberterrorism has the potential to affect directly a larger number of people.
j. Banking/Credit card Related crimes:-
In the corporate world, Internet hackers are continually looking for opportunities to compromise a company’s security in order to gain access to confidential banking and financial information.
Use of stolen card information or fake credit/debit cards is common.
A bank employee can siphon money using a program that deducts a small amount from every customer account and adds it to their own account; this is known as a salami attack.
k. E-commerce/ Investment Frauds:-
Sales and investment frauds: an offering that uses false or fraudulent claims to solicit investments or loans, or that provides for the purchase, use, or trade of forged or counterfeit securities.
Merchandise or services that were purchased or contracted by individuals online are never delivered.
Fraud attributable to the misrepresentation of a product advertised for sale through an Internet auction site, or the non-delivery of products purchased through an Internet auction site.
Investors are enticed to invest in these fraudulent schemes by promises of abnormally high profits.
l. Sale of illegal articles:-
This would include trade of narcotics, weapons and wildlife etc., by posting information on websites, auction websites, and bulletin boards or simply by using email communication.
Many people are employed in this criminal area, and every day people receive a great many emails offering banned or illegal products for sale.
m. Online gambling:-
There are millions of websites hosted on servers abroad that offer online gambling. In fact, it is believed that many of these websites are actually fronts for money laundering.
n. Defamation: -
Defamation can be understood as the intentional infringement of another person’s right to his good name.
Cyber Defamation occurs when defamation takes place with the help of computers and / or the Internet. E.g. someone publishes defamatory matter about someone on a website or sends e-mails containing defamatory information to all of that person’s friends. Information posted to a bulletin board can be accessed by anyone. This means that anyone can place
Cyber defamation is also called cyber smearing.
o. Cyber Stalking:-
Cyber stalking involves following a person’s movements across the Internet by posting messages (sometimes threatening) on the bulletin boards frequented by the victim, entering the chat rooms frequented by the victim, constantly bombarding the victim with emails, etc.
In general, the harasser intends to cause emotional distress and has no legitimate purpose for his communications.
p. Pedophiles:-
There are also persons who intentionally prey upon children. With teenagers in particular, they will let the teen know that they fully understand the teen’s feelings towards adults, and towards the teen’s parents in particular.
They earn the teen’s trust and gradually seduce them into sexual or indecent acts.
Pedophiles lure children by distributing pornographic material, then try to meet them for sex or to take nude photographs of them, including photographs of them in sexual positions.
q. Identity Theft :-
Identity theft is among the fastest growing crimes in countries like America.
Identity theft occurs when someone appropriates another’s personal information without their knowledge to commit theft or fraud.
Identity theft is a vehicle for perpetrating other types of fraud schemes.
r. Data diddling:-
Data diddling involves changing data before or during its input into a computer.
In other words, information is changed from the way it should have been entered, whether by the person typing in the data, a virus that changes data, the programmer of the database or application, or anyone else involved in the process of getting information stored in a computer file.
It also includes automatically altering financial information for some time before processing and then restoring the original information.
s. Theft of Internet Hours:-
Unauthorized use of Internet hours paid for by another person.
By gaining access to an organisation’s telephone switchboard (PBX), individuals or criminal organizations can obtain access to dial-in/dial-out circuits and then make their own calls or sell call time to third parties.
Additional forms of service theft include capturing ‘calling card’ details and on-selling calls charged to the calling card account, and counterfeiting or illicitly reprogramming stored-value telephone cards.
t. Theft of computer system (Hardware):-
This type of offence involves the theft of a computer, some part(s) of a computer or a peripheral attached to the computer.
u. Physically damaging a computer system:-
Physically damaging a computer or its peripherals, whether by shock, fire, excess electric supply, etc.
v. Breach of Privacy and Confidentiality
Privacy
Privacy refers to the right of an individual to determine when, how and to what extent his or her personal data will be shared with others.
Breach of privacy means unauthorized use, distribution or disclosure of personal information such as medical records, sexual preferences, financial status, etc.
Confidentiality
It means non-disclosure of information to unauthorized or unwanted persons.
In addition to personal information, there is other information that is useful to a business and whose leakage to other persons may cause damage to the business or person; such information should be protected.
Generally, to protect the secrecy of such information, the parties sharing it form an agreement about the procedure for handling the information, and undertake not to disclose it to third parties or use it in such a way that it will be disclosed to third parties.
Many times a party or its employees leak such valuable information for monetary gain, causing a breach of the contract of confidentiality.
Special techniques such as social engineering are commonly used to obtain confidential information.