New strain of Ransomware (WannaCry) affecting numerous PCs across Europe

Please read the information below regarding a new strain of Ransomware (WannaCry) which has been affecting numerous PCs and was the cause of the NHS computer shutdown yesterday.

On May 12, 2017 a new ransomware strain, Ransom.CryptXXX (WannaCry), began spreading widely, impacting a large number of organisations, particularly in Europe. WannaCry (Wcry) demands a ransom of $300 to $600 in Bitcoin to be paid by May 15 or, if that deadline is missed, a higher fee by May 19. The message left on the screen states that the files will otherwise remain encrypted. It is not yet clear whether there are flaws in the encryption scheme that might allow victims to restore their files without paying the ransom.

The initial attack vector has been email, delivered as spam. These messages are typically fake invoices, job offers and other lures sent to random email addresses. The email carries a .zip attachment which, once opened, starts the WannaCry infection.

Prevention

You should be extremely suspicious of all e-mails you receive, particularly those that ask the recipient to open attached documents or click on Web links.

Windows Updates

Please also make sure that all Windows updates are installed and up to date.

  • In Windows 10, click the Start button, then Settings (the cog icon), then press “Check for updates”.
  • In Windows 7, open Control Panel, select the Windows Update icon and then check for updates.

In both cases allow all critical updates to download and install.

If you are affected

If you are affected by this Ransomware you should immediately disconnect your PC from any network connections and contact Firecrest IT Ltd.

Gwent Now alert regarding phishing emails to University addresses

Fraudsters are sending out a high number of phishing emails to university email addresses claiming to be from the recipient’s own HR department. The sender addresses are either spoofed or, in some cases, compromised university email accounts.

The email claims that the recipient is entitled to a pay rise from their department and to click on a link to claim the pay rise.

This link then takes you to a spoofed university website which tells you to enter your personal details (including university login details and financial information). The financial details can then be used by criminals, and the login details are usually passed around and sold for future fraud campaigns.

It is advisable that all universities prompt all staff and students to change any password associated with their university email/IT accounts. Due to potential data breaches, it is recommended that universities discuss with their IT departments issuing a mandatory password reset for all users.

Please also consider the following actions:

  • Don’t click on links or open any attachments you receive in unsolicited emails or SMS messages. Remember that fraudsters can ‘spoof’ an email address to make it look like one used by someone you trust. If you are unsure, check the email header to identify the true source of communication. Information on how to locate email headers can be found at https://mxtoolbox.com/Public/Content/EmailHeaders/
  • Use strong passwords which include a mixture of letters, numbers and special characters, and include both upper and lower case characters. Furthermore, using random words is encouraged, as opposed to passwords with personal meanings (e.g. children’s names).
  • Always install software updates as soon as they become available. Whether you are updating the operating system or an application, the update will often include fixes for critical security vulnerabilities.
  • If you think your bank details have been compromised, you should immediately contact your bank.
  • If you have been affected by this, or any other fraud, report it to Action Fraud by calling 0300 123 2040, or visiting www.actionfraud.police.uk.
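
As an added illustration of the header check in the first bullet (this is not part of the Gwent Now alert or of Firecrest’s own tooling), the Python script below reads a message’s headers, compares the domain in From with the domain in Return-Path, and reports the relay named in the earliest Received line. The two sample messages, and every domain and IP address in them, are constructed placeholders.

```python
"""Added example: inspect e-mail headers to find a message's true origin.

Not part of the Gwent Now alert. The sample messages, the domains
(university.example, bulk-sender.example) and the IP addresses below are
constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing sample: From claims the university's HR department,
# but the bounce address and the first relay belong to another domain.
PHISH_EML = """\
Return-Path: <bounce-4471@bulk-sender.example>
Received: from mx1.university.example (mx1.university.example [192.0.2.10])
 by mailstore.university.example with ESMTP id A1; Tue, 16 May 2017 09:14:02 +0100
Received: from bulk-sender.example (unknown [198.51.100.23])
 by mx1.university.example with ESMTP id A0; Tue, 16 May 2017 09:14:01 +0100
From: "HR Department" <hr@university.example>
To: staff@university.example
Subject: Your pay rise is ready to claim

Click the link below to claim your pay rise.
"""

# Constructed internal sample: every hop stays inside the university domain.
LEGIT_EML = """\
Return-Path: <hr@university.example>
Received: from smtp.university.example (smtp.university.example [192.0.2.20])
 by mailstore.university.example with ESMTP id B0; Tue, 16 May 2017 10:00:00 +0100
From: "HR Department" <hr@university.example>
To: staff@university.example
Subject: Payroll calendar for June

The payroll calendar is on the intranet page.
"""

# "from <helo-name> (<reverse-dns> [<ip>])" as most mail servers write it
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.IGNORECASE)


def domain_of(header_value):
    """Domain part of the first address in a From or Return-Path header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def originating_relay(msg):
    """Host name and IP from the earliest Received header.

    Each server prepends its own Received line, so the last one in the
    list is the hop closest to the sender. A sender can forge lines below
    the one your own border mail server adds, so treat this as a clue,
    not as proof."""
    received = msg.get_all("Received") or []
    if not received:
        return {"helo": "", "ip": ""}
    match = RECEIVED_FROM.search(received[-1].replace("\n", " "))
    if not match:
        return {"helo": "", "ip": ""}
    ip = re.search(r"\[([0-9.]+)\]", match.group(2))
    return {"helo": match.group(1).lower(), "ip": ip.group(1) if ip else ""}


def in_domain(host, domain):
    """True if host is the domain itself or a sub-host of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def analyse(raw):
    """Summarise origin indicators and list the reasons a message looks spoofed."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    return_dom = domain_of(msg["Return-Path"])
    origin = originating_relay(msg)
    reasons = []
    if return_dom and return_dom != from_dom:
        reasons.append("Return-Path domain differs from From domain")
    if origin["helo"] and not in_domain(origin["helo"], from_dom):
        reasons.append("first relay is outside the From domain")
    return {
        "from_domain": from_dom,
        "return_path_domain": return_dom,
        "origin": origin,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        print(label, analyse(sample))
```

The script deliberately reads only the headers the mxtoolbox page above tells users to look at; a mismatch between From and Return-Path, or a first relay outside the claimed domain, is the same signal a person sees when they open the raw headers.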

Thanks to Gwent Now

Protect against the Locky virus

According to recent reports, massive volumes of JavaScript attachments are being spammed out that contain dangerous ransomware.

We recommend taking the following additional precautions to protect your install base:

  • Make sure your mail protection solution is blocking macro-enabled documents and .js scripts
  • Ensure that you have blocked user access to downloading Tor by blacklisting the following URL: www.torproject.org/download/download-easy.html (the Locky virus in particular relies on downloading and installing the Tor browser and some versions may use Tor to contact the command and control servers)
  • Block any items falling under the category of “proxy avoidance” or “anonymizers.”
  • Disable Java in client browsers.
  • We also suggest that access to the following IPs be completely blocked at the firewall:
    • 5.34.183.195
    • 51.254.19.227
    • 185.14.29.188
    • 31.184.197.119
    • 91.219.29.55
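
The first precaution above, rejecting macro-enabled documents and .js scripts at the mail gateway, can be checked offline. The Python script below is an added example, not Firecrest’s tooling or any vendor’s product: it builds a constructed message carrying a .zip that contains a .js file, a bare .js file and a harmless .pdf, then lists the attachments a filter should reject, looking inside archives as well because the WannaCry lures described earlier on this page arrive as .zip attachments. The extension list and the sender domains are assumptions.

```python
"""Added example: flag risky mail attachments, including scripts inside .zip files.

Not Firecrest's own tooling. The sample message, its sender domain and
the attachment contents are constructed placeholders; the blocked
extension list is an assumption a gateway owner would tune.
"""
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Script and macro-enabled document types that a gateway should reject
# (assumed list; extend to match your own policy)
BLOCKED_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
               ".docm", ".dotm", ".xlsm", ".pptm"}


def ext_of(name):
    """Lower-cased extension of a file name, '' if there is none."""
    return os.path.splitext(name or "")[1].lower()


def risky_attachments(raw):
    """Return a list of findings for attachments that should be blocked.

    Archives are opened in memory so a script hidden one level inside a
    .zip is caught; an unreadable archive is also reported, since a filter
    cannot vouch for what it cannot inspect."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = ext_of(name)
        if ext in BLOCKED_EXT:
            findings.append("%s: blocked extension" % name)
        elif ext == ".zip":
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as archive:
                    for inner in archive.namelist():
                        if ext_of(inner) in BLOCKED_EXT:
                            findings.append(
                                "%s -> %s: blocked extension inside archive"
                                % (name, inner))
            except zipfile.BadZipFile:
                findings.append("%s: unreadable archive" % name)
    return findings


def build_sample():
    """Constructed invoice lure: a zipped .js, a bare .js and a clean .pdf."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("invoice_2017.js", "// constructed placeholder, not a real script\n")
    msg = EmailMessage()
    msg["From"] = "accounts@bulk-sender.example"
    msg["To"] = "staff@company.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="invoice_2017.zip")
    msg.add_attachment(b"// constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="update.js")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for finding in risky_attachments(build_sample()):
        print(finding)
```

The check is by file name only, which is what the bullet asks a mail filter to do; a production gateway would also look at the declared content type and the file’s leading bytes, since a script renamed to .txt passes a name check but not a content check.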


HMRC Email scam

We have been tracking a new email scam which appears to emanate from HM Revenue & Customs. The email suggests that the recipient is due a tax refund and asks them to download a form that is attached to the email. The body of the email is similar to that shown below.

Please do not respond to this email in any way, and do not download the form or provide any personal information. HMRC will never use this method to notify you of tax returns, and although the sender address looks genuine, it has been spoofed. If you have any concerns or would like to discuss this further, please contact us.

From: HM Revenue & Customs [mailto:refund-tax@hmrc.gov.uk]
Subject: Submit Your Tax Refund