link previews and Smart Compose

What’s changing 

We’re improving the Android and iOS experiences for Google Docs users with two new features. These were previously available on the web, and are now available on mobile as well: 

  • Link previews, which help you get context from linked content without bouncing between apps and screens. 
  • Smart Compose, which helps you write faster and with more confidence. 

Who’s impacted 

End users 

Why it’s important 

Together, these features will help make it easier and quicker not only to read and review content on mobile devices, but also to create and collaborate on content, wherever you are. 

Additional details 

Link previews 

Linked content can enrich documents with useful information, but if clicking a link means opening another window, that can be distracting and disrupt your reading flow.

Earlier this year, we launched link previews on the web. Now, we’re adding link previews to mobile as well. When you click on a link in Docs, dynamic information about the content will appear. This may include the title, description, and thumbnail images from public web pages, or the owner and latest activity for linked Drive files. This can help you decide whether to open linked content while staying in-context. 

Preview links in Google Docs on the web 


Preview links in Google Docs on mobile devices 

Smart Compose 

Getting started 

Admins: These features will be ON by default. There are no admin controls for them. 

End users: 

  • Link previews: This feature will be on by default. There is no setting to control the feature. 
  • Smart Compose: This feature may be on or off depending on whether you have turned it on or off on the web. When enabled, you’ll automatically see suggestions; swipe right to accept a suggestion. Visit the Help Center to learn more about using Smart Compose in Google Docs. 

Rollout pace 

Link previews in Docs, iOS and Web 

Link previews in Docs, Android 

Smart Compose in Docs, iOS 

Smart Compose in Docs, Android 

Availability 

  • Link previews in Docs: Available to all G Suite customers and users with personal accounts. 
  • Smart Compose in Docs: Available to all G Suite customers. Not available to users with personal accounts. 

Resources 



Net Universe offers all Google devices with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/google.
You can visit our Shop Online


Review presentations more quickly with new viewing interface on Google Slides Android app

Quick launch summary 

We’re improving the mobile viewing experience for Google Slides on Android. Rather than swiping to view slides one by one, you can now: 

  • Scroll through a vertical stream of slides. 
  • Pinch to zoom to get a closer look. 
  • Easily switch to editing, presenting, or casting content. 

Getting started 

  • Admins: There is no admin control for this feature. 
  • End users: To use the feature, open a presentation in the Slides app on Android. Visit our Help Center to learn more about how to use Google Slides on Android. 

Rollout pace 

Availability 

  • Available to all G Suite customers and users with personal accounts. 

Resources 



HireRight with Zoho Recruit – Zoho Blog

Hiring a new employee is a significant investment for a company. The hope is they’ll be with the organization for a long time and continuously deliver great work that positively impacts the business.

Unfortunately, there are times when you hire someone and they turn out not to be a good fit for your organization. In the best-case scenario, you would quickly realize the situation for what it is, let the person go, and they could move on to a role that is better suited for them. In the worst case scenario, they could struggle for a long while to do the job, causing both you and them frustration. This lowers workplace morale and hinders your company’s productivity. In the end, you’re still left having to let a person go and find another candidate for the role.

You can lower the chances of making a bad hire by conducting background checks before you make employment offers to candidates. A check will reveal any details the person may have hidden or been dishonest about during the interview process.

It’s essential to hire honest people, but why else are pre-employment background checks necessary? Let’s explore the advantages:

  • Verify the candidate is qualified – Some people, unfortunately, embellish their work history or education when job searching. You could end up hiring someone unqualified if you fail to check their background.

  • Perform a character check – Even if someone only slightly exaggerates their experience, it’s a sign of dishonesty. Ensure your company only hires moral people by verifying an applicant’s resume is 100% accurate.

  • Keep your workplace safe – The importance of protecting your employees, customers, and company goes without saying. Background checks save you from hiring dangerous individuals.

  • Reduce your company’s liability – Your company can decrease insurance costs and avoid needless lawsuits by only hiring people who clear your pre-employment screenings.

  • Avoid bad hires – Hiring the wrong person is costly and frustrating. Making the small effort to conduct a background check before you hire someone could prevent major problems from occurring later.

Work with a background check provider like HireRight.  

Partnering with a background check provider is the key to successfully and efficiently conducting pre-employment screenings. It is difficult for employers to collect information from all the essential sources on their own, and numerous federal and state laws must be followed along the way. 

HireRight is a background check provider that integrates with Zoho Recruit. They provide more than 100 background screening services across more than 200 countries and territories. Additionally, HireRight offers other advantages, such as:

    • Data with integrity – HireRight’s background screening proficiency and extensive verification processes mean customers can feel comfortable working with accurate, meaningful results.

    • Accuracy – Artificial intelligence and machine learning technologies ensure accurate information on candidates. HireRight’s dispute rates are lower than the industry average.

    • Fast turnaround times – To help customers make decisions even faster, HireRight delivers quality-checked, real-time results, accelerates communications between third parties, and leverages mobile-first technology to speed up the time to hire.

“HireRight’s integration with Zoho provides another option for recruiters who are looking for solutions that will help manage the recruiting and hiring process from beginning to end,” said Jim Daxner, Chief Product Officer at HireRight. “We believe both Zoho and HireRight’s customers will truly benefit from this new partnership and look forward to continuing to work together to offer a streamlined and efficient process for finding qualified candidates.”

The Zoho Recruit integration with HireRight allows users to order background screening services from HireRight directly from within their Zoho Recruit account.


Shravan


Product Marketer at Zoho Recruit.

Net Universe offers all Zoho subscriptions and consultant services with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/zoho.

Zoho launches BackToWork to future-proof your workplace

As we continue to navigate the COVID-19 pandemic and its aftermath, organizations are looking to reopen their workplaces and prepare for returning employees. But with no long-term solution to the coronavirus in sight, businesses across the globe are struggling.

To get back on track, organizations will be forced to spend a lot of time and effort on ensuring compliance and safety, instead of on their core business strengths. True to our vision at Zoho, we’ve created a comprehensive application to help businesses make this transition. Zoho BackToWork enables organizations to return to the workplace safely and securely.

What should organizations ensure before getting back to office?

For many organizations, getting back to normal operations means going back to a physical office or site—whether with all employees or a small percentage of their workforce. However, doing this without a system in place to ensure the safety of employees, customers, and other stakeholders can turn into a disaster. There are four important aspects to successfully going back to the office:

  • Ensuring employee safety

  • Publishing compliance guidelines

  • Effectively communicating

  • Managing assets and facilities

Major challenges to reopening 

  • Employee safety: To ensure regular self assessments, contact tracing, touchless entry, and availability of necessary equipment and safety gear

  • Compliance: Adhering to government guidelines and drafting company policies accordingly

  • Responsiveness: A detailed plan of action, to respond to new cases if/when they occur—like sanitizing floors and quarantining employees who came in contact with infected individuals

A framework for safe operations

Digital transformation is needed to ensure safe, sustained business operations. BackToWork is a ready-to-use app that focuses on workforce readiness. It comes with six prebuilt modules that cover all aspects of concern an organization will have when returning to the workplace:

  • Admin control center module – Welcome your staff back to a safer office space. This dashboard empowers top-level management to assess the preparedness of facilities better, and view individual employee health statuses.

  • Wellness module – Provide industry-approved surveys. This dashboard lets you circulate and collect self-assessment and contact-tracing forms, and oversee organization-wide health information.

  • Safe entry module – Determine which employees are ready to work from the office. With this module, perform employee self-assessments, segregate high-risk groups, and evaluate entry requests from employees and visitors.

  • Employee self-service module – On this dashboard, you can manage asset requests, ranging from office supplies to sanitizer to office space maintenance.

  • Communications module – Correspond with staff over the phone and the web, and share guidelines, best practices, frameworks, and announcements in a coordinated manner.

  • Volunteer module – Give back to the community. This module allows organizations to recruit employees, and organize and execute volunteer drives.

Ease of use is a core element of BackToWork

Organizations can deploy with a one-step onboarding process after signing up. Post-deployment, the admin can add employees by importing or uploading from an existing employee list, or by pulling data via easy integrations with Zoho People, Active Directory, Zoho Directory, and BambooHR.

After completion, employees can access the application on the web, and from iPhone and Android devices. The application is practical and feature-rich, to tackle the situation at hand. To ensure a seamless transition, BackToWork allows you to:

  • Dynamically control the number of employees and visitors that a building can accommodate

  • Decide how frequently self-assessment needs to be done, regardless of whether employees are visiting the workplace or not

  • Mandate employees to fill in self-assessments every day they visit the office

  • Restrict the number of employees who commute to the office via public transportation and/or carpooling, or who have a recent travel history

  • Customize the cool-off period for an employee who’s recently recovered from COVID-19

  • Control the approval process for asset and maintenance requests

Overall, there’s little to no learning curve, and we provide detailed step-by-step documentation from both the employer and employee perspective to make adoption seamless.

Furthermore, Zoho BackToWork is available in multiple languages. The app is scalable and modular, so it can be customized based on business needs, as the underlying low-code platform, Zoho Creator, supports app localization in 62 languages, custom workflows, AI, third-party integrations, portals, and much more.

Pricing and availability

As part of Zoho’s ongoing effort to support businesses during these uncertain times, BackToWork will be offered free of charge until the end of 2020. After that period, it will cost $2 USD/user/month for all regions.

The journey so far has been no small feat, and returning to work won’t be, either. It’s time to future-proof your workplace. To learn more, reach out to us at [email protected].


one tool for all your lookup queries

If you’re an admin or even a user, you’ve probably had to perform lookup operations at some point. These might range from DNS lookup operations to simple IP lookups or port checks. Wouldn’t it be nice to find all these options in one place instead of having to switch between multiple services? Good news: we at Zoho Mail built the Toolkit to help you with just that.

Toolkit for lookup queries

Toolkit is a completely free, comprehensive service that can be used to troubleshoot or solve email-related issues, such as retrieving domain information, looking up registry details, performing port and IP checks, and running DNS record checks. Better still, Toolkit can be used by anybody on the internet, not just Zoho account holders.

How can I use Toolkit?

Toolkit has something for everyone! Here’s how you can make the most of it for your organization or even for yourself.

Look up domain details
Toolkit offers several domain-related lookup options. Just by entering the name of any domain, you can view all DNS records associated with it. You can even check whether the basic domain configurations that ensure security and email deliverability—such as MX, SPF, and DKIM—have been done.
You can also view registry details and other information like renewal date using Toolkit.

Analyze message headers
While some email solutions like Zoho Mail provide built-in header analyzers, some do not. But if you get an email that you think is suspicious, don’t worry. Once you provide the header details of an email, Toolkit can give you the exact information you need to verify its authenticity.

Perform IP-based lookups
If you want to find out if there is a domain hosted from a specific IP address, Toolkit’s reverse lookup tool can help. Enter the relevant IP address and Toolkit will find any associated domains.

Check for open ports and encode/decode URLs
Look for any open ports for a specific host using the Port Check option.
You can encode or decode URLs or text to ensure it’s encrypted before sending it out. Pick from the available encode or decode options, and you’re all set to go!

These are just some of the options Toolkit provides to simplify email-related troubleshooting.

While we keep working to enrich Toolkit with more features, start using Toolkit from here and find all the necessary instructions on the Toolkit help page. Do leave your feedback and suggestions as comments below!


Access checker for Slides ensures inserted video and audio is playable

What’s changing 

Access checker is a feature in Gmail and Google Chat that ensures the recipients of a Drive file have permission to access it. We’re now expanding Access checker to Google Slides, to make sure that anyone who is viewing or presenting a Slides presentation can play embedded videos and audio files. 
When you insert a video or audio file that is stored in Drive into Slides, Access checker will automatically look to see if the people who have access to the presentation also have access to the audio or video file you just inserted. If they don’t, Access checker will suggest changing the permissions for the audio or video file so that all viewers, commenters, editors, and owners of the presentation will be able to see and hear its content. 

We are also working toward launching functionality in the future that will perform an access check for all Drive video and audio files in the presentation after you share the presentation with additional users. At that point, we may suggest permission changes for multiple files used in the presentation. We will post any updates about this in-progress feature on the G Suite Updates Blog. 

Who’s impacted 

End users 

Why it’s important 

When a user can’t play videos and audio files within a presentation, it can be disruptive. When presenting, it can be an awkward or negative experience for the presenter. However, manually checking that permissions are correct before presenting or distributing a presentation is time-consuming. By adding Access checker to Google Slides, we’re making it easier to ensure all viewers of the presentation will get a complete experience. 

Getting started 

Rollout pace 

  • Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on August 4, 2020 
  • Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on August 26, 2020 

Availability 

  • Available to all G Suite customers and users with personal accounts. 

Resources 



Useful tips and tools for more productive remote meetings


Over the past few months, employees all over the globe have been forced to adapt to working remotely. This has given rise to a huge challenge: finding a suitable replacement for the interactions that we’d normally have in a workplace. Communication is far easier when you’re having a face-to-face conversation. However, there’s always the next best thing—online meetings.

Apart from their conventional uses, online meeting tools are being adapted for different purposes around the world. Teachers are using them to conduct online classes for their students, doctors are delivering care to their patients with telehealth visits, actors are performing plays for their digital audience, and organizational leaders are holding virtual townhalls to address their employees.

Don’t cancel interactions, just take them online

Whether you want to stay connected with your team’s progress with weekly update meetings, start a conversation with a prospect, or even hold a virtual event, you can do it all by simply connecting your online meeting tools with Zoho CRM.

In addition to Zoho Meeting, here’s a list of third-party online meeting tools that Zoho CRM seamlessly integrates with:

Add efficiency to every stage of your online meeting

Before

  • Schedule online meetings right from Zoho CRM
  • Connect quickly with your leads and contacts through automatic invites and instant-meeting links
  • Receive automatic reminders leading up to the online meeting

During

  • Launch online meetings directly from Zoho CRM or even the reminders you receive
  • Track participant engagement with activity tracking and attendance data

After

  • Share meeting recordings with participants easily
  • Receive comprehensive post-meeting statistics that can help optimize your meeting effectiveness
  • Automatically update meeting information in the Events module

The benefits don’t end there! Zoho CRM also integrates with e-signature apps, chat systems, and other tools that can help you easily collaborate with both your team and clients when working remotely.

Explore all Remote Work extensions for Zoho CRM


Notebook updates: create tables, merge note cards, and more

Hi everyone,

We’re back with more Notebook updates. From our most requested feature to exciting bug fixes, we’re excited to tell you about what’s been implemented and updated.

Create tables

One of the most requested functionalities for Notebook is the ability to create tables in Text Cards, and we’re happy to say you can now find the option to create a table in the editor toolbar across all platforms. While creating a table in a text card is currently only possible in the Notebook mobile app, you can perform these actions on the desktop and web apps: 

Remove formatting

We don’t always want to import formatting to our Text Cards. Different websites have different styles, so when we copy and paste content into Notebook, we often end up pasting the formatting. You can now remove previous formatting from any copied content before you paste into a Text Card. Your preference will be stored in the app settings and you can change it anytime. You can also entirely remove a Text Card’s formatting to make it plain text.

Merge note cards

Have you ever had related notes spread across multiple note cards? Have you ever pasted the content of a note into another to make it a single note card? Notebook now makes it easier to merge note cards into one. Please note, only similar note cards can be merged at this time. For example, you can only merge a Text Card with other Text Cards.

Export data

Your data is always yours. You can now export your Notebook data at any time and back it up in any place of your choice. Users who use Notebook without a Zoho account can multi-select note cards and notebooks and export all as a ZIP file. Zoho users can request to download the entirety of their Notebook data, either in HTML or ZNote format. You will receive an email with a download link once the export is completed. You can import these files again using the Notebook app.

Reset passcode

Notebook is where many of us write important notes as well, and Notebook allows us to lock certain notes to secure them. Until now, only Zoho account users could reset their passcode if forgotten. Now, users without a Zoho account can also reset their passcode. Going forward, the Notebook app will ask you to set up a few security questions when you first set a passcode. You can answer those questions any time to reset your passcode.

Sort and filter

In addition to setting your preference to sort your note cards and notebooks, you can now set this preference at the individual view level. This means you can now have different sort preferences for your notebooks and note cards. Search and other views will still have your note cards sorted based on your last modification.

You can now apply filters to all note cards and notebooks to find the required note card or notebook easily. You can also apply filters additionally to the search term to narrow down your search results.

Sign in using WeChat

For all users in China, creating an account in Zoho is much easier now. Notebook now supports the option to sign in using WeChat. You can use this option on mobile apps to create a confirmed account with Zoho with a click.

Platform Updates:

Notebook for iOS

For all Apple users, Notebook is now compatible with the new iPad Pro. You can use the trackpad to navigate in the app and use keyboard shortcuts to work in the app. You can refer to this help guide to learn more about the trackpad features and keyboard shortcuts.

Apple users can use the “Sign In With Apple” option to create an account and sync notes across devices. With this option, you can choose whether or not to share your email address.

The Undo and Redo tools are now placed in the Text Card editor toolbar for easy access. You can also use these tools with Apple’s accessibility feature “Shake to Undo.”

Notebook for Android

We’ve added a new shortcut, “Add Note to Notification tray.” You can use this shortcut to pin a note to the notification bar to quickly access it again. We’ve also redesigned the push notification view. Now, you’ll never miss reminders and important announcements from the product.

Notebook for Mac

Notebook for Mac added window support in recent updates. Now, you can open a note card in a separate window and write without distractions.

Share files to the Notebook Mac app from anywhere on your Mac. Right-click the file you would like to share and choose the ‘Share’ action; Notebook is listed as one of the options.

Choose from a variety of fonts installed on your device to use in Notebook. If you’d like to use a font in Notebook, download and install that font on your device and set it as the “Editor Font” in your Notebook preferences.

Bookmark Cards now open inside the app. You can tap the Safari icon any time to open a Bookmark Card in the browser. Copying and pasting a multi-line checklist will create individual items in Notebook for Mac.

We hope you find these features and enhancements in Notebook helpful in increasing your productivity! Feel free to leave your feedback in the comments below or write to us at [email protected].


Five signs you’re about to be attacked – Sophos News

Whenever we work with ransomware victims, we spend some time looking back through our telemetry records that span the previous week or two. These records sometimes include behavioral anomalies that (on their own) may not be inherently malicious, but in the context of an attack that has already taken place, could be taken as an early indicator of a threat actor conducting operations on the victim’s network.

If we see any of these five indicators, in particular, we jump on them straight away. Any of these found during an investigation is almost certainly an indication that attackers have poked around: to get an idea of what the network looks like, and to learn how they can get the accounts and access they need to launch a ransomware attack.

Attackers use legitimate admin tools to set the stage for ransomware attacks. Without knowing what tools administrators normally use on their machines, one could easily overlook this data. In hindsight, these five indicators represent investigative red flags.

  • A network scanner, especially on a server.

Attackers typically start by gaining access to one machine, where they search for information: is this a Mac or a Windows machine, what are the domain and company names, what kind of admin rights does the computer have, and more. Next, attackers will want to know what else is on the network and what they can access. The easiest way to determine this is to scan the network. If a network scanner, such as AngryIP or Advanced Port Scanner, is detected, question admin staff. If no one cops to using the scanner, it is time to investigate.

A network scanner found among a repository of tools used by Netwalker ransomware

  • Tools for disabling antivirus software.

Once attackers have admin rights, they will often try to disable security software using applications created to assist with the forced removal of software, such as Process Hacker, IOBit Uninstaller, GMER, and PC Hunter. These commercial tools are legitimate, but they are just as effective in the wrong hands, so security teams and admins need to question why they have suddenly appeared.

Any detection of Mimikatz anywhere should be investigated. If no one on an admin team can vouch for using Mimikatz, this is a red flag, because it is one of the most commonly used hacking tools for credential theft. Attackers also use Microsoft Process Explorer, included in Windows Sysinternals, a legitimate tool that can dump LSASS.exe from memory, creating a .dmp file. They can then take this file to their own environment and use Mimikatz to extract user names and passwords on their own test machine, away from the victim’s security tooling.

Mimikatz and related PowerShell scripts used to launch it, found among a repository of tools used by the Netwalker ransomware threat actors

  • Patterns of suspicious behavior

Any detection happening at the same time every day, or in a repeating pattern, is often an indication that something else is going on, even if the malicious files have been detected and removed. Security teams should ask, “Why is it coming back?” Incident responders know it normally means that something else malicious has been occurring that hasn’t (as of yet) been identified.

Occasionally, attackers deploy small test attacks on a few computers in order to see whether the deployment method and the ransomware execute successfully, or whether security software stops them. If the security tools stop the attack, the attackers change their tactics and try again. This shows their hand, and they know their time is now limited. It is often a matter of hours before a much larger attack is launched.
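The three indicators above are all questions a responder can ask of existing telemetry: did a dual-use tool (a network scanner, an AV-removal utility, Mimikatz) run on a host where no admin can vouch for it, and is the same detection firing at the same time of day on successive days? The following triage helper is an added example and is not Sophos code or its telemetry format; the event field names (`ts`, `host`, `role`, `event`, `name`), the process image names used to recognise the tools named in the article, the admin allowlist, and the sample telemetry are all constructed assumptions for the purpose of illustration.

```python
"""Triage helper for the pre-ransomware indicators discussed above.

Assumed telemetry format (an assumption for this example, not a real product
schema): a list of dicts with keys ts (ISO 8601), host, role ("server" or
"workstation"), event ("process" or "detection") and name (process image path
or detection name).
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set

# Tool families named in the article. The image names are illustrative
# assumptions; real deployments should key on hashes and signer, not names.
NETWORK_SCANNERS = {"ipscan.exe", "advanced_port_scanner.exe"}
AV_REMOVAL_TOOLS = {"processhacker.exe", "iobituninstaller.exe", "gmer.exe", "pchunter64.exe"}
# Process Explorer is a legitimate admin tool, but it can dump LSASS memory,
# so it is grouped with Mimikatz and left to the allowlist to clear.
CREDENTIAL_TOOLS = {"mimikatz.exe", "procexp.exe"}


def image_basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify_tool(image: str) -> Optional[str]:
    name = image_basename(image)
    if name in NETWORK_SCANNERS:
        return "network-scanner"
    if name in AV_REMOVAL_TOOLS:
        return "av-removal"
    if name in CREDENTIAL_TOOLS:
        return "credential-access"
    return None


def dual_use_tool_hits(events: List[dict], allowlist: Dict[str, Set[str]]) -> List[dict]:
    """Indicators 1 and 2: dual-use tools running where no admin vouched for them.

    allowlist maps a tool file name to the hosts where admin staff confirmed
    they use it ("question admin staff" from the article, recorded as data).
    """
    hits = []
    for ev in events:
        if ev["event"] != "process":
            continue
        category = classify_tool(ev["name"])
        if category is None:
            continue
        tool = image_basename(ev["name"])
        if ev["host"] in allowlist.get(tool, set()):
            continue  # an admin vouched for this tool on this host
        # A scanner on a server, or a credential-theft tool anywhere, is the
        # article's strongest red flag; anything else still warrants a look.
        severity = "high" if category == "credential-access" or ev["role"] == "server" else "medium"
        hits.append({"host": ev["host"], "tool": tool, "category": category, "severity": severity})
    return hits


def recurring_detections(events: List[dict], min_days: int = 3, tolerance_minutes: int = 10) -> List[dict]:
    """Indicator 3: the same detection on the same host at the same time of day
    on at least min_days distinct days (a scheduled task or persistence that
    keeps re-dropping a file the endpoint product keeps removing).
    Detections straddling midnight are not folded together; a real tool should
    handle that wrap-around.
    """
    first_hit_per_day = defaultdict(dict)  # (host, name) -> {date: minute of day}
    for ev in events:
        if ev["event"] != "detection":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        first_hit_per_day[(ev["host"], ev["name"])].setdefault(ts.date(), ts.hour * 60 + ts.minute)
    recurring = []
    for (host, name), per_day in first_hit_per_day.items():
        if len(per_day) < min_days:
            continue
        minutes = sorted(per_day.values())
        if minutes[-1] - minutes[0] <= tolerance_minutes:
            window = "%02d:%02d-%02d:%02d" % (minutes[0] // 60, minutes[0] % 60, minutes[-1] // 60, minutes[-1] % 60)
            recurring.append({"host": host, "detection": name, "days": len(per_day), "window": window})
    return recurring


# Constructed sample telemetry: one server scanned the network, one workstation
# ran Mimikatz, one admin workstation ran Process Hacker with permission, and a
# domain controller kept re-detecting the same dropper at roughly 02:15 each night.
SAMPLE_TELEMETRY = [
    {"ts": "2020-08-03T02:15:00", "host": "srv-dc01", "role": "server", "event": "detection", "name": "Generic.Dropper"},
    {"ts": "2020-08-04T02:16:00", "host": "srv-dc01", "role": "server", "event": "detection", "name": "Generic.Dropper"},
    {"ts": "2020-08-05T02:14:00", "host": "srv-dc01", "role": "server", "event": "detection", "name": "Generic.Dropper"},
    {"ts": "2020-08-05T09:40:00", "host": "srv-files01", "role": "server", "event": "process", "name": r"C:\Temp\ipscan.exe"},
    {"ts": "2020-08-05T10:02:00", "host": "ws-alice", "role": "workstation", "event": "process", "name": r"C:\Tools\processhacker.exe"},
    {"ts": "2020-08-05T10:30:00", "host": "ws-bob", "role": "workstation", "event": "process", "name": r"C:\Users\bob\Downloads\mimikatz.exe"},
    {"ts": "2020-08-05T11:00:00", "host": "ws-bob", "role": "workstation", "event": "detection", "name": "Generic.Dropper"},
]
ADMIN_ALLOWLIST = {"processhacker.exe": {"ws-alice"}}  # constructed: admin vouched for this use


if __name__ == "__main__":
    for hit in dual_use_tool_hits(SAMPLE_TELEMETRY, ADMIN_ALLOWLIST):
        print("tool hit:", hit)
    for rec in recurring_detections(SAMPLE_TELEMETRY):
        print("recurring detection:", rec)
```

Run as-is, the script reports the scanner on `srv-files01` and Mimikatz on `ws-bob` (both high), stays quiet about Process Hacker on `ws-alice` because an admin owned up to it, and flags `srv-dc01` for the dropper recurring at 02:14 to 02:16 on three consecutive days; the single detection on `ws-bob` is not enough to count as a pattern. The point of the allowlist is that "question admin staff" becomes recorded state, so the same tool on a different host still surfaces.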

Net Universe offers all Sophos devices and subscriptions, as well as consultant services, with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

The evasion arms race – Sophos News

Ransomware attacker tactics have shifted – sometimes drastically – over the past ten months. In order to evade detection by increasingly effective endpoint security, nearly every attack involves a live engagement on the part of one or more attackers, who first surveil and inventory the target’s network and then focus their attention on shutting down or disabling various protective layers. These interactive sessions have become de rigueur in virtually all successful attacks against well-defended targets.

Over the same time period, the average ransom demand also increased, and criminals expanded their attack portfolio to include the theft of highly sensitive information from the target’s network, usually done at an early phase of the attack. This increases the chances that a target will pay a ransom even if they have perfect backups and could restore from those backups immediately.

These two factors – the need to evade detection, and the need to strengthen the criminal’s hand in ransom negotiations – have been the dominant factors driving the most dramatic behavior changes, some of which we’ll discuss in this article. They also indicate the increasingly strenuous degree of effort it now requires to pull off a successful attack, a positive sign that the work defenders do has measurable effect on the attackers’ workloads.

What follows is an unscientifically chosen list of some of the escalations we found most interesting. We think these indicate a level of frustration on the part of the ransomware criminals at their inability to terminate or disable these security controls.

Unsafe Mode

In the fall of 2019, a ransomware named Snatch began doing something we don’t normally see happen during ransomware attacks: The infected computers rebooted into Windows Safe Mode, then began encrypting their hard drive.

The trick with Safe Mode in Windows is that it is designed to run with a minimal set of drivers and programs running in order to troubleshoot software problems. Booting into Safe Mode can inhibit endpoint protection, as that protection normally isn’t operational in Safe Mode.

There are certain situations where a PC needs a specific driver or file to run, even during Safe Mode, in order to do something critical (for example, have a working display). Snatch unexpectedly took advantage of this intentional feature of Safe Mode. During its infection process, the malware sets the registry keys that need to be there in order to run a particular file in Safe Mode. It plants its payload (the encrypting component), points the registry keys at it, and reboots the machine.

When the computer comes back up in Safe Mode, with the endpoint protection not loaded, the ransomware can launch its encryption payload and proceed to seal up key files on the hard drive unimpeded.
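The audit a defender would run against the Safe Mode trick described above, written as an added example for this article (it is not Sophos or Net Universe code): it compares an export of the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot key against a known-good baseline to surface entries newly allowed to run in Safe Mode, and reads `bcdedit` output for the `safeboot` option the forced reboot relies on. The same pass goes slightly beyond this section by also flagging `testsigning` and `nointegritychecks`, the boot options that switch off driver signature enforcement. The registry and bcdedit text are constructed, and `ExampleBackupSvc` is a made-up service name.

```python
import re
from typing import Dict, List, Tuple

# Constructed inputs; nothing below was captured from a real host.
# Baseline export of the SafeBoot\Minimal key from a known-good build, in
# `reg export` (.reg) format. Only a few of the many real entries are shown.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"
"""

# The same key exported after a Snatch-style modification: one extra service
# ("ExampleBackupSvc" is a made-up name) has been allowed to start in Safe Mode.
CURRENT_REG = BASELINE_REG + r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ExampleBackupSvc]
@="Service"
"""

# Constructed `bcdedit /enum {current}` output, clean and then with a forced
# Safe Mode boot (the option the malware needs for its reboot).
BCDEDIT_CLEAN = r"""Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
osdevice                partition=C:
systemroot              \Windows
"""
BCDEDIT_TAMPERED = BCDEDIT_CLEAN + "safeboot                Minimal\n"

SAFEBOOT_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"

# Boot options worth alerting on: forced Safe Mode, and the two that switch
# off driver signature enforcement.
BOOT_OPTIONS_OF_INTEREST = {"safeboot", "testsigning", "nointegritychecks"}


def parse_reg_defaults(reg_text: str) -> Dict[str, str]:
    """Map every key in a .reg export to its default ("@") value."""
    defaults: Dict[str, str] = {}
    key = None
    for line in reg_text.splitlines():
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            defaults[key] = ""
            continue
        m = re.match(r'^@="(.*)"$', line)
        if m and key is not None:
            defaults[key] = m.group(1)
    return defaults


def new_safeboot_entries(baseline: str, current: str) -> List[Tuple[str, str]]:
    """SafeBoot entries present now but absent from the baseline, as
    (relative key such as 'Minimal\\Name', default value) pairs."""
    known = parse_reg_defaults(baseline)
    return [
        (key[len(SAFEBOOT_PREFIX):], value)
        for key, value in parse_reg_defaults(current).items()
        if key.startswith(SAFEBOOT_PREFIX) and key not in known
    ]


def risky_boot_options(bcdedit_text: str) -> Dict[str, str]:
    """Return the interesting boot options that are set, with their values."""
    found: Dict[str, str] = {}
    for line in bcdedit_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in BOOT_OPTIONS_OF_INTEREST:
            found[parts[0].lower()] = parts[1].strip()
    return found


if __name__ == "__main__":
    print("new SafeBoot entries:", new_safeboot_entries(BASELINE_REG, CURRENT_REG))
    print("risky boot options:", risky_boot_options(BCDEDIT_TAMPERED))
```

The baseline diff is deliberately preferred over an allowlist of "normal" SafeBoot entries: the legitimate set varies by Windows build and installed hardware, while a per-image baseline captured at deployment time is cheap to keep and makes any addition stand out.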

Abusing Exploitable Drivers

Retrospective analysis of attacks by a ransomware known as Robbinhood revealed that the attackers installed an otherwise benign third-party device driver in order to leverage a vulnerability in that driver. The vulnerable driver provided a stepping stone to the rest of the attack.

In the case of the attacks we analyzed, the attackers behind Robbinhood loaded a long-disused motherboard driver digitally signed by Gigabyte, the hardware manufacturer. Recent updates to Windows 10 mean that only these kinds of digitally signed drivers can run under normal circumstances.

The attackers use the Gigabyte driver, ironically, to turn off the Windows feature that prevents the installation of hardware drivers that haven’t been cryptographically signed. Gigabyte withdrew the driver from public distribution several years ago and replaced it with newer software that isn’t vulnerable to the same type of abuse, but the RobbinHood operators found a copy and used it anyway.

RobbinHood’s code included a “SuperKillFile” command aimed at shutting down a wide variety of security products

Once RobbinHood disables this Driver Signature Enforcement feature, the attackers deliver yet another driver (this one unsigned) to the infected computer. The malware uses this second driver to operate at a level low enough that, the attackers believed, they could make an end-run around endpoint protection tools. Under the cover of this driver, the RobbinHood attackers attempted to either terminate or hobble a large number of files and processes associated with a wide variety of security software.

All this effort took place before the ransomware began encrypting files on the computer.
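A driver-load audit for the RobbinHood case, added here as an example and not the vendor’s code: the driver that matters is correctly signed, so a signature check alone clears it, and only a hash lookup against a blocklist of known-exploitable drivers (vendors publish such lists; the entry here is constructed) catches it. The inventory, the driver names and the image bytes are all made up; in practice they would come from `driverquery /v` or an EDR driver-load feed.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LoadedDriver:
    name: str
    path: str
    signer: Optional[str]  # None means no Authenticode signature
    image: bytes           # constructed stand-in for the .sys file contents


# Constructed blocklist entry. A real blocklist is a feed of hashes of drivers
# known to be exploitable (signed, but withdrawn); this hash is of made-up bytes.
_WITHDRAWN_DRIVER_IMAGE = b"constructed stand-in for a withdrawn, exploitable vendor driver"
VULNERABLE_DRIVER_HASHES = {
    hashlib.sha256(_WITHDRAWN_DRIVER_IMAGE).hexdigest(): "withdrawn vendor driver (example entry)",
}

# Where legitimately installed kernel drivers live on a Windows host.
EXPECTED_DRIVER_DIR = r"c:\windows\system32\drivers"


def audit_drivers(drivers: List[LoadedDriver]) -> List[Tuple[str, str]]:
    """Return (driver name, reason) for every loaded driver that deserves a look.

    A valid signature does not clear a driver: the RobbinHood attackers used a
    correctly signed but vulnerable driver, which only the hash check catches.
    An unsigned driver being loaded at all means signature enforcement has
    already been defeated, which is the second stage of the same attack."""
    findings: List[Tuple[str, str]] = []
    for d in drivers:
        digest = hashlib.sha256(d.image).hexdigest()
        if digest in VULNERABLE_DRIVER_HASHES:
            findings.append((d.name, f"hash on vulnerable-driver blocklist: {VULNERABLE_DRIVER_HASHES[digest]}"))
        if d.signer is None:
            findings.append((d.name, "unsigned driver loaded (signature enforcement bypassed?)"))
        if not d.path.lower().startswith(EXPECTED_DRIVER_DIR):
            findings.append((d.name, f"loaded from unexpected location: {d.path}"))
    return findings


# Constructed inventory: one normal driver, one signed-but-blocklisted driver
# dropped in a temp directory, and one unsigned driver loaded from a user path.
SAMPLE_INVENTORY = [
    LoadedDriver("disk", r"C:\Windows\System32\drivers\disk.sys", "Microsoft Windows",
                 b"constructed disk.sys image"),
    LoadedDriver("vendorboard", r"C:\Windows\Temp\vendorboard.sys", "Example Hardware Vendor",
                 _WITHDRAWN_DRIVER_IMAGE),
    LoadedDriver("helper", r"C:\Users\Public\helper.sys", None,
                 b"constructed unsigned helper image"),
]


if __name__ == "__main__":
    for name, reason in audit_drivers(SAMPLE_INVENTORY):
        print(f"{name}: {reason}")
```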

Extortion becomes an important secondary revenue stream

Several ransomware gangs have begun to leverage their presence on an enterprise network to steal sensitive corporate data at an early stage of the attack. Later, the attackers extort the victims with the threat of releasing this stolen information to the public. Maze, REvil/Sodinokibi, and Lockbit ransomware all engage in this secondary method of victimizing their targets.

Because new ransomware appears at a regular pace, we’ve been able to observe that most creators who launch a new ransomware family go through a similar set of growth stages over their first 6-9 months of operation, slowly escalating the feature set to incorporate a variety of techniques for establishing persistence and moving undetected within the network. Extortion is just the latest additional behavior we see from the more mature ransomware families.

Lockbit further thwarts analysis by not only deleting its own executable binaries but also overwriting the space those files occupied on the hard drive, so they can’t be recovered with data recovery software. It also carries a long list of software it tries to terminate, including some programs with no security function: the malware simply wants to make sure these programs are closed so any open documents can be overwritten more effectively during the encryption phase.

A segment of Lockbit ransomware’s code that attempts to kill security tools

When in doubt, bring your own computer

One ransomware evasion technique that really stood out was attempted by Ragnar Locker: The malware could not perform its encryption while Intercept X was loaded, so the attackers built a headless Windows image for a VirtualBox hypervisor, and put the VM on every box they wanted to attack.

It was a devious ploy, since any actions taken by the ransomware running inside the guest operating system appeared to have been taken by the process running the hypervisor. Since that is a trusted application, endpoint protection didn’t immediately kick in when the attackers executed all their commands from inside the VM guest.

The virtual machine was comparatively huge, with an installer of more than 122MB, given that ransomware binaries aren’t usually more than a few MB in size. This was a real chonk. The attackers bundled an installer for an old copy of VirtualBox and the guest operating system disk image into an MSI file, then tried to download a copy and launch it on every infected endpoint.

Only once the virtual environment was set up did the malware begin preparing its environment and then encrypting the hard drive. Initially, it appeared that the trusted VirtualBox process was the origin of the ransomware’s file-encrypting behavior on the host computer, which was confusing for a number of reasons.
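The lesson of the Ragnar Locker VM is that a behavioral rule must not exempt a process because it is signed or well known. As an added example (not Sophos code), here is a small detector over constructed Sysmon-style file events that flags any process which, within a short window, writes into several directories and renames documents to a foreign extension, without ever looking at the `signed` field. `VBoxHeadless.exe` is the real name of VirtualBox’s headless VM process; the user paths, the backup tool and the `.locked` suffix are made up.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed Sysmon-style file events (not real telemetry).
SAMPLE_EVENTS = r"""
2020-05-20T09:00:01Z pid=4120 image=C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe signed=yes op=WRITE path=C:\Users\alice\Documents\q1.xlsx
2020-05-20T09:00:01Z pid=4120 image=C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe signed=yes op=RENAME path=C:\Users\alice\Documents\q1.xlsx.locked
2020-05-20T09:00:02Z pid=4120 image=C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe signed=yes op=WRITE path=C:\Users\alice\Desktop\notes.docx
2020-05-20T09:00:02Z pid=4120 image=C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe signed=yes op=RENAME path=C:\Users\alice\Desktop\notes.docx.locked
2020-05-20T09:00:03Z pid=4120 image=C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe signed=yes op=WRITE path=C:\Shares\finance\budget.pdf
2020-05-20T09:00:03Z pid=4120 image=C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe signed=yes op=RENAME path=C:\Shares\finance\budget.pdf.locked
2020-05-20T09:00:05Z pid=2210 image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE signed=yes op=WRITE path=C:\Users\alice\Documents\~WRD0001.tmp
2020-05-20T09:00:05Z pid=2210 image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE signed=yes op=RENAME path=C:\Users\alice\Documents\report.docx
2020-05-20T09:10:00Z pid=3300 image=C:\Program Files\ExampleBackup\backup.exe signed=yes op=WRITE path=C:\Backups\alice\Documents\q1.xlsx
"""

EVENT_RE = re.compile(r"^(\S+) pid=(\d+) image=(.+?) signed=(yes|no) op=(\w+) path=(.+)$")
DOCUMENT_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg"}


@dataclass
class FileEvent:
    ts: datetime
    pid: int
    image: str
    signed: bool  # parsed, but deliberately never consulted by the detector
    op: str
    path: str


def parse_events(text: str) -> List[FileEvent]:
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, pid, image, signed, op, path = m.groups()
        events.append(FileEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                int(pid), image, signed == "yes", op, path))
    return events


def win_dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def renamed_away_from_document(path: str) -> bool:
    """True for names like 'q1.xlsx.locked': a document extension buried under
    a foreign one, the usual look of a file renamed after encryption."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-1] not in DOCUMENT_EXTS and "." + parts[-2] in DOCUMENT_EXTS


def flag_mass_modifiers(text: str, window_seconds: int = 60, min_dirs: int = 3) -> List[Tuple[int, str]]:
    """Processes that, inside one window, touch files in at least `min_dirs`
    directories and rename at least one document to a foreign extension.
    Whether the image is signed never enters into it: a signed hypervisor
    doing this is exactly the Ragnar Locker case."""
    by_proc: Dict[Tuple[int, str], List[FileEvent]] = defaultdict(list)
    for ev in parse_events(text):
        by_proc[(ev.pid, ev.image)].append(ev)
    window = timedelta(seconds=window_seconds)
    flagged = []
    for key, evs in by_proc.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            dirs, renamed_away = set(), False
            for ev in evs[i:]:
                if ev.ts - start.ts > window:
                    break
                if ev.op in ("WRITE", "RENAME"):
                    dirs.add(win_dirname(ev.path))
                if ev.op == "RENAME" and renamed_away_from_document(ev.path):
                    renamed_away = True
            if len(dirs) >= min_dirs and renamed_away:
                flagged.append(key)
                break
    return flagged


if __name__ == "__main__":
    for pid, image in flag_mass_modifiers(SAMPLE_EVENTS):
        print(f"mass file modification by pid {pid}: {image}")
```

Word’s own temp-file-then-rename save pattern stays below the bar because it lives in one directory and the final name keeps a document extension; the thresholds are illustrative and would be tuned per environment.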

An increasing use of open source or public tools (and a growing library of exploits)

Discovering the malware repository used by the attackers behind the Netwalker ransomware gave us a lot of insight into the planning and technique required to carry out an attack. One thing it revealed was just how many free or open source tools the attackers needed to use throughout the attack.

The attackers’ library contained a comprehensive set of tools used to perform reconnaissance on targeted networks; privilege-elevation and other exploits against Windows computers; and utilities that can steal, sniff, or brute-force their way to valuable information (including Mimikatz, and variants called Mimidogz and Mimikittenz, designed around avoiding detection by endpoint security) from a machine or network.

We also found a nearly complete set of the Microsoft SysInternals PsTools package, a copy of NLBrute (which attempts to brute-force passwords), installers for the commercial TeamViewer and AnyDesk remote support tools, and a number of utilities created by endpoint security vendors that are designed to remove their (and other companies’) endpoint security and antivirus tools from a computer.

Once inside the network of their target, the attackers apparently use the SoftPerfect Network Scanner to identify and create target lists of computers with open SMB ports, and subsequently may have used Mimikatz, Mimidogz, or Mimikittenz to obtain credentials.

The files we recovered also revealed their preferred collection of exploits. Among them, we found variations on the EternalDarkness SMBv3 exploit (CVE-2020-0796), a CVE-2019-1458 local privilege exploit against Windows, the CVE-2017-0213 Windows COM privilege escalation exploit published on the Google Security Github account, and the CVE-2015-1701 “RussianDoll” privilege escalation exploit.

What happens in memory stays in memory

This year’s outbreaks of the WastedLocker ransomware brought attention to this newcomer. The malware has already been implicated in some serious attacks, including one against GPS device manufacturer Garmin, which reportedly paid a hefty ransom in order to restore business operations. WastedLocker has taken a different approach to the ransomware detection-evasion playbook by performing most of its malicious operations within volatile system memory, using a technique called memory-mapped I/O.

This behavior has some benefits for the attacker. With “traditional” ransomware, the malware’s behavior is observable because a binary executable makes a large number of file reads and writes as it encrypts the victim’s important data. Behavioral detection engines that look for this type of unusual activity would alert the user and/or halt the operation, limiting the damage. Because WastedLocker reduces the number of detectable reads and writes by a significant percentage, it may fall below the thresholds that govern suspicious activity in some behavioral detection rules.

In addition, WastedLocker takes advantage of an unintended consequence of how Windows manages memory, using a component called the Cache Manager. The Cache Manager is a kernel component that sits between the file system and the Memory Manager. The Memory Manager keeps an eye on memory that has been modified (known as “dirty pages”).

If a process encrypts the mapped memory, the Memory Manager knows which pages need to be written back to disk. This writing is done by the Cache Manager’s “Lazy Writer” component; dirty pages are allowed to accumulate for a short time, and are then flushed to disk all at once, reducing the overall number of disk I/O operations.

As a secondary unintended consequence, the writing of modified files from their “dirty pages” back to the filesystem is done in the context of the System process (PID 4) rather than the ransomware process, which further complicates behavioral detection. After all, nobody wants to crash a victim’s computer because an antimalware utility decided that the operating system itself was harming the computer. This technique can also hamstring less sophisticated behavioral detection.
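A content-based check that survives the Cache Manager trick, added as an example for this article rather than taken from Sophos: when changes are made through a memory mapping, the process makes no write() calls and the flush later happens in the System process, so per-process I/O counting sees nothing; the bytes on disk still change, and the Shannon entropy of the file shows it. `demo()` builds a temporary low-entropy document, rewrites it through a mapping (the uniform byte pattern stands in for the statistical effect of encryption; it is not an encryption routine), and shows the entropy-based flag fire. File names and contents are constructed.

```python
import math
import mmap
import os
import tempfile
from collections import Counter
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for English text, approaching 8.0 for
    encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_of_file(path: str) -> float:
    with open(path, "rb") as f:
        return shannon_entropy(f.read())


def flag_high_entropy_files(paths: List[str], threshold: float = 7.0) -> List[str]:
    """Files whose content now looks encrypted, regardless of which process
    (or whether any process, as far as I/O accounting can tell) changed them."""
    return [p for p in paths if entropy_of_file(p) >= threshold]


def rewrite_through_mapping(path: str, new_content: bytes) -> None:
    """Replace a file's bytes through a shared memory mapping.

    The process issues no write() call: it stores into mapped pages, which
    become dirty and are flushed later by the kernel (on Windows, by the Cache
    Manager's lazy writer running as the System process). Counting this
    process's file writes therefore shows nothing, while the file still changes."""
    if len(new_content) != os.path.getsize(path):
        raise ValueError("mapping rewrite must keep the file size")
    with open(path, "r+b") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_WRITE) as mm:
            mm[:] = new_content
            mm.flush()


def demo() -> Dict[str, float]:
    """Constructed scenario: a low-entropy document is rewritten through a
    mapping with a uniform byte distribution. Returns the entropy before and
    after, and whether the content check flagged the file (1.0) or not (0.0)."""
    with tempfile.TemporaryDirectory() as tmp:
        doc = os.path.join(tmp, "quarterly.txt")
        original = b"Quarterly figures, see attached table.\n" * 100
        with open(doc, "wb") as f:
            f.write(original)
        before = entropy_of_file(doc)
        flagged_before = len(flag_high_entropy_files([doc]))

        # Uniform byte pattern of exactly the original length (constructed).
        pattern = bytes(range(256))
        replacement = (pattern * (len(original) // 256 + 1))[: len(original)]
        rewrite_through_mapping(doc, replacement)
        after = entropy_of_file(doc)
        flagged_after = len(flag_high_entropy_files([doc]))
    return {"before": before, "after": after,
            "flagged_before": float(flagged_before), "flagged_after": float(flagged_after)}


if __name__ == "__main__":
    print(demo())
```

Entropy is a blunt signal on its own (compressed archives and media already sit near 8 bits per byte), so in practice it is combined with a per-file baseline or with the extension and magic-byte mismatches that follow an encryption pass; the point here is only that the signal comes from the data, not from attributing I/O to a process.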

Prevention is the best defense

With all of these innovations in such a short period of time, it’s not hard to see why ransomware has been going through a renaissance. At the root of many, if not most, ransomware infections is the core issue that plagues so many organizations: a lack of due diligence and effort towards reducing the attack surface available to malware. We’ve summed up many of these in the related article Ransomware attacks from the victim’s perspective.

If you work in IT security, your organization is relying on you to close the most obvious loopholes and back doors into the network. Basic PC hygiene, including installing all the latest patches, shutting down Remote Desktop entirely (or putting it behind a VPN), and applying multifactor authentication to services hosting the most sensitive data in the organization, covers just some of the fundamental steps you can take to protect yourself and your network today. If endpoint protection tools are the metaphorical net below the high-wire act, applying patches and closing unnecessary holes in the firewall are the daily practice routines that will keep you out of the net when it matters most.
