LockBit ransomware borrows tricks to keep up with REvil and Maze – Sophos News

Ransomware operators are always on the lookout for a way to take their ransomware to the next level. That’s particularly true of the gang behind LockBit. Following the lead of the Maze and REvil ransomware crime rings, LockBit’s operators are now threatening to leak the data of their victims in order to extort payment. And the ransomware itself also includes a number of technical improvements that show LockBit’s developers are climbing the ransomware learning curve—and have developed an interesting technique to circumvent Windows’ User Account Control (UAC).

Because of recent dynamics in the ransomware world, we suspect that this privilege-escalation technique will pop up in other ransomware families in the future. We’ve seen a surge in “imposter” ransomware that are essentially rebranded variants of already-existing ransomware. Not a single day goes by where a new brand of ransomware does not come out. It has become surprisingly easy to clone ransomware and release it, with small modifications, under a different umbrella.

The Ransomware Learning Curve

Before we jump into the synopsis of LockBit, let’s take a moment to look at how ransomware is developed, in general. Many families follow a common timeline when it comes to the techniques and procedures ransomware developers implement at each stage. This appears to stem from the learning curve involved in creating ransomware, and the iteration of the malware as the developer builds his or her related knowledge of the malware craft.

Each ransomware seems to have an “infancy phase,” where the developer implements TTPs hastily just so the “product” can come out and start gaining its reputation. In this phase, the simplest ideas are implemented first: strings are usually plain text, the encryption is implemented so that only a single thread is used, and LanguageID checks are in place to avoid encrypting computers in CIS countries and so avoid attracting unwanted attention from CIS law enforcement agencies.

After about 2 months into the ransomware operation, the developer starts implementing more sophisticated elements. They may introduce multi-threading, establish a presence in underground forums, obfuscate or encrypt strings in the binary, and there is usually a skip list/kill list for services and processes.

Around 4 months into the ransomware’s life, we start seeing things get more serious. The business model may now switch to Ransomware as a Service (RaaS), putting an Affiliate program in place. Oftentimes, binaries are cryptographically signed with valid, stolen certificates. There is a possibility that the ransomware developer starts implementing UAC bypasses at this stage. This appears to be the stage the LockBit group is entering.

Advertising the goods

As with most ransomware, LockBit maintains a forum topic on a well-known underground web board to promote their product. Ransomware operators maintain a forum presence mainly to advertise the ransomware, discuss customer inquiries and bugs, and to advertise an affiliate program through which other criminals can lease components of the ransomware code to build their own ransomware and infrastructure.

In January, LockBit’s operators created a new thread in the web board’s marketplace forum, announcing the “LockBit Cryptolocker Affiliate Program” and advertising the capabilities of their malware. The post claims that the new version had been in development since September of 2019, and emphasizes the performance of the encryptor and its lower use of system resources to prevent its detection.

A forum post announcing LockBit’s affiliate program.

LockBit’s post indicates that “we do not work in the CIS,” meaning that the ransomware will not target victims in Russia and other Commonwealth of Independent States countries. This comes as no surprise—as we have seen previously, CIS authorities don’t bother investigating these groups unless they are operating against targets in their area of jurisdiction.

That does not mean that the LockBit group won’t do business with other CIS-based gangs. In fact, they won’t work with English-speaking developers without a Russian-speaking “guarantor” to vouch for them.

Escalating the extortion

In this most recent evolution of LockBit, the malware now drops a ransom note that threatens to leak data the malware has stolen from victims: “!!! We also download huge amount of your private data, including finance information, clients personal info, network diagrams, passwords and so on. Don’t forget about GDPR.”

LockBit ransom note

If the threat were to be carried out, it might result in real-world sanctions against the ransomware victims from regulators or privacy authorities—for example, for violating the European Union’s General Data Privacy Rules (GDPR) that make companies responsible for securing sensitive customer data in their possession.

An increasing number of ransomware gangs use extortion that threatens the release of private data, which might include sensitive customer information, trade secrets, or embarrassing correspondence to incentivize victims to pay the ransom, even if they have backups that prevented data loss. The data leak threat has become a signature of the REvil and Maze ransomware gangs; the Maze group has gone as far as to publicly publish chunks of data from victims who fail to pay by the deadline, taking down the dumps when they are finally paid.

Picking through LockBit’s code

From a first glance at the recent LockBit sample with a reverse-engineering tool, we can tell that the program was written primarily in C++ with some additions made in Assembler. For example, a few anti-debug checks read the PEB (Process Environment Block) through fs:[30h] and test its BeingDebugged flag directly, instead of calling IsDebuggerPresent().

The first thing the ransomware does at execution is to check whether the sample was started with any parameters on the command line. Usually, this is done to determine whether the sample is running in a sandbox environment: contemporary malware often requires specific command-line parameters so that an automated sandbox, which typically executes samples without parameters, cannot analyze it. But the LockBit sample we examined does the opposite: it won’t execute if any parameter is passed on the command line. If there are no arguments in the command that executes it, LockBit hides its console output, where the malware prints debug messages, and proceeds to do its job.

The command-line parameter checker in LockBit halts the ransomware if there’s any parameter passed.

This could be intended to detect if the sample was executed in a sandbox environment. But it’s possible that either the malware author made a mistake in the implementation of the check (and wanted to check the other way around), or that this behavior is just a placeholder, and future versions will introduce different logic.

Hiding strings

LockBit’s author also used several techniques to make it more difficult to reconstruct the code behind it. The Portable Executable (PE) binary shows signs of being heavily optimized, as well as some efforts by the group to cover their coding tracks—or at least get rid of some of the low-hanging fruit that reverse engineering tools look for, such as unencrypted text strings.

Those heavy optimizations also increase LockBit’s performance. The binary makes heavy use of Intel’s SSE instruction set and architecture-specific features to boost its speed. That includes the use of multiple XMM registers to store and decrypt the service names, process names and other strings used to interact with the operating system that are unique to the ransomware.

Xmmword registers store encrypted LockBit strings

These string variables get decrypted on the fly with a 1-byte XOR key unique to each string: the first hex byte of every variable.

Almost all the functions contain a small routine that loops around and is in charge of decrypting hidden strings. In this case, we can see how the original MSSQLServerADHelper100 service name gets de-obfuscated: the malware applies the one-byte XOR key 0x0A to recover the plaintext service name.

Deobfuscating service names in the source
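The decoding routine above is simple enough to reproduce for string recovery during analysis. The following Python is an added example written for this page, not code from Sophos or from the LockBit binary: it implements the scheme the text describes (the first byte of each blob is the one-byte XOR key, the remaining bytes are the string XORed with that key) and checks it against a blob constructed by encoding MSSQLServerADHelper100 with key 0x0A. Stopping at the first NUL of the decoded payload is an assumption about how the strings are terminated, not something the analysis states.

```python
# Added example for this page, not Sophos' code and not code from the LockBit
# binary: a reference implementation of the string obfuscation the analysis
# describes, where the first byte of each blob is a one-byte XOR key and the
# remaining bytes are the string XORed with that key.

# Constructed sample: "MSSQLServerADHelper100" encoded with key 0x0A, the
# service name and key shown in the analysis.
SAMPLE_BLOB = bytes.fromhex("0a4759595b46596f787c6f784b4e426f667a6f783b3a3a")


def xor_encode(plaintext: str, key: int) -> bytes:
    """Build a blob in the described layout: key byte first, then payload XOR key."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes([key]) + bytes(b ^ key for b in plaintext.encode("ascii"))


def xor_decode(blob: bytes) -> str:
    """Recover the plaintext from a blob whose first byte is the XOR key.

    Assumption (not stated in the analysis): the decoded string is
    NUL-terminated, so anything after the first 0x00 is padding and dropped.
    """
    if len(blob) < 2:
        raise ValueError("blob needs a key byte and at least one payload byte")
    key = blob[0]
    payload = bytes(b ^ key for b in blob[1:])
    return payload.split(b"\x00", 1)[0].decode("ascii")


def decode_table(blobs):
    """Decode a list of blobs, keeping each per-string key beside its plaintext."""
    return [(blob[0], xor_decode(blob)) for blob in blobs]


if __name__ == "__main__":
    # The second blob is constructed here with a different key to show that
    # the key travels with each string rather than being global.
    for key, text in decode_table([SAMPLE_BLOB, xor_encode("sophos", 0x5C)]):
        print(f"key=0x{key:02X} -> {text}")
```

Because the key is the first byte of every blob, an analyst does not need to locate a global key: each string carries its own, which is why a single short loop is enough to recover all of them.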

Check your privilege

To ensure that it can do the most damage possible, LockBit has a procedure to check whether its process has Administrator privileges. And if it doesn’t, it uses a technique that is growing in popularity among malware developers: a Windows User Account Control (UAC) bypass.

Leveraging OpenProcessToken, it queries the current process via a TOKEN_QUERY access mask. After that, it calls CreateWellKnownSid to create a user security identifier (SID) that matches the administrator group (WinBuiltinAdministratorsSid), so now the malware has a reference it can use for comparisons. Finally, it checks whether the current process privileges are sufficient for Administrator rights, with a call to CheckTokenMembership.

Checking Administrator SID against the current process’ SID

If the current process does not have Admin privileges, the ransomware tries to sidestep Windows UAC with a bypass. In order for that to succeed, a Windows COM object needs to auto-elevate to Admin-level access first.

To make this possible, LockBit calls a procedure called supMasqueradeProcess upon process initialization. Using supMasqueradeProcess allows LockBit to conceal its process’ information by injecting into a process running in a trusted directory. And what better target is there for that than explorer.exe?

The source code for the masquerade procedure can be found in a GitHub repository.

LockBit “masquerades” as explorer.exe

With the use of IDA Pro’s COM helper tool, we see two CLSIDs—globally unique identifiers that identify COM class objects—that LockBit’s code references. CLSIDs, represented as 128-bit hexadecimal numbers within a pair of curly braces, are stored under the Registry path HKEY_LOCAL_MACHINE\Software\Classes\CLSID.

CLSIDs recognized by IDA.

Looking these up reveals that the two CLSIDs belong to IColorDataProxy and ICMLuaUtil—both undocumented COM interfaces that are prone to UAC bypass.

CMSTPLUA          {3E5FC7F9-9A51-4367-9063-A120244FBEC7}   ..\system32\cmstplua.dll
Color Management  {D2E7041B-2927-42fb-8E9F-7CE93B6DC937}   ..\system32\colorui.dll


Masquerading as explorer.exe, LockBit calls CoInitializeEx to initialize the COM library, with the COINIT_MULTITHREADED and COINIT_DISABLE_OLE1DDE flags to set the concurrency model. The CLSID values are then moved onto the stack, where the next function call (lockbit.413980) uses them.

UAC bypass step 1


UAC bypass step 2


Lockbit.413980 hosts the COM elevation moniker, which allows applications that are running under user account control (UAC) to activate COM classes (via the following format: Elevation:Administrator!new:{guid} ) with elevated privileges.

The malware adds the two previously seen CLSIDs to the moniker and executes them.

The COM Elevation Moniker in use.


Now, the privilege has been successfully elevated with the UAC bypass and the control flow is passed back to the ransomware. We also notice two events and a registry key change during the execution:

C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}
Key: Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration
Value: DisplayCalibrator

Kill or skip

LockBit enumerates the currently running processes and started services via the API calls CreateToolhelp32Snapshot, Process32First, Process32Next and finally OpenProcess, and compares the names against an internal service and process list. If a process name matches an entry on the list, LockBit will attempt to terminate it via TerminateProcess.

The procedure to kill a service is a bit different. The malware first connects to the Service Control Manager via OpenSCManagerA. It then checks whether a service from the list exists via OpenServiceA. If the targeted service is present, it determines its state by calling QueryServiceStatusEx. Based on the status returned, it calls ControlService with the parameter SERVICE_CONTROL_STOP (0x00000001) on the specific service to stop it. But before that, another function (0x40F310) enumerates all services that depend on the target service, so the dependencies are stopped too. The malware calls EnumDependentServicesA to achieve this.

Hardcoded service names being checked against running services

The services that the malware tries to stop include anti-virus software (to avoid detection) and backup solution services. (Sophos is not affected by this attempt.) Other services are stopped because they might lock files on the disk, and might make it more difficult for the ransomware to easily acquire handles to files—stopping them improves LockBit’s effectiveness.

Some of the services of note that the ransomware attempts to stop, in the order they are coded into the ransomware, are:

Service name                  Description
DefWatch                      Symantec Defwatch
ccEvtMgr                      Norton AntiVirus Event Manager Service
ccSetMgr                      Symantec Common Client Settings Manager Service
SavRoam                       Symantec AntiVirus suite
RTVscan                       Symantec AntiVirus
QBFCService                   QuickBooks accounting software
QBIDPService                  QuickBooks for Windows by Intuit, Inc.
Intuit.QuickBooks.FCS         QuickBooks for Windows by Intuit, Inc.
QBCFMonitorService            QuickBooks for Windows by Intuit, Inc.
YooBackup                     Wooxo Backup
YooIT                         Wooxo Backup
zhudongfangyu                 360 by Qihoo 360 Deep Scan
sophos                        Sophos
stc_raw_agent                 STC Raw Backup Agent
VSNAPVSS                      StorageCraft Volume Snapshot VSS Provider
VeeamTransportSvc             Veeam Backup Transport Service
VeeamDeploymentService        Veeam Deployment Service
VeeamNFSSvc                   Veeam Backup and Replication Service
veeam                         Veeam
PDVFSService                  Veritas Backup Exec PureDisk Filesystem
BackupExecVSSProvider         Veritas Backup Exec VSS Provider
BackupExecAgentAccelerator    Veritas Backup Exec Agent Accelerator
BackupExecAgentBrowser        Veritas Backup Exec Agent Browser
BackupExecDiveciMediaService  Veritas Backup Exec Media Service
BackupExecJobEngine           Veritas Backup Exec Job Engine
BackupExecManagementService   Veritas Backup Exec Management Service
BackupExecRPCService          Veritas Backup Exec RPC Service
AcrSch2Svc                    Acronis Scheduler Service
AcronisAgent                  Acronis Agent
CASAD2DWebSvc                 Arcserve UDP Agent service
CAARCUpdateSvc                Arcserve UDP Update service

In addition to the list of services to kill, LockBit also carries a list of things not to encrypt, including certain folders, specific files and files with certain extensions that are important to the operating system, since disabling the operating system would make it difficult for the victim to receive and act upon the ransom note. These are stored in obfuscated lists within the code (shown below). A function within LockBit uses the FindFirstFileExW and FindNextFileW API calls to read through the file names and folder names on the targeted disk, and then a simple lstrcmpiW call compares each name against the hardcoded list.


Accelerating file encryption

Recently, we have seen ransomware groups taking more advanced concepts and applying them to their craft. One of these advanced concepts applied in LockBit is the use of Input/Output Completion Ports (IOCPs).

IOCPs are a model in which a queue of completed asynchronous I/O requests is serviced by a small pool of threads. They allow a process to handle many concurrent asynchronous I/O operations quickly and efficiently, without creating a new thread for each I/O request.

That capability makes them well-suited to ransomware, whose sole purpose is to encrypt as many of the victim’s files as possible, rendering the user’s data useless. REvil (Sodinokibi) ransomware also uses IOCPs to achieve higher encryption performance.

LockBit’s aim was to be much faster than any other multi-threaded locker. The group behind the ransomware claims to have used the following methods to boost the performance of their file encryption:

  • Open files with the FILE_FLAG_NO_BUFFERING flag, write by sector size
  • Transfer work with files to Native API
  • Use asynchronous file I/O
  • Use I/O port completion
  • Pass control to the kernel yourself, google KiFastSystemCall

Once a file is marked for encryption—meaning, it did not match entries on the skip-list—a LockBit routine checks whether the file already has a .lockbit extension. If it does not, it encrypts the file and appends the .lockbit extension to the end of the filename.

LockBit relies on LoadLibraryA and GetProcAddress to load bcrypt.dll and import the BCryptGenRandom function. If the malware successfully imports that DLL, it passes the BCRYPT_USE_SYSTEM_PREFERRED_RNG flag, which selects the system-preferred random number generator. If loading bcrypt.dll fails, it falls back to CryptAcquireContextW and CryptGenRandom with the Microsoft Base Cryptographic Provider v1.0, generating 32 bytes of random data to use as a seed.

BCryptGenRandom in use

Also, at this stage, the hardcoded ransom note, Restore-My-Files.txt, gets de-obfuscated and the ransomware drops the .txt file in every directory that contains at least one encrypted file.

Victim ID

LockBit creates two registry keys with key blobs as values under the following registry hive: HKEY_CURRENT_USER\Software\LockBit

The two registry keys are:


These registry keys correlate with the Victim ID, file markers, and the unique TOR URL ID that LockBit builds for each system it takes down.

Let’s take the unique TOR URL from the ransom note:

LockBit ransom note

In this example, the 16-byte unique ID is at the end of the URL, http://lockbitks2tvnmwk[.]onion/?A0C155001DD0CB01AE0692717A2DB14A:

The file marker (0x10 bytes long) is divided into two sections:


The first 8 bytes of the file marker match the first 8 bytes of the unique TOR URL ID.


The second 8 bytes are the same for all encrypted files in a given run.

The value of the full registry key (0x500 bytes long, starting with 1A443C7179498278B40DC082FCF8DE26… in this example) is also present in every encrypted file, just before the file marker.

LockBit registry keys (full and Public) that are related to the victim machine.

Share enumeration

For a successful ransomware hit and run, the goal is to encrypt as many files as possible. So naturally, LockBit scans for network shares and other attached drives with the help of the following API calls.

First, the malware enumerates the available drive letters with a call to GetLogicalDrives, then it cycles through the found drives and uses a call to GetDriveTypeW to determine whether the drive letters it finds are network shares by comparing the result with 0x4 (DRIVE_REMOTE).

Once it finds a networked drive, it calls WNetGetConnectionW to get the name of the share, then recursively enumerates all the folders and files on the share using the WNetOpenEnumW, WNetEnumResourceW API calls.

The ransomware can also enter network shares that might require user credentials. LockBit uses the WNetAddConnection2W API call with parameters lpUserName = 0 and lpPassword = 0, which (counterintuitively) transmits the username and password of the current, logged in user to connect to the given share. Then it can enumerate the share using the NetShareEnum API call.

Enumeration of attached, remote drives

Don’t quit just yet

In an attempt to ensure that LockBit would not be kept from finishing its job by a system shutdown, the developers of this ransomware implemented a small routine that calls ShutdownBlockReasonCreate.

The developers didn’t try to conceal the ransomware as the cause of the shutdown block: the ransomware sets the message for blocking shutdown as LockBit Ransom. Computer users would also see the message LockBit Ransom under the process’ name.

SetProcessShutdownParameters is also called to set the shutdown order level of the ransomware’s process to 0, the lowest level, so that the ransomware’s parent process will be active as long as it can, before a shutdown terminates the process.

If the system is shut down, the malware also has the capability to persist after a reboot. LockBit creates a registry value called XO1XADpO01 under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to restart itself.

Placing a persistence Run key in registry

Stop me if you’ve heard this before

LockBit prevents multiple ransomware instances on a single system by way of a hardcoded mutex: Global\{BEF590BE-11A6-442A-A85B-656C1081E04C}. Before LockBit starts encrypting, the ransomware checks that the mutex does not already exist by calling OpenMutexA, and calls ExitProcess if it does.

As soon as the ransomware is mapped into memory and the encryption process finishes, the sample will execute the following command to maintain a stealthy operation:

  • exe /C ping -n 22 > Nul & "%s" (earlier version of LockBit)
  • exe /C ping -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "%s" & Del /f /q "%s" (recent version of LockBit)

The ping command at the front is used because the sample can’t delete itself while it is still running: the executable file is locked. The ping delay gives the process time to exit; once ping terminates, the rest of the command can delete the executable.

We clearly see an evolution to the applied technique here: in the earlier versions, the sample was missing a Del procedure at the end, so the ransomware would not delete itself.

In the recent version, the crooks decided to use fsutil to zero out the initial binary, perhaps to throw off forensic analysis efforts. After the file is zeroed out, the now-empty file is deleted as well, making sure the malware is not forensically recoverable.
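As an added example for this page (not Sophos code, and based only on the artifacts quoted in the text), the Python below turns the host-visible traces described in the UAC-bypass, persistence, mutex, ransom-note and self-deletion sections into a small triage routine over constructed telemetry. The telemetry format (type|key=value|...) is invented for the example, the file paths and user name are constructed, and the use of cmd.exe as the host for the self-deletion command line is an assumption; the CLSIDs, registry keys and values, mutex name and note filename are those listed on this page.

```python
import re

# Constructed telemetry in an invented "type|key=value|key=value" format (no
# real product's log layout). Paths and the user name are made up, and using
# cmd.exe to host the self-deletion command line is an assumption; the CLSIDs,
# registry keys/values, mutex name and note filename are from the analysis.
SAMPLE_EVENTS = [
    r"process|image=C:\WINDOWS\SysWOW64\DllHost.exe|cmdline=C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
    r"process|image=C:\WINDOWS\SysWOW64\DllHost.exe|cmdline=C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{D2E7041B-2927-42fb-8E9F-7CE93B6DC937}",
    r"registry|key=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|value=XO1XADpO01",
    r"registry|key=Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration|value=DisplayCalibrator",
    r"mutex|name=Global\{BEF590BE-11A6-442A-A85B-656C1081E04C}",
    r'process|image=C:\WINDOWS\System32\cmd.exe|cmdline=cmd.exe /C ping -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\victim\Downloads\sample.exe" & Del /f /q "C:\Users\victim\Downloads\sample.exe"',
    r"file|path=C:\Users\victim\Documents\Restore-My-Files.txt",
    r"process|image=C:\WINDOWS\System32\notepad.exe|cmdline=notepad.exe report.txt",
]

# COM classes the analysis saw hosted by DllHost.exe during the UAC bypass.
UAC_BYPASS_CLSIDS = {
    "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",  # CMSTPLUA (ICMLuaUtil)
    "{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}",  # Color Management (IColorDataProxy)
}
MUTEX_NAME = r"Global\{BEF590BE-11A6-442A-A85B-656C1081E04C}"
RUN_VALUE = "XO1XADpO01"
NOTE_NAME = "restore-my-files.txt"
CLSID_RE = re.compile(r"/Processid:(\{[0-9A-F-]{36}\})", re.IGNORECASE)
# "fsutil file setZeroData ... & Del ..." is the recent self-deletion one-liner.
SELF_DELETE_RE = re.compile(r"fsutil\s+file\s+setZeroData\b.*\bdel\b", re.IGNORECASE)

# The Run value and note name are shared with Phobos (per the text), so only
# these three count as strong, LockBit-specific signals.
STRONG_RULES = {"uac_bypass_com_surrogate", "lockbit_mutex", "self_delete_fsutil_zero"}


def parse_event(line):
    """Split one constructed telemetry line into a dict keyed by field name."""
    kind, *fields = line.split("|")
    event = {"type": kind}
    for field in fields:
        key, _, value = field.partition("=")  # values may themselves contain '='
        event[key] = value
    return event


def match_rules(event):
    """Return the names of the indicators a single event satisfies."""
    hits = []
    kind = event["type"]
    if kind == "process":
        image = event.get("image", "").lower()
        cmdline = event.get("cmdline", "")
        found = CLSID_RE.search(cmdline)
        if image.endswith("\\dllhost.exe") and found and found.group(1).upper() in UAC_BYPASS_CLSIDS:
            hits.append("uac_bypass_com_surrogate")
        if SELF_DELETE_RE.search(cmdline):
            hits.append("self_delete_fsutil_zero")
    elif kind == "registry":
        key = event.get("key", "").lower()
        value = event.get("value", "")
        if key.endswith("\\currentversion\\run") and value == RUN_VALUE:
            hits.append("run_key_xo1xadpo01")
        if key.endswith("\\icm\\calibration") and value == "DisplayCalibrator":
            hits.append("icm_calibration_displaycalibrator")
    elif kind == "mutex":
        if event.get("name", "") == MUTEX_NAME:
            hits.append("lockbit_mutex")
    elif kind == "file":
        if event.get("path", "").rsplit("\\", 1)[-1].lower() == NOTE_NAME:
            hits.append("ransom_note_restore_my_files")
    return hits


def triage(lines):
    """Score a batch of telemetry lines and return findings plus a verdict."""
    findings = [(rule, line) for line in lines for rule in match_rules(parse_event(line))]
    rules = {rule for rule, _ in findings}
    if len(rules & STRONG_RULES) >= 2:
        verdict = "lockbit_likely"
    elif rules:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"findings": findings, "rules": sorted(rules), "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for rule, line in result["findings"]:
        print(f"{rule:36s} {line[:70]}")
    print("verdict:", result["verdict"])
```

Because the Run value XO1XADpO01 and the note name Restore-My-Files.txt are also seen with Phobos, as the text notes, the verdict treats them only as corroborating signals and requires two of the stronger indicators (the mutex, the COM-surrogate CLSIDs, the fsutil zeroing command) before calling the activity LockBit-like; a lone DllHost.exe launch with one of these CLSIDs is still worth a look, but on its own it only rates "suspicious".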

Language matters

As we noted earlier, LockBit’s developers wanted to avoid having their ransomware hit victims in Commonwealth of Independent States (CIS) countries. The mechanism used by the ransomware to achieve this calls GetUserDefaultLangID and looks for specific language identifier constants in the region format setting for the current user. If the current user’s language setting matches any of the values below, the ransomware exits and does not start the encryption routine.

If your computer’s UserDefaultLangId is set to one of these values, LockBit does no damage

Changing the wallpaper

To get the affected user’s attention, the malware (as is typical) creates and displays a ransom note wallpaper. A set of API calls are involved in this process, listed below.

The created wallpaper gets stored under %APPDATA%\Local\Temp\A7D8.tmp.bmp.

In the meantime, the malware also sets a few registry keys so that the wallpaper is not tiled, and the image is stretched out to fill the screen:

HKEY_CURRENT_USER\Control Panel\Desktop

  • TileWallpaper=0 – (No tile)
  • WallpaperStyle=2 – (Stretch and fill)

Wallpaper used by a previous version of LockBit

Wallpaper set by a recent version of LockBit

Stack Exchange for crooks

LockBit leverages a very similar service-list to MedusaLocker ransomware. It comes as no surprise that crooks copy these lists, so they don’t have to reinvent the wheel.

The Registry run value and ransom note filename that LockBit writes, XO1XADpO01 and Restore-My-Files.txt, were also seen being used by Phobos, and by a Phobos imposter ransomware. This would suggest that there is a connection between these families, but without further evidence that is hard to justify.

The future for LockBit

A recent Twitter post demonstrates what the future looks like for LockBit. In a recent LockBit attack, the MBR was overwritten with roughly 2000 bytes; the infected machine would not boot up unless a password was supplied. The hash of this sample is currently not known.


The e-mail used for extortion, [email protected], was also seen with STOP ransomware—an uncanny connection. The group behind it might be related.

There is also speculation that the application DiskCryptor was combined with the ransomware to add this extra lockdown layer. The MAMBA ransomware also used this technique, leveraging DiskCryptor to lock the victim machine. DiskCryptor is currently detected as AppC/DCrpt-Gen by Sophos Anti-Virus.

A list of the indicators of compromise (IoCs) for this post has been published to the SophosLabs GitHub.


The author would like to acknowledge the public contributions of @demonslay335 and @hfiref0x.

A Productive Transformation of NGFW Over the Dedicated IPS

If there is one thing that analysts and pundits can predict to a great degree of certainty, it is that cyberattacks will continue to rise, becoming a major global threat to businesses. Given that what’s at stake is not just critical customer data, but also the enterprise’s revenue and brand reputation – not to mention hefty penalties stemming from regulators should their networks be compromised – it is imperative that enterprises use every bit of security technology available to prevent the possibility of a network breach.

The challenge is that implementing an effective and consistent security strategy is increasingly difficult to achieve and maintain. The erosion of traditional perimeter boundaries, the expansion of cloud adoption, and the growth of mobile and IoT devices has led to increasingly complex network architectures where traditional tools like dedicated IPS devices are falling short on delivering security value.

The Pitfalls of Dedicated IPS Solutions

Traditional IPS solutions were designed for a single purpose: deep packet inspection of traffic to proactively identify and block malicious content. That myopic focus led to IPS systems becoming a point solution with very little integration and few automation capabilities beyond their traditional use case. With limited innovation, IPS systems have failed to evolve fast enough to address the challenges being posed by today’s evolving threats and network landscape. Compounding the challenges facing dedicated IPS solutions even further, digital transformation around security tool consolidation has caught IPS products unprepared to adapt. Enterprises that want visibility, flexibility and scalability also want to manage their portfolio through a single pane of glass for ease of use and to simplify deployments, and this function is missing in single point IPS products.

IPS has long relied on the presumption that other technologies would not be able to deliver the same capabilities with similar performance. As a result, very little development in the standalone IPS space has taken place for some time. This vacuum of innovation has led ancillary products, like Next-Generation Firewalls, to offer integrated IPS capabilities in addition to their core functions as an add-on.

This led to a decline in the market for dedicated IPS appliances, since enterprises could simplify deployment and management by simply enabling IPS functionality within their existing or upgraded network firewalls. They could manage their entire security policy – from adding application awareness and control to their firewall functionality, to deploying and managing things like IPS and VPN, all through a single network appliance. This was a great solution for enterprise security teams starved of resources and struggling with a shortage of skilled staff.

It’s Not a Battle of Equals Among NGFWs Providing an IPS Solution

What most organizations, and vendors, forgot was that one of the things that dedicated IPS appliances did fairly well was provide deep inspection of encrypted traffic. Of course, that functionality came at a pretty steep cost. But by moving IPS functions to an integrated NGFW system, that functionality has been all but lost.

That’s because most traditional NGFW vendors rely on a generic Intel-based compute architecture that was simply never designed to meet the performance requirements of inspecting encrypted data. But today, as more and more network traffic is encrypted – according to the Google Transparency Report, between 87% and 97% of internet traffic is now encrypted, while the volume of malware using encryption is also increasing at a breakneck pace – the limited performance capacity of NGFW devices running IPS as an add-on comes at a significant cost of performance vs security. In fact, performance numbers are so low that most security vendors refuse to even publish them.

Even worse, turning on more IPS signatures to inspect the growing volume of encrypted traffic also results in the serious deterioration of the performance of the firewall, along with other functions critical to the network firewall. As a result, organizations are faced with the devil’s choice of not inspecting encrypted traffic, or turning off SSL and passing critical data through the firewall unencrypted. As a result, enterprises are struggling with how to balance security with performance, and whether the high expense of a dedicated IPS or a slow NGFW that includes IPS is a better fit.

Why Fortinet’s FortiGate Offers the Best of Breed IPS Solution

Fortunately, those aren’t the only choices available to organizations. Fortinet enables organizations to achieve a security-driven network with the highest-performing firewalls, innovative product portfolio, and deep integration with the Security Fabric and trusted partners to reduce complexity and protect the entire network from sophisticated threats. This includes the highest performing IPS solution of any NGFW in the industry – in fact, 20X faster than the industry average.

The FortiGate security platform, with its purpose-built hardware, leverages the superior performance provided by its dedicated security processors and network processors to deliver high IPS performance without impacting the flow of network traffic. Because FortiGate products deliver very high IPS inspection with very low latency, they have a unique advantage over other NGFW vendors who struggle with performance once their IPS functions are turned on. FortiGate products not only offer better protection per Mbps of inspection than traditional dedicated IPS, but also offer additional capabilities which are missing in other IPS products available in the market.

FortiGate NGFWs, with their unique hardware design and architecture, have a proven track record of being successfully deployed as dedicated IPS solutions. Enterprises can realize the dual benefits of managing both their FortiGate network firewall and FortiGate IPS through a single pane of glass to leverage consistent security and policy management across their entire infrastructure, whether deployed in the data center, core network, branch office, or in a public or private cloud environment.

The other critical component that differentiates Fortinet from dedicated IPS vendors as well as other NGFW vendors competing in this space is our unmatched threat intelligence delivered by FortiGuard Labs. FortiGuard Labs collects, correlates, and delivers real-time intelligence on the threat landscape, providing comprehensive and actionable security updates across the full range of threats. This enables enterprises to prevent, detect, and mitigate advanced attacks automatically with the integrated, AI-driven breach prevention and advanced threat protection services from FortiGuard Labs. With over 14,000 IPS signatures and real-time updates, Fortinet’s IPS solution enables enterprises to respond to the latest threats faster, while offering complete protection for known, unknown, and zero-day threats.

For more details on how the FortiGate IPS offers a replacement strategy for existing dedicated IPS download a copy of our whitepaper.

Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.

3 reasons to use Yubico Authenticator on desktop computers

Did you know that the Yubico Authenticator app is available for desktops as well as mobile devices? Today, we are excited to announce the support of the Yubico Authenticator desktop versions on their respective platform stores (Mac App Store, Microsoft and Snapcraft). 

Achieving strong protection with authenticator apps  

Authentication mechanisms today need to be highly secure, usable and portable, and these are the exact same principles we used to build Yubico Authenticator. Similar to other authenticator apps, Yubico Authenticator generates a one-time code used to verify your identity as you’re logging into various services. However, unlike other authenticator apps, the secrets are stored in the YubiKey rather than in the app itself, making it necessary for a user’s YubiKey to be physically present to receive the time-based codes. 

Because secrets are stored on your YubiKey, if you change phones or laptops, there is no porting or re-registering of accounts required, regardless of operating system. Furthermore, the secrets cannot be stolen from the hardware key. 
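To make concrete what "time-based codes" means, here is an added example written for this page, not Yubico's code and not how the YubiKey is implemented internally. It computes HOTP/TOTP in software from a shared secret so you can see that whoever holds `secret` can produce the codes, which is the reason the post stresses keeping that secret on the token rather than in the app. It also parses the `otpauth://` key URI that enrolment QR codes commonly carry (the URI layout and the `parse_otpauth` helper are assumptions), and the sample URI uses the RFC 6238 test secret, so the outputs can be checked against the RFC's test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the big-endian 8-byte counter, dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algo=hashlib.sha1):
    """TOTP (RFC 6238): HOTP whose counter is the number of `period`-second
    steps since the Unix epoch. `at` is a Unix timestamp; default is now."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // period, digits, algo)


def verify(secret, code, at=None, window=1, period=30, digits=6, algo=hashlib.sha1):
    """Server-side check: accept the code for the current step and `window`
    steps either side (clock drift), comparing in constant time."""
    at = int(time.time()) if at is None else at
    return any(
        hmac.compare_digest(totp(secret, at + k * period, period, digits, algo), code)
        for k in range(-window, window + 1)
    )


def parse_otpauth(uri):
    """Pull enrolment parameters out of an otpauth:// key URI, the text a
    service's setup QR code encodes (assumed layout:
    otpauth://totp/LABEL?secret=BASE32&issuer=...&digits=6&period=30&algorithm=SHA1)."""
    parts = urllib.parse.urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = dict(urllib.parse.parse_qsl(parts.query))
    b32 = q["secret"].replace(" ", "").upper()
    return {
        "label": urllib.parse.unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(b32 + "=" * (-len(b32) % 8)),  # restore padding
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algo": HASHES[q.get("algorithm", "SHA1").upper()],
    }


# Constructed enrolment URI carrying the RFC 6238 test secret "12345678901234567890".
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    acct = parse_otpauth(SAMPLE_URI)
    print(acct["label"], totp(acct["secret"], at=59, period=acct["period"],
                              digits=acct["digits"], algo=acct["algo"]))  # 287082
```

The `window` argument in `verify` is the usual trade-off: a wider window tolerates more clock drift on the token but also lengthens how long a captured code stays valid, so keep it at one step either side unless you have a measured reason not to.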

Yubico Authenticator advantages for desktop users

With recent availability of Yubico Authenticator on the Mac, Windows, and Linux app stores, we are able to seamlessly deliver the same security, portability and usability benefits of the product to desktop users. Besides simplifying and accelerating the authentication experience across many services and platforms, Yubico Authenticator for desktop carries specific advantages. It enables two-factor authentication (2FA) across unique environments including: 

Desktop VPN authentication 

Yubico Authenticator for desktop enables seamless VPN integrations by generating one-time codes with desktop VPN clients such as Cisco Anyconnect, Pulse Secure, or AuthLite. With the recent influx of remote workers, this is particularly useful in helping to secure employees who are working from home. 

Mobile-restricted environments 

Not all corporate setups allow for the use of mobile devices, making it impossible to use mobile-based authentication methods such as SMS or authenticator apps. Since Yubico Authenticator stores secrets on the YubiKey, users are able to replicate the same time-based codes that would be on a mobile device, on the desktop. This is particularly advantageous for corporate setups where mobile devices are restricted, such as call centers or doctor’s shared devices. 

Multi-device sign in 

According to a recent survey from the Ponemon Institute, individuals use an average of 5 devices to access online accounts. With a YubiKey and Yubico Authenticator, the same secrets are accessible on desktop computers as well as mobile devices. This makes it easy to authenticate without needing to re-register every service with the authenticator app on different platforms. 

Setting up Yubico Authenticator for desktop 

Simply download the app for Windows, macOS, or Linux depending on the machine you’re using. Open the app, insert your YubiKey, and begin adding the accounts you wish to protect by scanning the QR code provided by each service. Yubico Authenticator is also available for download on iOS (iPhones and iPads) and Android operating systems. 

Now you’re all set! Start using the Yubico Authenticator app and your YubiKey to securely log in to your services, with the YubiKey acting as the second factor. 

For added convenience, head over to the Yubico store to pick up a YubiKey 5Ci for seamless authentication across desktop and mobile devices!  

Bank Implements Branch Modernization Project with Flexibility of Fortinet Secure SD-WAN

Cost reduction and improving application performance were top priorities for the financial institution when it came time to execute their branch modernization project. They chose Fortinet’s SD-Branch solution because they were able to consolidate their branch services into the same platform that would be running their SD-WAN, giving them better visibility, control, and security at their branch offices.

A large financial institution with hundreds of branches and operating across multiple banking and investment segments was looking to implement what they envisioned as the next-generation branch. This project aimed to reduce costs by migrating their existing MPLS infrastructure to low-cost, high-bandwidth ADSL links, all while improving performance and network security.

To achieve this, the bank was looking for a cybersecurity solution that would provide them with:

  • Increased performance of SaaS applications with high ADSL bandwidth
  • Improved visibility of corporate and guest internet traffic
  • Reporting capabilities and compliance with national and international laws and regulations
  • Integration with existing and complex routing infrastructure using open routing protocols
  • Ease and flexibility of management and implementation
  • Integrated access technology, thereby increasing branching capabilities for wireless speeds of 1 Gbps and Wave 2
  • Physical asset security with an integrated camera system for facial recognition

In addition to all this, they needed advanced security to offer this new service to their customers, as well as for internet access across all branches. This required the deployment of high-performance IPSec VPN, combined with Security-Driven Networking that supported NGFW, SD-WAN, and SD-Branch (AP/Switch). This security-driven, fabric-based strategy needed to cover their entire expanded infrastructure, from wired and wireless endpoint connections to full WAN protection.

Flexible Architecture and Increased Network Security

The bank had been looking to improve their network stability, solution management, and network security for some time – a demand that its legacy equipment could no longer meet. After much analysis, the bank opened their doors to an IT solutions company and Fortinet partner – recognizing the company would be able to meet their current prerequisites as well as future bank implementations. 

The next major step was to deploy Secure SD-WAN technology to manage the volume of application traffic in remote offices, reduce costly rack space, provide greater security, and implement centralized management across a flexible architecture. Adding FortiAPs (access points) and FortiSwitches (AP/Switch) enabled the bank to deploy Fortinet’s Secure SD-Branch solution, extending the Fortinet Security Fabric and the benefits of SD-WAN beyond network access by converging WAN, Branch LAN, and security functionality into a single, integrated platform managed by the Fabric Management Center. This convergence increased security and visibility while reducing complexity, thereby improving performance and agility and lowering overall IT costs at the edges of the network.

The bank chose Fortinet because of its broad range of technical differentiators, including their integrated Secure SD-WAN and SD-Branch architectures that proved to be much more advanced than the market standard, as well as the flexibility needed to address the bank’s demands in a personalized way. Other elements like FortiGate, with its superior IPS engine, performance and intelligence, combined with the Fabric Management Center, contributed to this decision due to their ability to deliver significant operational improvements.

The bank deployed Fortinet solutions into the data centers connected to its remote branches and subsequently installed Fortinet solutions in dozens of its branches. This deployment strategy has ensured that communications between the branches and the data center are encrypted, while providing branches with secure direct Internet access combined with browsing and logging to ensure efficiency and control, something that had been previously lacking.

Benefits of Secure SD-WAN and SD-Branch

The implementation of Fortinet Secure SD-WAN and SD-Branch has paved the way for new opportunities for the bank and its branches. As a result of implementing these solutions, the bank enjoys greater visibility and flexibility across data centers and branch offices, while high-performance SSL inspection features have improved security.

In addition, users have pointed to an increase in connection quality once the bank switched technologies. In the past, they had cases where the connectivity was degraded, creating problems such as an increase in response time – an issue that both operators and users continually tried to fix to no avail. SD-Branch now allows for placing switches in the circuit, so even if a connection becomes degraded, QoS functions are able to maintain a high-quality, secure service.

And due to the increasing number of sophisticated threats and malware they have been facing, the advanced security functionality built into the SD-WAN implementation project has become an essential component of the bank’s network transformation project. To avoid costly deployment and management overhead, Fortinet Secure SD-WAN and SD-Branch solutions provide complete and natively integrated security to detect and prevent threats, including native NGFW functionality, a flexible and expandable VPN, and high-performance SSL inspection.

The results have been so positive for the bank that they are already thinking about developing their next round of critical developments with Fortinet as their strategic cybersecurity partner.

Business impact

  • Enabled high visibility of guest and employee traffic, with additional benefits such as facial recognition features and wireless integration with analytical tools.
  • Reduced costs with ADSL-enabled Internet, as opposed to more expensive MPLS connections.
  • Single-pane-of-glass management provided a quick response for both security and network management.
  • Enabled compliance with all required laws and regulations, including the General Data Protection Regulation (GDPR), the Civil Rights Framework for the Internet, the Central Bank’s latest regulations, and more. 
  • Advanced end-to-end security.

Take a security-driven approach to networking to improve user experience and simplify operations at the WAN edge with Fortinet’s Secure SD-WAN solution.

Read more about how FortiGate Secure SD-WAN helped Fortinet optimize network performance in this case study. 

Read these customer case studies to see how De Heus and Burger King Brazil implemented Fortinet’s Secure SD-WAN to alleviate network complexity, increase bandwidth, and reduce security costs.


Top 3 Considerations for Your Critical Apps in the Age of Teleworking

Almost overnight, teleworking has become mainstream. And from all indications, it might stay that way for weeks or even months. And for many organizations, this may signal a new normal, where many workers may continue to work remotely. But regardless of the outcome, organizations need to ensure that their business continuity/disaster recovery (BCDR) plans are updated so they are ready to quickly ‘flip the switch’ to teleworking in the future – whether due to the next pandemic, a major weather event, or some other unforeseen event.

To do this, organizations need to architect access to their critical applications so they can remain resilient in the face of unexpected change, while maintaining the right security posture to protect valuable data, guard against threats, and adhere to compliance obligations. To achieve this, the following top three considerations are important for every organization, large or small, across every market segment. And they are steps that organizations can immediately put into action today:

1. Protect Your Critical Collaboration & SaaS Apps

Most customers today are fairly advanced in their adoption and transition to the cloud and SaaS apps. Even when an enterprise hasn’t yet directly embraced SaaS, users are self-selecting cloud-based applications – or what’s commonly called shadow IT – to get their jobs done. With the shift to teleworking, the reliance on SaaS and its universal access will only grow. For example, it’s easy to appreciate the value that file sharing and cloud storage applications like Sharepoint, G-Drive, or Box deliver. Even if the corporate network and local folders are unavailable, cloud applications make it easy to upload and share files. And this can easily be extended beyond employees, to partners or suppliers, or even end customers. 

The challenge is how to manage the security of these cloud solutions. Deep visibility and control mechanisms must be put in place to address potential SaaS challenges, such as the unauthorized downloading of files or creation of shadow IT resources. A Cloud Access Security Broker (CASB) provides critical technology designed to secure these cloud-based applications and assets, something that analysts call out as an ‘essential element of any cloud security strategy.’ CASB allows customers to understand their SaaS traffic, protect valuable data, guard against threats, and ensure that compliance objectives are met. And depending on the deployment, CASB can even provide visibility into unsanctioned application traffic, so that policies can be put in place to shore up potential risk points.

Fortinet has taken a unique, 100% API-driven approach in its FortiCASB solution. Especially today, in this new age of teleworking, these APIs provide critical insights into application usage without the need for intercepting traffic through a proxy or by installing endpoint agents. These APIs provide a wealth of intelligence designed to uncover SaaS activity, ranging from who the top users are, to what’s being uploaded, to where it’s going and whether there are any risks or risky activities going on. These APIs can also be used for remediation steps like changing permissions so, for example, a sensitive file is not visible to the public from Sharepoint, or by using FortiCASB’s built-in threat scanning technologies to identify malware ahead of costly damages or broad propagation from a Box folder. For full shadow IT visibility, FortiCASB can also be deployed in conjunction with FortiGate NGFW and leverage the FortiGate as a powerful control point in the network.

But as with email, you need to control who can gain access to these resources with more than just simple login-password combinations. That leads to the next point, which is applicable to both email and an organization’s critical SaaS apps. 

2. Enable Multi-Factor Authentication

At the RSA Security Conference this past March, Microsoft engineers shared that “99.9% of the compromised accounts they track every month don’t use multi-factor authentication.” To put this data in context, Microsoft monitors more than 30 billion logins per day and more than a billion users. And on average, Microsoft sees roughly 1.2 million accounts that have been compromised each month. So it’s no surprise that across all of the enterprise accounts they monitor, only 11% had an MFA solution enabled. 

Many of today’s most damaging security breaches are due to compromised user accounts and passwords. Whether bad actors collect login credentials via sophisticated phishing email scams or brute force attacks, without multifactor authentication in place they can use those credentials to easily gain unfettered access to the network and to move laterally across network and application resources to wreak havoc.

To address this, the adoption of additional authentication methods has accelerated. Two-factor or multifactor authentication (MFA) – achieved through physical hardware or mobile application tokens – increases the certainty of the identity of users as they enter the network, because even if a criminal knows a user’s name and password, they still cannot log in under that stolen identity without also having that user’s unique identity token. 

Fortinet’s FortiToken solution enables businesses of all sizes to manage their MFA token implementations for users connecting from anywhere, as long as there is an Internet connection. With the addition of FortiAuthenticator, customers can augment existing solutions like Active Directory and enable things like single sign-on (SSO) to improve user experience. FortiToken, with or without the addition of FortiAuthenticator, secures access to a wide range of enterprise applications, whether on-premise, hosted in private or public clouds, or for SaaS applications. 

Multifactor authentication technology is widely available, but organizations need to enable it and make it mandatory for their employees. And as with the recommendations for email and SaaS applications, MFA provides a key complementary technology that can significantly bolster the security across these critical environments with minimal investment. 

3. Lock Down Your Inbox

Email is the primary communication tool for doing business. It connects us to our peers, our partners and suppliers, even our customers. It needs to be reliable and accessible, but also protected. Many customers have come to rely on native security functions built into their email security solutions, but they don’t always measure up. A recently published report from third-party testing firm SE Labs sheds light on how different solutions perform. It includes results and ratings for popular email cloud providers like Exchange Online, Office 365, and G-Suite. In addition, FortiMail was submitted as part of the SE Labs testing as Fortinet believes strongly that truly effective security should hold up under the vetting of third-party, independent tests and benchmarks. SE Labs responded to our entry with the following:

“We congratulate Fortinet for its outstanding performance in this extremely challenging test. In our latest tests, Fortinet earned an AAA rating with a 90% total accuracy, which put it in high standing compared to other offerings in the market. For customers, this should provide additional assurance that FortiMail offers the appropriate, robust security protections needed for securing email traffic.”

The deluge of email-based threats has already begun to spike during this period, with the FortiGuard Labs team identifying upwards of 600 new phishing campaigns a day. Clearly, the bad actors are trying to take advantage of the confusion of such a rapid transition and novice remote users through their social engineering tricks and other exploits. Whether defending against phishing attacks, business email compromise, or the latest ransomware, Information Technology and Security leaders need to protect their users’ inboxes now more than ever.

Special consideration is also needed as users are more likely to connect to corporate resources not only from company-managed devices, but also from personal or unmanaged devices, including laptops, smartphones, and tablets. As a result, stopping email threats on the mail server or in the cloud, before they get delivered to the user, is imperative. To do this, taking smart steps to avoid credential theft will be key. The same goes for protecting valuable data before it potentially leaves the organization.


With the industry quickly pivoting to teleworking, now is the time for organizations to move quickly and take these important steps – securing their critical email traffic, putting the right protections in place for their SaaS applications, and enabling the critical linchpin technology of multifactor authentication to tie it all together. By implementing the right IT and Security strategy, customers will not only have a more secure environment today, but it also sets them up well for the future, enabling productivity and business agility gains even during extreme circumstances, without dangerous concessions to the overall security posture of the business. 

Learn more about how to maintain business continuity through broad, integrated, and automated Fortinet Teleworker Solutions.

Learn how Fortinet’s dynamic cloud security solutions provide increased visibility and control across cloud infrastructures, enabling secure applications and connectivity from data center to cloud.

Read these customer case studies to see how Cuebiq and Steelcase implemented Fortinet’s dynamic cloud security solutions for secure connectivity from the data center to the cloud.


Following the money in a massive “sextortion” spam scheme – Sophos News

Millions of “sextortion” spam messages sent between September 1, 2019 and January 31, 2020 generated nearly a half-million US dollars in profits for Internet criminals. The messages told recipients that their computers had been hacked, that the sender had captured video of them visiting pornographic websites, and threatened to share the video with the targets’ “friends” if they didn’t pay—asking for as much as $800 USD worth of Bitcoin (BTC) to be transferred to a wallet address.

The flow of that digital currency reveals that many of the operators behind these sextortion scams are connected to a much larger criminal digital economy. Though there were some smaller players involved in these spam campaigns, the movement of the BTC deposited in many of those wallets shows the campaigns were linked to other criminal enterprises—either funding other illicit activity or providing a way to convert the BTC to hard cash.

An example of the sextortion messages sent during the campaign.

We shared wallet data extracted from these spam campaigns with CipherTrace, Inc., to get more insight into the flow of digital currency connected to them. The wallet addresses used by the scammers to extract payments from victims were found to have made transactions with dark web marketplaces, stolen credit card data hawkers, and other elements of the cybercriminal economy. Other funds were quickly moved through a series of wallet addresses to be consolidated, put through “mixers” in an attempt to launder the transactions, and converted to cash, goods and services through other channels.

While the sextortion scams themselves were hardly innovative, the cryptocurrency flow wasn’t the only thing that suggested a certain sophistication behind some of the attackers. Many of the messages relied on a number of technically interesting obfuscation methods to try to slip by spam filters. And while the vast majority of recipients either never saw the messages or didn’t pay, enough saw and fell for the ploy that wallets associated with the messages pulled in 50.98 BTC during the five month period. That amounts to roughly $473,000, based on the average daily price at the times the payments were made, and an average of $3,100 a day.

It’s raining spam

Sextortion messages are a staple of low-level Internet scammers. They require relatively little technical skill to send, and do not require the actual compromise of the target’s computer. That is because the email addresses targeted by the scam and the passwords sent as proof to the victims are collected from published usernames and passwords from old website breaches, widely published on the Internet. (Using password managers, not re-using passwords across accounts, and using services such as HaveIBeenPwned.com or Google’s Password Checkup can protect people from the use of old passwords by attackers.)

Compared to sophisticated ransomware campaigns (which can bring in millions of US dollars worth of cryptocurrency from a single victim), the return from sextortion scams is relatively small. But they are still a significant source of income for the spammers behind them, and cost relatively little to run. They also provide a steady stream of income for the botnet operators whose networks of compromised computers act as the launchpad for these campaigns.

During the period between September 1, 2019 and January 31, 2020, we witnessed a series of unusual spikes in sextortion spam message traffic. As with many other types of spam campaigns, the sextortion messages came in relatively short bursts instead of a continuous stream of messages. But these particular bursts made up an outsized proportion of the spam traffic we observed during the period. While sextortion made up an average of 4.23% of all our observed spam traffic over the period, there were five days when it made up over a fifth of all spam we observed. And the sextortion emails on just three days in October accounted for over 15 percent of all spam between September and January.

We observed around a dozen “spikes,” most of them during the autumn. These spikes usually lasted 1-3 days, and more than half of them happened on weekends (Friday, Saturday and Sunday). Another sign that the scammers behind these messages prefer to send their messages when their targets might not be at work: while the campaigns were largely low-volume during December, they picked up between the 24th and 26th. There were some outliers, however, including a spike on January 8 that consisted largely of a campaign with extortion messages written in German.

As with many spam campaigns, the sextortion messages were launched from botnets using compromised personal computers all around the world, with PCs in Vietnam providing the greatest single share (7%). Some of the messages demonstrated some new methods being used by sophisticated spammers to evade filtering software.

While we had seen previous campaigns use images to display the extortion demand in order to evade text detection, we found few examples of image-based obfuscation in the September to January waves. Instead, the spammers used a variety of other techniques to hide the text of their messages from simple parsers:

  • Breaking up the words with invisible, random strings

    Top: message as seen by recipient. Bottom: Encoded text in message data

  • Using encoded non-ASCII characters (such as Cyrillic letters) that look similar to “regular” characters to humans, completely different when read by a machine:

    Top: message as seen by recipient. Bottom: Encoded text in message data

  • Using invisible white garbage text to break up the message text.

    Top: message as seen by recipient. Bottom: Encoded text in message data

  • In one message (the example shown earlier in this report) the message text was “concealed” in HTML style tags outside of the body of the message.

    Left: Message as seen by recipient. Right: HTML encoding of message, showing content in “style” tags.

Cashing in on fear

In addition to the often-obfuscated threat, each of these emails carried a Bitcoin wallet address for victims to use in directing payments. Clearly, the majority of these individual efforts to scare targets into paying were in vain—while we found nearly 50,000 unique Bitcoin wallet addresses in the sextortion messages we intercepted, only 328 received payments at any point in time until early February—meaning only about half a percent of each message volley convinced recipients to pay.

While a relatively tiny fraction of the total, these wallet addresses received more than 96 BTC, which is (or was) worth a few hundred thousand US dollars, depending on when we check the price of BTC/USD. Some of this activity predates the spam campaigns, however.

Looking at the payments made during the sextortion campaigns may give a more accurate picture of what they yielded. During the five month period, 261 of the wallet addresses received 50.98 BTC. Multiplied by the average of the daily price on the day the payments were made, that comes to $472,740.99, which is as close to the actual amount victims paid as we can get. On average, the active wallets received 0.19534962 Bitcoin per address, or $1,811.27.

The operators regularly cycled through new wallet addresses with each new campaign. The average “lifespan” of all the addresses found within sextortion messages was 2.6 days before they disappeared from observed spam. The 328 “successful” wallets—those that received payments—had more extended lives, lasting 15 days on average.

Through our collaboration with CipherTrace, we were able to determine that the 328 Bitcoin addresses with a history of payments were connected to 162 clusters of addresses tied to individual Bitcoin wallets. While a majority of these wallets only had one address, there were 4 wallets that had more than 10 addresses from our list associated with them.

Let the BTC flow

Of the 328 “active” addresses we identified, CipherTrace connected 12 to online cryptocurrency exchanges or other wallet services. Some of the exchanges had been previously identified by CipherTrace as “high risk” exchange services with little in the way of “know your customer” requirements, making them well-suited as cryptocurrency laundering points for criminals. These previously attributed addresses were not used in further tracing the flow of funds from the campaigns, because exchanges often combine customer funds together in their deposit pool—making it untenable to track specific blockchain transactions further.

The CipherTrace Inspector product identified 476 output transactions from the 316 addresses. The most frequent destinations for transactions were:

  • Binance, a global BTC exchange  (70 transactions).
  • LocalBitcoins, another BTC exchange (48 transactions).
  • Coinpayments, a BTC payment gateway (30 transactions).
  • Other wallets within the sextortion scheme, consolidating funds (45 transactions).
  • There were 54 transactions to addresses that could not be attributed—likely private non-hosted wallets.

It’s important to point out that the exchanges mentioned above (as well as other exchanges) are unknowing participants in these deposits of funds. Because of the way blockchains are designed, there is no way for exchanges to block deposits to their addresses.

Overall, the payments from sextortion wallets were distributed as shown below:

Deposits made in BTC from sextortion-connected wallets, by percentage.

CipherTrace performed further analysis on the 316 addresses by tracing the other addresses connected to them by transactions, going out a maximum of 3 transaction “hops” from the original address. Of those addresses, 305 had at least one outbound transaction. The trace of those transactions revealed 7 distinct groups of address clusters within the group, tied together by transactions. In some cases, those clusters were connected to other criminal transactions:

  • A cluster of sextortion-related wallets fed into a transaction with WallStreetMarket, a “darkweb” marketplace that sells stolen credit card data, drugs, and virtually everything else.
  • Sextortion wallets were tied to a wallet aggregating funds, including payments from the Russian-language darkweb market Hydra Market and the credit card dump marketplace FeShop.
  • One sextortion wallet was linked to a transaction of Bitcoin linked to a 2019 theft from the Binance exchange.

There were 13 addresses among the 328 passed to CipherTrace that did not have traceable outbound transactions. But for the remainder, whoever was behind the wallets did not let their cryptocurrency spoils sit for long. Based on the date of the first input (when the first extortion payment transaction occurred) and of the last output (when the last of the value of the wallet’s Bitcoin was drained) from each of the remaining 305 wallets, CipherTrace calculated an average “lifespan” of approximately 32.28 days.

Removing the most long-lived outlier wallets from the group—9 addresses that persisted for more than 200 days—the majority of the addresses had an average lifespan of 19.93 days. For 143 of the addresses, where there was only one input and one output transaction, the wallets were cashed out on average within 8 days—with the exception of two that were left untouched for over 100 days.

Where’s the money now?

Tracking where physically in the world the money went from these sextortion scams is a difficult endeavor. Out of the 328 addresses provided, CipherTrace determined that 20 of the addresses had IP data associated with them, but those addresses were connected to VPNs or Tor exit nodes—so they were not useful in geo-locating their owners.

Which exchange receives the wallet-emptying deposits can sometimes hint at the scammers’ location, because some exchanges restrict the Internet address blocks from which they can be accessed. But even those geographic restrictions are ineffective for locating the people behind the wallets, for much the same reason: VPNs or Tor can be used to bypass IP-based restrictions on those exchanges. Most of the deposits went into global exchanges.

Given that some of the transfers were used to obtain stolen credit card data or other criminal services—probably including more botnet services for sending spam—the payouts from the sextortion campaigns are funding yet another round of scams and fraud. After all, even in the criminal world, you have to spend money to make money.

Sophos would like to acknowledge the contributions of analysts at CipherTrace, Inc., to this report.


XG Firewall is now available on AWS – Sophos News

XG Firewall is now available in the AWS marketplace with two flexible licensing options:

AWS customers can take full advantage of the many innovations XG Firewall has to offer, like Synchronized Security with Intercept X for Server, the new Xstream Architecture with high-performance TLS 1.3 inspection, and the latest machine learning threat intelligence and sandboxing protection from ransomware and other advanced threats.

Crucially, it enables customers to manage a multi-cloud security strategy from a single cloud console in Sophos Central: network security with XG Firewall, cloud workload protection with Intercept X for Server, and cloud security posture management with Cloud Optix.

XG Firewall brings full network security and control to AWS integrated into a single solution:

  • Xstream Deep Packet Inspection (DPI)
  • Intrusion Prevention System (IPS)
  • Web filtering, protection and application control
  • AV and AI machine-learning threat protection and sandboxing
  • TLS inspection with native support for TLS 1.3
  • A full-featured Web Application Firewall

In the coming months we will be extending XG Firewall’s integration into AWS with enhancements like auto-scaling, CloudFormation template support, CloudWatch integration and more.

With XG Firewall now available in AWS as well as Microsoft’s Azure public cloud platform, XG Firewall further extends its industry-leading deployment options with support for any combination of cloud, virtual, software, or XG Series hardware appliances. These options make XG Firewall able to fit any network, both now and in the future.


Top Yubico Partners to Modernize your Workplace Login

The workplace is evolving and expanding well beyond the four walls of a corporate office, and with this expansion come new questions about how to secure employee login. In 2019, fifty-one percent (51%) of IT professionals said their organization had experienced a phishing attack, making it urgent for organizations to identify solutions that let employees access critical workplace systems and data while staying safe from rising attacks.

As your organization is on the path to modernizing workplace login, security at the individual user level is more critical than ever. Secure login is fundamental to preventing unauthorized access, and when done really well, results in: 

Through our extensive partner network, Yubico offers organizations a broad range of choices in the way users can securely log into their workstations and computers. Whether aiming for a cloud-first or hybrid environment, strong authentication can be implemented to protect access everywhere, all based on the systems users need to access.

Last month, we shared 5 ways the YubiKey can protect your remote workforce from phishing and other attacks. This month, we are featuring five of our partners to share tips on how our joint technologies can enable your organization to modernize the login experience to desktops and laptops as well as cloud-based apps and services. 


“Strong authentication is fundamental to modernizing the workplace. YubiKeys provide seamless multi-factor authentication (MFA), while systems like MyID give IT teams the control they need to issue and manage YubiKeys simply and at scale.” – Allen Storey, Chief Product Officer, Intercede


“The best experience you can give your users is one that doesn’t require them to learn new ways or new habits. Rather than distributing new usernames and passwords, you can leverage the credentials they already use to sign in to their devices.” – Sue Bohn, Director of Program Management, Microsoft


“MFA doesn’t have to be difficult. OneLogin’s Trusted Experience Platform enables users to leverage WebAuthn with hardware-backed YubiKey MFA for access to enterprise apps and services. With our integration, companies can reduce MFA friction with OneLogin SmartFactor, and increase their overall security posture.” – Brandon Simons, Director of Product Management, OneLogin


“By partnering with Yubico, we’re making it easy to deploy the YubiKey as a smart card using our onboarding software plus PKI Services to secure app authentication, VPN, desktop logon, and more.” – Tom Rixom, CTO, SecureW2

Bottom line: Organizations undergoing digital transformation require modern, secure, and flexible authentication approaches to protect critical data. Whether you’re considering MFA by adding another layer of protection on top of a username and password, or potentially replacing passwords altogether, the multi-protocol YubiKey is equipped to handle it all. 

Join our upcoming partner roundtable discussions to hear expert insights and best practices on modernizing workplace login.


Rising to the challenge in the worst circumstances – Sophos News

There’s a lot of uncertainty in the world, but the one thing you can be sure of is that COVID-19 has created, and will continue to create, a situation that hasn’t been seen in three generations, certainly not in living memory.

In a matter of weeks, response to the pandemic has reshaped our global economy and societies in ways that will touch everyone. How we work, shop, get educated, travel, exercise, care for each other, and socialize has changed radically, and with ferocious speed. And the pandemic has created new classes of both villains and heroes.

While many of the changes to interpersonal interactions have been rough, there are some silver linings to these difficult circumstances. One of the brightest spots is how the coronavirus has roused many in the security industry to action, for many of the same reasons why some people enlist in the military during wartime: out of a sense of duty and a desire to protect others. Only this time, the enemy is cybercrime itself.

The collective sense of duty, coupled with a visceral reaction to criminals exploiting the world’s fears of an invisible killer, led to the spontaneous formation of several working groups to combat these threats.

There is much that is remarkable about these initiatives, but one characteristic that stands out is how militia-like these groups are, from the way that they have self-organized in a matter of days, with distributed (decentralized) structures, to how they are positioning themselves to aid our “conventional” forces, including individual cybersecurity companies.

Among these new working groups, which include the CTI League and Cyber Volunteers 19, is an initiative called the COVID-19 Cyber Threat Coalition (or CCTC).

What began with a simple call by Sophos Chief Scientist Joshua Saxe for analysts to join forces has turned, in a matter of just a few weeks, into an operation numbering more than 3,000 volunteers, comprising people from a broad range of industries and organizations around the world, working with a single purpose and goal.

The all-volunteer effort of the CCTC has self-organized around the goal of creating a shared pool of real-time data and threat intelligence about attacks in which the attackers have in some way exploited the COVID-19 pandemic, and making that output freely available to anyone who has a use for it.

The outpouring of data from volunteers was matched with generous offers from tech firms to provide the organization with the tools and technology they need to accomplish the mission, at no cost. The charitableness of the volunteers with their time, and of businesses with their products and infrastructure has been heartening in these trying times.

The collaboration, spirit of teamwork, and feedback among CCTC volunteers has been impressive, as well. Participants organized into teams that rapidly devised systems to collect volumes of threat intelligence along with automation to vet the data, reducing the likelihood of spreading inaccuracies. Others are consumers of this data, using it to strengthen our collective infosec immune system and suggesting different ways to produce output they can use with less effort.

The spontaneous genesis of these groups represents a statement that, collectively, information security specialists will no longer tolerate business as usual from criminal groups that, even in the best of times, can ruin lives and harm or destroy businesses or organizations.

At a time when the fabric of our very society seems strained almost to the breaking point, a ransomware attack against a medical facility or other critical infrastructure could cost actual lives.

The tragedies and trauma of a global pandemic will shape a post-COVID world that may not look very different to what came before but will be very different under the hood. Those who protect us have a renewed sense of purpose and collective mission, unencumbered by pre-existing affiliations. We should embrace that.

There are some things that shouldn’t fully snap back to the way they were, and a group of cyber-minutemen who rise up to defend us all against enemies who act with depraved indifference to the needs of civilization might just be what the doctor ordered.

Fortinet Secure SD-WAN Improves Application Performance for Global Company

Large, distributed organizations rely on business applications to deliver valuable resources and services to users, and as a result, must ensure uptime to keep those business-critical applications running and users productive. 

Recently, Fortinet worked with a global company contending with those challenges. Specifically, this customer was seeking to improve performance and management capabilities to ensure application availability and user productivity. 

And Then There Was One

With 1500 branch offices and three datacenters spread geographically around the world, deploying new branches was key to the business’ growth plans, but proved time-consuming and often difficult to integrate into existing infrastructure. Previously, this organization’s branch offices included multiple legacy point products for networking and for security, which made centralized management difficult and provided no visibility.

The incumbent solution was a combination of a traditional ISR router from a major networking vendor managing an MPLS connection and a separate firewall appliance from the same vendor. Adding SD-WAN would have required the deployment of yet another device, because neither the router nor the NGFW was able to provide SD-WAN services. Security would then need to be configured to run as an overlay on top of the SD-WAN appliance, significantly increasing capital and operating expenses, and the organization would still be forced to keep its MPLS links.

Fortinet was the only vendor the organization considered that offered all of these functions in a single, high performance appliance, with centralized management for both network and security policies through an integrated console. As a result of selecting the Fortinet Secure SD-WAN solution, the company was able to eliminate their disconnected and isolated networking and security point products and replace them with one unified appliance, thereby reducing complexity. Fortinet surpassed the global company’s expectations, starting from proof of concept, with zero touch deployment, centralized management, and the ability to auto-provision configuration and business policies globally from their HQ.

Improving Performance for Business-Critical Applications & Users

Because of Fortinet’s integrated approach and proven networking and security performance, both the CIO and CISO selected Fortinet Secure SD-WAN to enable faster cloud adoption and significantly improve user experience for its nearly 15,000 employees. Moreover, the company is now able to offer its users a significantly improved experience with more consistent connectivity and high-performance reliability by tapping into the LTE capabilities built into FortiGate appliances. 

For example, sharing and collaboration is an important business priority and the organization heavily relies on cloud-based applications. As a result, this global organization needed its SD-WAN solution to offer single touch integration with specific cloud providers for faster application access and control. The Fortinet Secure SD-WAN solution natively supports major cloud providers to enhance application optimization by up to 5X, while reducing latency and producing a better user experience. 

Key Benefits

The company experienced the following benefits of the Fortinet Secure SD-WAN solution: 

  • Improved user experience performance: The performance of business-critical applications instantly improved by a factor of five.
  • Reduced Complexity: Replacing multiple point products with an integrated solution built around the benefits of Fortinet Secure SD-WAN reduced complexity while yielding a 60% cost savings.
  • Reduced WAN Cost: Augmented MPLS with broadband and LTE is saving up to 30% on contract renewal. Also, the complete removal of MPLS is on the roadmap. 
  • Centralized Management: The Fortinet Secure SD-WAN solution’s zero touch deployment capabilities and network visibility have reduced troubleshooting cycles by 50%.

Take a security-driven approach to networking to improve user experience and simplify operations at the WAN edge with Fortinet’s Secure SD-WAN solution.

Read more about how FortiGate Secure SD-WAN helped Fortinet optimize network performance in this case study. 

Read these customer case studies to see how De Heus and Burger King Brazil implemented Fortinet’s Secure SD-WAN to alleviate network complexity, increase bandwidth, and reduce security costs.


