UK Police are investigating a sexual assault on the avatar of a girl aged under 16 that caused psychological trauma.

British police are investigating a case involving a virtual sexual assault of a girl’s avatar. Even though there was no physical violence involved the incident will be investigated as it has caused psychological trauma.

By definition, an avatar is a virtual representation of a user and is driven by the user’s movements in the virtual world. In Virtual Reality (VR) an avatar is placed, behaves, and moves like a physical body.

In the investigation, a girl under the age of 16 was playing a VR game when the avatars of online strangers gang raped her avatar. The VR experience is designed to be completely immersive. For example, we’ve all seen those “funny” movies where people wreck their television set because they loose contact with reality because what they see through their VR headset is so believable. So, it’s not very hard to imagine how much of an impact the incident had on the girl.

The BBC reports that the incident left her very distraught. According to an unnamed senior officer familiar with the matter, the victim suffered psychological trauma “similar to that of someone who has been physically raped”.

Whether it is possible to punish the attackers remains to be seen. As we all know, laws always trail behind when it comes to new technological developments. For an actual assault or rape case there needs to have been physical contact.

The incident should at least be considered as a good reason to:

*   Start thinking about legislation that can deal with these sort of incidents.
*   Create platforms that can provide a safe environment, especially for children.

It is possible to utilize existing laws, for example against the creation of synthetic child abuse images, which could be used as the basis of prosecutions in virtual world cases, but specialized laws would make court proceedings a lot easier.

According to the Daily Mail Online, police leaders are now calling for legislation to tackle a wave of sexual offending online, saying officers’ tactics must evolve to stop perverts using new technology to exploit children.

Details about the specific platform have not been released. But it’s certain that the new technology has led to new variations of existing types of crime like the theft of rare game artifacts, fraud, and sexual offenses. Unfortunately, some people feel they can behave like savages when they are hiding behind their virtual identity.

Billions of dollars are invested in developing the metaverse, an umbrella term for virtual worlds, and to attract new VR users. We hope to see some of those dollars invested in safety precautions, which will keep the experience safe for everyone.

For parents looking for guidance on how to keep their children safe on the internet, we recommend reading **Internet Safety Tips for Kids, Teens and Parents**.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Police investigate sexual assault on an avatar 

People using LLMs for bug bounty hunts are wasting developers' time argues the lead developer of cURL. And he's probably right.

Bug bounty programs that pay people for finding bugs are a very useful tool for improving the security of software. But with the availability of artificial intelligence (AI) as seen in the popular large language models (LLMs) like ChatGPT, Bard, and others it looks like there is a new problem on the horizon.

Bounty hunters are using LLMs not only to translate or proofread their reports, but also to find bugs.

Daniel “Haxx” Stenberg of cURL explains in a blogpost why he sees this as a possible problem. CURL is a computer software project providing a library and command-line tool for transferring data using various network protocols. The name stands for Client for URL. Daniel is the original author and currently the lead developer.

He argues that, for some reason, bug bounty programs also attract fortune seekers that are looking for a quick buck without putting in the necessary work. According to Stenberg, developers could easily filter out these fortune seekers before they had access to LLMs.

The source of the problem lies in the bad habit of some LLMs to “hallucinate.” LLM hallucinations is the name for the events in which LLMs produce output that is coherent and grammatically correct but factually incorrect or nonsensical.

This is a problem for developers because they can often discard nonsensical reports from humans only after a short examination. But reports generated by AI look coherent, so they waste a lot more time.

In the mystery of the CVE’s that are not vulnerabilities we saw how the automated submission of bugs had raised issues before that wasted a lot of developer time. Time the developer would like to use to fix real bugs or work on new features. As Daniel put it:

> “A security report can take away a developer from fixing a really annoying bug. because a security issue is always more important than other bugs. If the report turned out to be crap, we did not improve security and we missed out time on fixing bugs or developing a new feature. Not to mention how it drains you on energy having to deal with rubbish.”

This is especially annoying when the person that submitted the bug is unable to respond to additional queries in a way that clarifies the issue. Which is often the case since that person has no idea why the LLM flagged the submission as a bug in the first place.

In several areas people are working on tools that can recognize content created by AI, but these are not a full solution to this particular problem. Bug bounty hunters also use LLMs to translate their submissions from their native language to English. Which is often very helpful. But if a recognition tool were to discard all those submissions, they might end up ignoring a serious security vulnerability just because the bounty hunter wanted to submit a report in perfect English.

In the future, AI will undoubtedly proove to be useful in finding software bugs, but we expect these tools will be deployed by the developers themselves before the software goes live.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 How AI hallucinations are making bug hunting harder 

Researchers have found flaws in the way SMTP servers handle messages, allowing them to send spoofed emails to and from targets.

SMTP smuggling is a technique that allows an attacker to send an email from pretty much any address they like. The intended goal is email spoofing—sending emails with false sender addresses. Email spoofing allows criminals to make malicious emails more believable.

Let’s take a closer look at what it is exactly, and how cybercriminals can use it.

The first thing we need to look at is the Simple Mail Transfer Protocol (SMTP), a protocol that allows the exchange of emails. Mail servers and other message transfer agents use SMTP to send and receive mail messages.

SMTP is very much a protocol that has developed over time since it became the standard for always-online servers in the 1980s.

Basically, an email is written using software like Microsoft Outlook or Apple Mail and is then handed over to an SMTP server. The server looks up the appropriate mail server for the domain in the recipient’s address—the part on the right side of the @ symbol, and sends the mail to that server.

It sometimes takes a few steps, but if all goes well the email will be received by the SMTP server that handles the mail for the recipient. This server may deliver the messages directly to storage, or forward it over a network using SMTP before it reaches the recipient.

Simplified, the process looks like this:

Image courtesy of SEC Consult

Image courtesy of SEC Consult

Image courtesy of SEC Consult

Since SMTP lacks authentication it used to be extremely easy to spoof a sender address. Several safeguards emerged to stop this:

*   SPF (Sender Policy Framework): This uses DNS records to indicate to receiving mail servers which IP addresses are authorized to send mail for a given domain. So this still leaves the work to the receiving server.
*   DKIM (Domain Key Identified Mail): This method signs outgoing emails using a private key. Receiving servers validate the sender using the sending server’s public key,.
*   DMARC (Domain-based Message Authentication, Reporting, and Conformance): DMARC verifies if the email’s “From” domain aligns with SPF checks and/or DKIM signatures. Thus, the DMARC check fails if there is a mismatch between the MAIL FROM and the From domain where otherwise the SPF check would pass. Unfortunately DMARC is not very widely used.

**SMTP smuggling**

SMTP smuggling takes advantage of inconsistencies in the way that proxy servers and firewalls handle SMTP traffic.

Traditionally, the end of data in an SMTP conversation is indicated by a sequence <CR><LF>.<CR><LF> (CR LF stands for Carriage Return and Line Feed, which are standard text delimiters) which can also be written as \r\n.\r\n.

Researchers published about two types of SMTP smuggling, inbound and outbound. They started working from the question, what happens if outbound and inbound SMTP servers interpret the end-of-data sequence (<CR><LF>.<CR><LF>) differently?

If you can tell one server the email ends here and the other one that the full packet ends later, you can create a compartment in which you can smuggle more data.

So, the researchers started testing by putting a <LF>.<LF>  sequence in the middle of sent packages. And they found that outbound SMTP servers have different methods of dealing with it, including:

*   Dot-stuffing (Escaping the single dot with another dot):  <LF>..<LF> 
*   Replacing it with a <CR><LF> 
*   Encoding it (e.g., via quoted-printable): =0A.=0A 
*   Removing the entire sequence 
*   Not sending the message 
*   Or do nothing at all

By testing, which included sending specially constructed messages from and to different email providers, the researchers were able to find combinations that allowed them to send two email messages in one package. The sequence <LF>.<CR><LF> turned out to be effective on a custom SMTP server called NemesisSMTPd which is in use by email services provided by Ionos (e.g. GMX) which accounts for about a million hosted domains.

Image courtesy of SEC Consult

Some vendors (Microsoft and GMX) were quick to fix the vulnerabilities that facilitated SMTP smuggling, but the researchers urge companies using the also affected Cisco Secure Email product to manually update their vulnerable default configuration. The Cisco flaw affects more than 40,000 vulnerable instances and allows an attacker to send spoofed emails to high-value targets, such as Amazon, PayPal, eBay, and the IRS.

The recommendation by the researchers tells organizations using Cisco Secure Email Gateway (on premises) or Cisco Secure Email Cloud Gateway (cloud) to change the default settings of “CR and LF Handling” from “Clean” to “Allow,” citing Cisco guidelines to help administrators understand the change that should be made.

That may sound counterproductive, but this setting passes e-mails with bare carriage returns or line feeds on to the actual e-mail server (Cisco Secure Email Gateway is just a gateway), which only interprets <CR><LF>.<CR><LF> as end-of-data sequence. So, if you don’t want to receive spoofed e-mails with valid DMARC checks, we highly recommend changing your configuration.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Explained: SMTP smuggling 

Facebook has announced it will roll out a new option called Link History to mobile users around the world. What does that mean?

In what seems like yet another attempt to adapt its platform to prepare for new regulations, Facebook has started rolling out a new feature called Link History.

Link History allows users to view and re-visit links they have visited with their Facebook browsing activity.

Obviously Facebook will tell us that the new feature is for its users’ benefit, but we can see several ways in which this benefits Meta even more. The only positive for me is that it could be a handy option for finding that thing that you saw on Facebook that one time, but you can’t quite remember the details. This gets defeated partially by the fact that users that have Link History enabled report they were unable to see the Link History page at all when looking at Facebook on their laptop.

However, as Facebook tracking goes at least this is an option that you have some control over. On most, if not all, popular websites you’ll find Meta’s and other’s tracking pixels. With an ongoing battle against cookies and other trackers, this may be a new way for Facebook to track its user’s behavior.

With Link History, Facebook now has another separate place where it stores details about the websites you visit along with the settings to control that data. Settings that are, deliberately or not, hard to find and easy to misinterpret.

The company itself says:

> “When you allow link history, we may use your information to improve your ads across Meta technologies.”

Translated, this means that they will use the information to provide you with targeted ads.

Recently Meta got sued over coercing users to pay to stop tracking. Organizations concerned about our privacy say that by doing this, Meta has changed the user’s choices from “yes or no” to “pay or okay.”

Research in 2022 showed that in-app browsers inject JavaScript code into third party websites that cause potential security and privacy risks to the user. This resulted in a class-action complaint against Meta in San Francisco’s federal court, alleging the company built a secret workaround to Apple’s safeguards that protect iPhone users from tracking.

So this may be another attempt to follow users around on the web. Unlike on your desktop, clicking a link in Facebook, or Instagram, will open a special browser built into the app, rather than the default browser of the device.

For now, a limited number of Android and iPhone users will see this option appear in the Facebook Mobile Browser. But the company says it will roll out the option globally over time.

**How to turn link history on or off**

Link history is turned on by default so you will have to opt-out if you don’t want it.

1.  Tap any link inside the Facebook app to open Facebook’s Mobile Browser.
2.  Tap the three dots (more actions) in the bottom right, then tap **Go to Settings**.
3.  To turn link history on, tap the slider to on (blue) next to **Allow link history**, then tap **Allow** to confirm.
4.  To turn link history off, tap the slider to off (grey) next to **Allow link history**, then tap **Don’t allow** to confirm. 

**Note**: When you turn link history off, this will immediately clear your link history, and you will no longer be able to see any links you’ve visited. Facebook promises to delete the link history it’s created for you within 90 days.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Facebook introduces another way to track you &#8211; Link History 

23andMe has responded in a letter to legal representatives of data breach victims that they were to blame themselves for re-using passwords

In a surprising move, in a letter to legal representatives of victims of the recent 23andMe data breach, the company has laid the blame at the feet of victims themselves.

23andMe even goes as far as to claim that this wasn’t a data breach at 23andMe at all. The reasoning:

> “… unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials—that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”

In other words, it was their own fault since they re-used their passwords for services that were breached in the past. Accessing accounts on a website by using lists of usernames and passwords exposed on another is known as “credential stuffing”, and it’s both common and effective. It works because users often use the same password for multiple websites.

What 23andMe seems to have forgotten is that only 14,000 accounts were breached by credential stuffing. Afterwards, the attackers used those accounts to access a much larger trove of data via 23andMe’s feature called DNA Relatives which matches users with their genetic relatives.

So, in what was only made possible by 23andMe, customers who didn’t re-use their passwords and even had 2FA enabled still saw their data stolen. This resulted in the data of as many as seven million 23andMe customers being offered for sale on criminal forums.

It’s the second time the company has attempted to downplay the incident. In its first communication about the incident, 23andMe claimed the stolen data did not include genomic sequencing data.  Later, the company acknowledged that for a subset of these accounts, the stolen data might indeed contain health-related information based upon the user’s genetics.

The data in a file found by BleepingComputer contained information including 23andMe users’ account IDs, full names, sex, date of birth, DNA profiles, location, and region details.

As a result, at least four class action complaints were submitted in California seeking relief for the damage done by 23andMe’s failure to protect customer data. The lawsuits focus on different failures on 23andMe’s side to guard the safety of sensitive data, communicate appropriately about the incident, and monitor its network for abnormal activity.

In its defense, 23andMe reasons that customers re-used their passwords, gave permission to share data with **other users** on 23andMe’s platform, and that the medical information was non-substantive.

I put the emphasis on “other users” in order to point out a flaw in 23andMe’s reasoning—agreeing to share with other users is hardly the same as agreeing to share with a data thief. Without knowing the exact details of what happened, we feel that monitoring would indeed have raised alerts about abnormal activity and allowed them to stop the breach earlier. As it seems now, 23andMe only became aware of a problem when someone offered the data up for sale.

Whatever the judges may decide in the end, it’s looking like 23andMe has shown a lot of disregard for its customers’ privacy and the level of sensitivity of the data.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.**Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 23andMe blames &#8220;negligent&#8221; breach victims, says it’s their own fault 

Microsoft decided to disable App Installer links by default after it noticed several access brokers using the handler to spread malware.

In what might be conceived as one of Microsoft’s new year resolutions, it has disclosed that it’s turned off the ms-appinstaller protocol handler by default. The change is designed to make installing apps easier, but it also makes installing malware easier.

Typically, an app needs to be on a device before it can be installed, which normally means that a user has to download it first. To save time and disk space, Microsoft introduced the ability to install applications directly from a web server, without downloading it first. It relies on links that use the ms-appinstaller URI (Uniform Resource Identifier) scheme, which are handled by App Installer rather than a web browser. When software is installed this way users don’t see SmartScreen or browser warnings about downloaded executables.

Microsoft reports that it observed malicious activity where criminals tricked users into installing malware using ms-appinstaller links, allowing them to bypass mechanisms like SmartScreen that are designed to keep users safe.

Several cybercriminals were found selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler. They distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software.

The abuse was first noticed in November 2023. Several known groups were using it in different scenarios, all of which lead users to landing pages that mimicked legitimate software vendor sites, where the malware was available via ms-appinstaller links or malicious MSIX installers.

Cybercriminals used four different techniques to spread their malware:

*   **SEO poisoning**. Users who searched for legitimate software applications on Bing or Google were presented with search results for malicious landing pages.
*   **Malvertising**. Users searching for software were directed to malicious landing pages via search ads mimicking legitimate vendors.
*   **Teams messages**. Users were sent messages over Microsoft teams linking to malicious landing pages.
*   **Social engineering**. Microsoft showed an example of an employement opportunity site that tricked visitors into installing malware by saying it was a new PDF reader version that was required in order to view a document.

The criminal groups identified as using these methods were all initial access brokers (IABs). IABs are individuals or organizations that specialise in providing ransomware gangs with access to company networks.

Malicious installers can be spotted by looking at the publisher information in the ms-appinstaller prompt.

Image courtesy of Microsoft

To manually disable ms-appinstaller on your network, set the Group Policy EnableMSAppInstallerProtocol to disabled.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Microsoft disables ms-appinstaller after malicious use 

Europols’s spotlight report ‘Online fraud schemes: a web of deceit’, identifies investment fraud as a major threat.

Europols’s spotlight report ‘Online fraud schemes: a web of deceit’, looks into online fraud schemes—a major crime threat in the EU and beyond—and one of the report’s primary themes is investment fraud.

But first I want to share some more remarkable conclusions from the report:

*   Charity scams that prey on concern about international conflicts and natural disasters are becoming more prevalent.
*   Fraudsters are evolving their techniques and increasingly re-target fraud victims.
*   The social engineering techniques used by fraudsters are growing in complexity.
*   Logical attacks on ATMs still occur in the EU, with criminal networks testing ways to exploit new vulnerabilities.
*   It also notes the increasing use of “shimming” attacks where an attacker intercepts communication between a card and card reader’s chip interface, and then relays it to another device.

Investment fraud and business e-mail compromise (BEC) fraud remain the most prolific online fraud schemes. Criminal networks involved in these schemes pose a high threat, given their level of organization and resilience. This conclusion matches that of the 2022 Internet Crime Report produced by the FBI’s Internet Crime Complaint Center (IC3), which attributed almost $84 million dollars to BEC and over $75 million to investment fraud.

Europol found that criminal networks involved on investment fraud show great levels of adaptability by constantly refining and improving their methods and leveraging new investment products that are in high demand.

Preying on one of the most basic human flaws, investment scams and other get-rich-quick schemes are making up an ever larger portion of the online scammers’ cake. And the scammers are very much aware that a large amount of money can be made, and they are more than willing to invest in the tools that make their fraud look more trustworthy.

Investment fraudsters look for victims on social media platforms. But they also use e-mail, advertisements on websites, and instant messaging to trigger a potential victim’s interest. When a victim starts to ask questions, the criminals come up with reasons why funds can’t be withdrawn, such as fees or state taxes. To top things off, they will tell the victim they need more money in order to release their funds.

Criminal networks involved in investment fraud make extensive use of call centers. These call centers operate in different languages and the operators are not necessarily aware of the criminal activities behind the work they do.

One of the preferred tactics of investment fraud is the pyramid scheme, where victims are encouraged to recruit more participants. But another method resembles that of romance scams where the criminal builds a relationship with the victim.

Popular investment opportunities offered by the criminals include stocks, cryptocurrencies, and pension funds. The most reported investment fraud products in the EU are cryptocurrencies. The IC3 report mentions for example:

> “Cryptocurrency support impersonators: Increasingly, crypto owners are falling victim to scammers impersonating support or security from cryptocurrency exchanges. Owners are alerted of an issue with their crypto wallet and are convinced to either give access to their crypto wallet or transfer the contents of their wallet to another wallet to “safeguard” the contents.”

To re-target victims the criminals pose as lawyers or members of law enforcement claiming they can help victims to get the lost money back.

**Recognizing investment scams**

We are by no means financial experts, but we have seen too many good people lose money on Ponzi schemes, rug-pulls, and fake Initial Coin Offerings (ICOs), so we feel it is our job to keep you safe, and warn against these types of online investment frauds.

We realize that it is hard to tell investment scams apart from some of the more legitimate offers that are thrown at us in commercials every day. But we do want to hand you a few easy-to-follow rules to keep your money in your own hands:

*   Treat calls, texts, mails, and other advice out of the blue with extreme caution.
*   Don’t judge a book by its cover. Investment scams can often afford to look good.
*   Make sure to read the fine print. Understand what you are getting into.
*   If it sounds too good to be true, it usually isn’t true.
*   Very high returns usually come with extremely high risks. Your money may sometimes even be better off in a casino.
*   When you are urged to act now, remember that while _some_ legitimate opportunities want you to hurry, scammers _always_ want you to hurry.
*   Don’t get turned into a money mule or money launderer.

Still not convinced? I have this piece of land on Venus, that I would be willing to part with for the right price. But you will need to act fast.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Investment fraud a serious money maker for criminals 

Researchers have found a flaw in the Black Basta ransomware encryption algorithm, allowing decryption of some files.

Researchers at SRLabs have made a decryption tool available for Black Basta ransomware, allowing some victims of the group to decrypt files without paying a ransom. The decryptor works for victims whose files were encrypted between November 2022 and December 2023.

The decryptor, called Black Basta Buster, exploits a flaw in the encryption algorithm used in older versions of the Black Basta group’s ransomware. The bug was fixed by the group in mid-December, probably as a result of the discovery, so it won’t work on the most recent attacks.

During the period the decryptor works for, the gang was responsible for 153 known attacks (attacks where the victim did not pay a ransom and appeared on Black Basta’s dark web data leak site).

BlackBasta first appeared in April 2022 and is a regular entry in the top 5 most active ransomware groups in our monthly ransomware reviews. Among others, the ransomware has been used to attack organizations like Canada’s Yellow Pages and German arms producer Rheinmetall.

Known Black Basta attacks, December 2022 – November 2023

The decryptor comes with a few restrictions due to the nature of the flaw it exploits.

On its Github page for Black Basta Buster, SRLabs explains:

> “Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.”

**So, how do you recover your files?**

The decryptor only works on one file at a time and your best chances are on virtual machine disks. According to SRLabs, virtualised disk images “have a high chance of being recovered, because the actual partitions and their filesystems tend to start later. So the ransomware destroyed the MBR or GPT partition table, but tools such as “testdisk” can often recover or re-generate those.”

Files can be recovered if the plaintext of 64 encrypted bytes is known. The easiest way to establish this is to find a sequence of zeroes in the file. It may be possible to decrypt large files that don’t contain large enough chunks of zero-bytes, but you will need an unencrypted version of the target file. In many cases this will defeat the purpose of decryption, but there may be are edge cases where you have a previous version of the target file that meets the requirements, but does not hold the information you want to decrypt.

On the Github pages you will find several python scripts to help you with the recovery of the encrypted files. Interested parties can find instructions on how to use them in the readme file. This is not an easy process and certainly not something we would recommend using for every encrypted file. Each victim will need to weigh up how useful it is to them.

BleepingComputer reports that some digital forensics companies may have been aware of the flaw and have been assisting clients for months in recovering important files, similar to the way the FBI offered decryption keys to Hive victims after penetrating its computer networks. They may have done the same for ALPHV victims, but this is unconfirmed.

Obviously, it’s better to avoid malicious encryption if you can, so here are some pointers.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Oops! Black Basta ransomware flubs encryption 

This week on the Lock and Code podcast, we speak with Suzanne Bernstein about  DNA privacy and protecting data from hackers.

_This week on the Lock and Code podcast…_

Hackers want to know everything about you: Your credit card number, your ID and passport info, and now, your DNA.

On October 1 2023, on a hacking website called BreachForums, a group of cybercriminals claimed that they had stolen—and would soon sell—individual profiles for users of the genetic testing company 23andMe.

23andMe offers direct-to-consumer genetic testing kits that provide customers with different types of information, including potential indicators of health risks along with reports that detail a person’s heritage, their DNA’s geographical footprint, and, if they opt in, a service to connect with relatives who have also used 23andMe’s DNA testing service.

The data that 23andMe and similar companies collect is often seen as some of the most sensitive, personal information that exists about people today, as it can expose health risks, family connections, and medical diagnoses. This type of data has also been used to exonerate the wrongfully accused and to finally apprehend long-hidden fugitives.

In 2018, deputies from the Sacramento County Sherriff’s department arrested a serial killer known as the Golden State Killer, after investigators took DNA left at decades-old crime scenes and compared it to a then-growing database of genetic information, finding the Golden State Killer’s relatives, and then zeroing in from there.

And while the story of the Golden State Killer involves the use of genetic data to _solve_ a crime, what happens when genetic data is _part_ of a crime? What law enforcement agency, if any, gets involved? What rights do consumers have? And how likely is it that consumer complaints will get heard?

For customers of 23andMe, those are particularly relevant questions. After an internal investigation from the genetic testing company, it was revealed that 6.9 million customers were impacted by the October breach.

What do they do?

Today on the Lock and Code podcast with host David Ruiz, we speak with Suzanne Bernstein, a law fellow at Electronic Privacy Information Center (EPIC) to understand the value of genetic data, the risks of its exposure, and the unfortunate reality that consumers face in having to protect themselves while also trusting private corporations to secure their most sensitive data.

“We live our lives online and there’s certain risks that are unavoidable or that are manageable relative to the benefit that a consumer might get from it,” Bernstein said.

> “Ultimately, while it’s not the consumer’s responsibility, an informed consumer can make the best choices about what kind of risks to take online.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 DNA data deserves better, with Suzanne Bernstein: Lock and Code S05E01 

A list of topics we covered in the week of December 25 to December 31 of 2023

December 29, 2023 - Ransomware gangs don't always win, and when they don't, it feels pretty great.

December 27, 2023 - We look at the three most common methods that ransomware groups use to avoid being detected.

December 26, 2023 - Cybercriminals now have AI to write their phishing emails, which might well improve their success rates. Here's what to watch out for.

December 25, 2023 - A list of topics we covered in the week of December 18 to December 24 of 2023

December 21, 2023 - Xfinity has notified customers that due to exploitation of the Citrix Bleed vulnerability, attackers were able to access personal data of almost 36 million customers.

Source

Malwarebytes