Cachet Financial Reeling from MyPayrollHR Fraud

When New York-based cloud payroll provider MyPayrollHR unexpectedly shuttered its doors last month and disappeared with $26 million worth of customer payroll deposits, its payment processor Cachet Financial Services ended up funding the bank accounts of MyPayrollHR client company employees anyway, graciously eating a $26 million loss which it is now suing to recover.

But on Oct. 23 — less than 24 hours before another weekly payroll rush — Pasadena, Calif.-based Cachet threw much of its customer base into disarray when it said its bank was no longer willing to risk another MyPayrollHR debacle, and that customers would need to wire payroll deposits instead of relying on the usual method of automated clearinghouse (ACH) payments (essentially bank-to-bank checks).

Cachet processes some $150 billion in payroll payments annually for more than 110,000 employers. But payroll experts say this week’s actions by Cachet’s bank may well soon put the 22-year-old company out of business.

“We apologize for the inconvenience of this message,” reads the communication from Cachet that went out to customers just after 6:30 PM ET on Oct. 23. It continued:

“Due to ongoing fraud protocol with our bank, they are requiring pre-funding via Direct Wire for all batches that were uploaded this week, unless employees were already paid or tax payments were already transmitted. This includes all batch files moving forward.

All files that were uploaded today for collection and disbursement will not be processed. In order to process disbursement, we will need to receive a wire first thing tomorrow in order to release the disbursements.

All collections that were processed prior to today will be reviewed by the bank and disbursements will be released once the funds are cleared. Credit trans

Deadline for wires is 1 P.M. PST.

This will be the process until further notice. If you need a backup processor, please contact us.

If you require wire instructions, please respond to this email and they will be sent to you.

We welcome and anticipate your phone calls and inquiries. We remain committed to our clients and are determined to see this through. We appreciate and thank you for your patience and understanding.”

In a follow-up communication sent Thursday evening, Cachet said all debit transactions with a settlement date of Oct. 23 had been processed, but that any transactions uploaded after Oct. 23 were not being processed at all, and that wires are no longer being accepted.

“If they aren’t taking money, they’re out of business,” Friedl said of Cachet.

Cachet’s financial institution, Wilmington, Del.-based The Bancorp Bank (NASDAQ: TBBK), did not respond to requests for comment.

Cachet also did not respond to requests for comment. But in an email Thursday evening, the company sought to offer customers a range of alternatives — including other providers — to help process payrolls this week.

Steve Friedl, an IT consultant in the payroll service bureau industry, said the Cachet announcement has sent payroll providers scrambling to cut and mail or courier paper checks to client employees. But he said many payroll providers also use Cachet to process tax withholdings for client employees, and that this, too, could be disrupted by the funding changes.

“There’s a lot of same day stuff that goes on in the payroll industry that depends on people being honest and having money available at certain times,” Friedl said. “When that’s not possible because a bank in that process says it doesn’t want to be stuck in the middle that can create problems for a lot of people who are then stuck in the middle.”

Another payroll expert at a company that uses Cachet but who asked not to be named said, “everyone I know at payroll providers is scrambling to get it done another way this week” as a result of the decision by Cachet’s bank.

“Those bureaus will do whatever they can to keep their clients happy because something like this can quickly put them out of business,” the source said. “Unlike what happened with MyPayrollHR — which harmed consumers directly — the payment service bureaus are the ones potentially getting hurt here.”

Most corporate payroll is handled through ACH transactions, a system that allows financial institutions to push and pull funds to and from checking accounts between banks. ACH is essentially the same thing as writing a check for a good or service, and it typically involves an element of trust because there is a time delay (24-48 hours) between when the promised funds are released to the receiving bank and when they are made available to the recipient.

In contrast, a wire transfer takes minutes and the funds are made available to the recipient almost immediately. Wires are also far more expensive for customers, and they earn banks hugely profitable processing fees, whereas ACH transaction fees are minuscule by comparison.

Ultimately, banks may decide that for certain clients they no longer wish to assume the risk of fraudsters exploiting the float period for ACH transactions to steal tens of millions of dollars, as was the case in the MyPayrollHR fiasco.

It’s worth noting that the MyPayrollHR fraud wasn’t the first time Cachet has been tripped up by the demise of a payroll company: In 2016, the collapse of Monterey, Calif.-based payroll processor Pinnacle Workforce Solutions left Cachet holding the bag for more than $1 million. Cachet sued to recover the money stuck in Pinnacle’s frozen accounts. From The Monterey County Weekly:

“Cachet’s lawyers also outline possible nefarious action by Pinnacle. ACH companies act as middlemen for processing payroll and other large transactions. Every pay period, Pinnacle would send Cachet a coded file to tell the ACH how to distribute funds. But, on Sept. 21 [2016] Pinnacle had manipulated the code sent to Cachet so the money collected from its clients went directly to Pinnacle instead of being held in the ACH account before being distributed to its clients’ employees, the suit alleges.”

It will be interesting to see how long the fallout from the MyPayrollHR episode will last and how many other firms may get wiped out because of it. Shortly after MyPayrollHR closed its doors last month and disappeared with $35 million in payroll and tax payments, the company’s 49-year-old CEO Michael Mann was arrested and charged with bank fraud.

The government alleges Mann was kiting millions of dollars in checks between his accounts at Bank of America and Pioneer from Aug. 1, 2019 to Aug. 30, 2019. The Times Union reports that Mann and his company are now being sued by Pioneer Bank and a large insurance company over a $42 million loan it gave to Mann and his companies just a month before his payroll business closed up shop.

7 Lessons Every CISO Can Learn From the ANU Cyber Attack

In November of last year, a highly skilled, possibly nation-state, threat actor penetrated the network of the Australian National University (ANU). The dwell time, the length of time the attacker went undetected, was around six weeks. Afforded such an extensive period, the actor moved laterally through the network, downloaded bespoke malware, conducted further spearphishing campaigns and exfiltrated an unknown amount of data from a possible 19-year trove of human resources, financial management and student administration records. The details of the attack, discovered in June of this year, have recently been published by the university’s Office of the Chief Information Security Officer. In this post, based on that thorough report, we review the major lessons every CISO can learn from the ANU cyber attack.

image of 7 lessons from ANU attack

1. Don’t Wait Till It’s Too Late | Replace Legacy AV

Without doubt the most startling lesson for CISOs from the ANU breach is that you cannot wait to update your security if you want to match and defeat the skills of today’s threat actors. 

ANU: “The actor was able to, in several cases, avoid detection by altering the signatures of more common malware used during the campaign. Also, the malware and some tools were assembled inside the ANU network after a foothold had been established. This meant that the downloaded individual components did not trigger the University’s endpoint protection.”

The old legacy AV suites that ANU had been using up until last year were no match for the attacker. Indeed, such systems are regularly bypassed by red team engagements, and bypasses are widely known and traded on hacker forums. Legacy AV suites afford very little protection against anything other than accidental or amateur intrusion attempts and need to be replaced as quickly as possible. 

2. Phishing Is King | Block Bad Behavior, Not Users

Users will always be susceptible to phishing and spearphishing attacks. Enterprises need to stop relying on human behavior to recognize phishing campaigns and instead rely on machine learning to detect and block malicious behaviour on endpoints.

ANU: “The actor’s campaign started with a spearphishing email sent to the mailbox of a senior member of staff. Based on available logs this email was only previewed but the malicious code contained in the email did not require the recipient to click on any link nor download and open an attachment. This “interaction-less” attack resulted in the senior staff member’s credentials being sent to several external web addresses.”

image of ANU phishing email

Let’s not blame the user, but there’s a reason why phishing was used in the ANU attack and is by far the most common attack vector: people, unlike computers, need to get things done. The attacker, like the victim, is also human, and the tools, tactics and procedures they use to reach their objectives can be modelled behaviorally.

A no-interaction phishing email raises interesting and worrying questions. In an attempt to protect the public by not going into details that could help other threat actors, ANU have not released details of how that worked. Possibilities include leveraging the loading of remote content, unpatched email client software or perhaps a zero-day vulnerability in either that software or the operating system itself.

The lesson here is that phishing awareness training and other user-level safeguards would not have helped protect the organization against the initial spearphishing attack. That means a security solution that can recognize and alert on malicious execution, regardless of whether the process is trusted, is the only sure way to deal with the phishing threat.

3. Make the Invisible, Visible | Know Your Network

Understanding what is connected to your network is vital. In the ANU attack, the threat actor sought out and found little-known network devices that had fallen outside of the organization’s security audits.

ANU: “The actor built a shadow ecosystem of compromised ANU machines, tools and network connections to carry out their activities undetected. Some compromised machines provide a foothold into the network. Others, like the so-called attack stations, provided the actor with a base of operations to map the network, identify targets of interest, run tools and compromise other machines.”

image of ANU attack overview

With a vast organization spanning multiple sites and multiple sub-networks, the only effective solution is to ensure you can map the network, and fingerprint devices in such a way that you can not only determine what is connected, but also what is unprotected. Many current network mapping solutions have implementation issues such as consuming too much in the way of resources or requiring “noisy” additional mapping devices. Consider a solution that uses your existing security infrastructure without adding on top another layer of burden.

4. Knock, Knock, Who’s There? | Enforce 2FA & Multi-FA

No matter how strong your password, or how frequently you change it, simply relying on only what someone knows without the supporting evidence of something the authorized user possesses is always going to present an opportunity to attackers.

ANU: “Forensic evidence also shows the extensive use of password cracking tools at this stage. The combination of the bespoke code and password cracking is very likely to have been the mechanism for gaining access to the above administrative databases or their host systems.”

With the almost universal use of smartphones among employees these days, linking account access to authentication through an additional device should be standard practice in the modern enterprise. Though neither foolproof nor always convenient, 2FA with time-limited OTPs delivered through mobile Authenticator apps will secure accounts from most simple credential stuffing and other password hijacking attempts. For even stricter control, consider hardware authentication devices such as YubiKey and similar where appropriate.

5. Mind The Traffic | Use Endpoint Firewall Control

Without policies to control what kinds of traffic you want an endpoint to allow and disallow, attackers will have an opportunity to exfiltrate data at will once they have compromised an endpoint.

ANU: “The actor used a variety of methods to extract stolen data or credentials from the ANU network. This was either via email or through other compromised Internet-facing machines.”

Effective endpoint firewall controls can block unauthorized transfer of data to and from all your endpoints, both on and off the corporate network. In the ANU attack, the threat actor manipulated a commercial tool to query multiple databases, extract records and then exfiltrate the data by sending it to another machine on the network in PDF file format.

Deploying firewall controls allows you to reduce the risk of this kind of data leakage by setting explicit policies that either allow or disallow particular kinds of traffic from the endpoint. Such policies could have prevented the kind of unauthorized data transfers as used in the ANU breach.

6. Pick Off Low-Hanging Vulns | Patch For The Win

Patching is a time-honored defensive measure, but it’s becoming increasingly important with vulnerabilities like BlueKeep and EternalBlue now on the loose.

ANU: “The actor also gained access (through remote desktop) to a machine in a school which had a publicly routable IP address. Age and permissiveness of the machine and its operating system are the likely reasons the actor compromised this machine.”

Threat actors have the tools to scan for and exploit vulnerabilities in legacy operating systems like Windows 7 and in unpatched Windows 10, Linux and macOS machines. While many departments struggle to replace ageing hardware and software for either operational or budgetary reasons, those departments will remain vulnerable to various threat actors, from cyber criminals motivated by finance to Advanced Persistent Threat groups who may just be hoovering up as much intel as possible while they can.

7. Console Your Clients | Log Devices Remotely 

A good security posture requires not just knowing what is happening on your devices but what happened in the past. Logging device activity to a secure remote location is essential for both threat hunting and incident response.

ANU: “The actor exhibited exceptional operational security during the campaign and left very little in the way of forensic evidence. Logs, disk and file wipes were a recurrent feature of the campaign.”

The ANU’s incident response team did a great forensic investigation after the fact, but they were hampered by the deletion of logs on vulnerable machines. Modern endpoint detection and response should be backed by a centralized device management console where admins and security teams can access logs from all endpoints, regardless of what actions are taken on a device locally.

Similarly, with the correct solution in place, such as a tamper-proof agent installed on the local device, the attackers’ bespoke tools and malware would also have triggered an alert based on their malicious behaviour, regardless of whether they were unknown to signature detection engines that rely on reputation.

Conclusion

The ANU are to be congratulated for making public their detailed Incident Response report. It’s to be hoped that other organizations that suffer breaches take note. Only through this kind of transparency can we share knowledge of how attackers adapt and evade enterprise and organizational security.

ANU weren’t without defenses, and they weren’t without resources. There are many organizations just like them both in the public and private sector. Attackers long ago learned how to defeat the old AV Suite solutions of the past, and that message is something that the ANU report makes clear. A combination of legacy hardware, software and an opaque network structure played into the threat actor’s hands. It is incumbent on us all to learn these lessons and to raise the bar for attackers in light of this report.



Bill McDermott aims to grow ServiceNow like he did SAP

Bill McDermott has landed. Two weeks ago, he stepped down as CEO at SAP after a decade leading the company. Yesterday, ServiceNow announced that he will be its new CEO.

It’s unclear how quickly the move came together but the plan for him is clear: to scale revenue like he did in his last job.

Commenting during the company’s earnings call today, outgoing CEO John Donahoe said that McDermott met all of the board’s criteria for its next leader. This includes the ability to expand globally, expand the markets it serves and finally scale the go-to-market organization internally, all in the service of building toward a $10 billion revenue goal. He believes McDermott checks all those boxes.

McDermott has his work cut out for him. The company’s 2018 revenue was $2.6 billion. Still, he fully embraced the $10 billion challenge. “Well let me answer that very simply, I completely stand by [the $10 billion goal], and I’m looking forward to achieving it,” he said with bravado during today’s call.

It’s worth noting that as the company strives to reach that lofty revenue goal in the coming years, it will be doing so with a new CEO in McDermott, as well as a new CFO. The company is in the midst of a search to fill that key position, as well.

McDermott has been here before though. He points out that in the decade he was at SAP, under his leadership the company moved the market cap from $39 billion to $163 billion. Today, ServiceNow’s market cap is similar to when McDermott started at SAP at a little over $41 billion.

He also recognizes that this is going to be a new challenge. “I’ve seen a lot of different business models, and [SAP has] a very different business model than ServiceNow. This is a pure play cloud,” he said. That means, as a leader, he says he has to think about product changes differently and how they fit in the overall platform, while maintaining simplicity and keeping the developer community in mind.

Ray Wang, founder and principal analyst at Constellation Research said that ServiceNow is at a point where it needs an enterprise-class CEO who understands tech, partnerships, systems integrators and real enterprise sales and marketing — and McDermott brings all of that to his new employer.

Demodesk scores $2.3M seed for sales-focused online meetings

Demodesk, an early-stage startup that wants to change how sales meetings are conducted online, announced a $2.3 million seed investment today.

Investors included GFC, FundersClub, Y Combinator, Kleiner Perkins and an unnamed group of angel investors. The company was a member of the Y Combinator Winter 2019 cohort.

CEO and co-founder Veronika Riederle says that the fact it’s so closely focused on sales separates it from other more general meeting tools like Zoom, WebEx or GoToMeeting. “We are building the first intelligent online meeting tool for customer-facing conversations. So that is for inside sales and customer service professionals,” Riederle explained.

One of the key pieces of technology is what Riederle calls “a unique approach to screen sharing.” Whereas most meeting software involves downloading software to use the tool, Demodesk doesn’t do this. You simply click a link and you’re in. The two parties online are seeing a live screen and each can interact with it. It’s not just a show and tell.

What’s more, in a sales scenario with a slide presentation, the customer sees the same live screen as the salesperson, but while the salesperson can see their presentation notes, the customer cannot.

She said while this could work for any number of scenarios, from customer service to IT Help desks, at this stage in the company’s development she wants to concentrate on the sales scenario, then expand the vision over time. The service works on a subscription model with tiered per user pricing starting at $19 per user, per month.

When they got to Y Combinator, the company already had a working product and paying customers, but Riederle says the experience has helped them grow the business to more than 100 customers. “YC was extremely important for us because we immediately got access to an extremely valuable network of founders and potential customers, and also just a base for us to really [develop] the business.”

Riederle founded the company with CTO Alex Popp in 2017 in Munich. Prior to this seed round, the founders mostly bootstrapped the company. With the $2.3 million, it should be able to hire more people and begin building out the product further, while investing in sales and marketing to expand its customer base.

Behind Enemy Lines | Looking into Ransomware as a Service (Project Root)

Ransomware-as-a-Service (RaaS) offerings have been a staple of the “underground” for many years now. From TOX to SATAN to Petya and beyond, we have seen services continue to appear and thrive. Often they are short-lived, but that is not always the case. Services like DataKeeper and Ranion have been available for over two years now. These ‘services’ are an attractive way for enterprising criminals to create, distribute, and manage their ransomware (and subsequent profits) with almost no barrier to entry. That is, they require zero prior coding or development knowledge. They also offer instant results and are cheap to launch. Typically, these services either require an “up front” payment or a share of the profits once the victims pay. In this post, we take a journey into the dark web and explore a new RaaS offering that appeared for the first time earlier this month, known as ‘Project Root’.

image project root

Ransomware As A Service: Meet Project Root

We recently came across a new offering known as ‘Project Root’. This service, like many others, requests a low, “up front” fee to get started. From there, clients can generate ransomware binaries on-demand. Both Windows and Linux are supported (for 32-bit and 64-bit architectures). 

image of project root site

Project Root payloads are written in Golang, and thus resemble previous (similar) threat families like LockerGoga. Payloads written in Golang are often able to bypass both traditional signature-based detection as well as some static machine-learning detection engines given how few samples (and therefore extractable features) are found in the wild.

image of project root banner

Project Root: How Much Does It Cost?

Project Root is available in two versions. The “standard” version (initially) costs $150 USD up front, payable in bitcoin (BTC), and allows for unlimited generation of “basic” payloads via their portal, along with the management and key distribution components. Updates to this version are “free” for 6 months. Over the course of the last two weeks, the standard version price has fluctuated between $50 and “Free”. A “Pro” version exists which “allows for better ‘support’, longer term of free updates, and increased evasion options. Buyers will also have full access to the source code for increased ‘customization options’.”

image of project root pro

The “Pro” version has been advertised all along but appears to have officially “launched” as of October 17th.

image of project root price plans

How To Build Ransomware Binaries

For users of the service, building binaries is very straightforward. The RaaS customers need only specify the desired architecture (x86 or x64) along with the platform (Linux or Windows). It should be noted that an Android version is promised for the future. Along with the above options, the user needs to supply a contact email address for the victim, along with a customized recovery key associated with the campaign.

image of project root builder window

image of project root win binary

This builder interface is also used to access specific decrypters for either Linux or Windows platforms (also provided in x86 and x64 varieties).

image of project root decrypter menu

The “How to Use” section also serves as the service’s FAQ section. While seemingly straightforward, it does reveal that the actor behind this is most likely not a native English speaker.

image of project root FAQ

Teething Trouble or Scamming the Scammers?

It is also interesting to note that until recently (on or around October 14th), the ransomware payloads we analyzed did not work. All the samples we investigated prior to October 14th did not proceed past the initial execution phase: no further activity occurred and the victim’s files were not encrypted. This was true across x86 and x64 samples. This is an interesting phenomenon that maybe does not get enough attention. All malware authors have a varying degree of skill, and their ability to “QA test” their creations is equally idiosyncratic. It is possible that, during the early stage of the service’s launch, they were still working out kinks. Despite that, it appears that the service was happy to continue “selling stuff” and accepting payments from hopeful criminals.

There is quite a large “scam the scammer” market on the “Deep Web” and other dark corners of the threat landscape. There are scammers out there that deliberately target lesser-skilled scammers to make a quick buck. There are many examples of this in recent history (Aspire Crypter and INPIVIX RaaS come to mind). Also, for every “legitimate” service, there are dozens or more clones/phish sites that just serve to mine credentials, account data, and more. Even the relatively well-known ransomware services like DataKeeper, Ranion, and MegaCortex are shadowed by a confusing vortex of copy-cat sites which blur the line between the scammy sites and the legit services.

When we first encountered these executables and located the corresponding portal for the RaaS service, this was our first thought. However, it turns out that if you are patient enough, sometimes the scams turn out to be “real”. From around October 14th onwards, the Windows and Linux payloads that we have been able to intercept and analyze are functional, so this does not appear to be an outright scam, which seemed like a distinct possibility early on.

Inside The Ransomware Payload

The generated Ransomware payloads are written in Golang.   

image of project root strings

Project Root’s payloads follow in the footsteps of other, similar ransomware families also written in Golang, such as LockerGoga and Shifr.

The samples we have analyzed to date are delivered in an unpacked state. Golang binaries tend to be somewhat large (over 1MB) and therefore you often see them mutated or compressed via a packer. Such is not the case with those generated by Project Root, and the size of the analyzed binaries ranges from 5MB to 6MB.

Functionally, there is nothing ground-breaking or novel about the executables generated via Project Root. Upon execution, the code will perform a few checks in an attempt to evade analysis. The executables are “sandbox-aware” and will fail to run in both VMware and Oracle VirtualBox. In addition to the local system/host checks, the ransomware binary will attempt to reach out remotely to verify network connectivity by contacting the following host:

ec2-3-18-214-41[.]us-east-2[.]compute[.]amazonaws.com (3[.]18[.]214[.]41).   

If successful, the executable will send a base64-encoded string to the remote host. The encoded string contains identifiable details of the infected system. This is for tracking as well as infection/payment reporting on the portal side.

image of project root key value pairs

Files are encrypted using AES-256. The samples we have analyzed to date appear to target only the following 195 file types for encryption.

odt, ods, odp, odm, odc, csv, odb, doc, docx, docm, wps, xls, xlsx, xlsm, xlsb, xlk, ppt, pptx, pptm, mdb, accdb, pst, dwg, xf, dxg, wpd, rtf, wb2, mdf, dbf, psd, pdd, pdf, eps, ai, indd, cdr, jpg, jpe, dng, 3fr, srf, sr2, bay, crw, cr2, dcr, kdc, erf, mef, mrwref, nrw, orf, raf, raw, rwl, rw2, r3d, ptx, pef, srw, x3f, der, cer, crt, pem, pfx, p12, p7b, p7c, c, cpp, txt, jpeg, png, gif, mp3, html, css, js, sql, mp4, flv, m3u, py, desc, con, htm, bin, wotreplay, unity3d , big, pak, rgss3a, epk , bik , slm , lbf, sav , lng ttarch2 , mpq, re4, apk, bsa , cab, ltx , forge ,asset , litemod, das , upk, bar, hkx, rofl, DayZProfile, db0, mpqge, vfs0 , mcmeta , m2, lrf , vpp_pc , ff , cfr, snx, lvl , arch00, ntl, fsh, w3x, rim ,psk , tor, vpk , iwd, kf, mlx, fpk , dazip, vtf, 001, esm , blob , dmp, menu, ncf, sid, sis, ztmp, vdf, mcgame, fos, sb, itm , wmo , itm, map, wmo, sb, svg, cas, gho,iso ,rar ,mdbackup , hkdb , hplg, hvpl, icxs, itdb, itl, sidd, sidn, bkf , qic, bkp , bc7 , bc6 ,pkpass, tax, gdb, qdf, t12,t13, ibank, sum, sie, sc2save ,d3dbsp, wmv, avi, wma, m4a, 7z, torrent


Once encryption occurs, affected files are given a .Lulz extension. The desktop background is changed to an image which instructs the victim to refer to ‘Fuck.txt’ for instructions on how to proceed with decryption.

The background image is pulled from the following URL:

hxxps[:]//i.postimg[.]cc/pdbqqS5P/new.jpg

image of project root splash

The ransom note simply provides instructions on whom to email for details on decryption along with a corresponding uniquely identifying key. At that point, it is up to the attacker to respond, accept payment, and provide details on how to proceed.

image of project root ransomware note

The threat also attempts to clear out local event logs (Windows version) and attempts to install a new root certificate. The certificate installation appears to still be problematic, as we were unable to reproduce or observe that behavior during our analysis.
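As an added illustration (not code from SentinelOne or from the Project Root service), the Python below turns the behaviours described above into detection logic run over constructed endpoint telemetry: the connectivity check to 3.18.214.41, a base64 beacon to that host, the wallpaper fetch from i.postimg.cc, a burst of renames to .Lulz among the targeted file types, and creation of Fuck.txt. The JSON-lines event schema, the field names and the beacon contents are assumptions made for this example.

```python
"""Detection logic for the Project Root traits described above, run over
constructed endpoint telemetry (JSON lines, one event per line; the event
schema, field names and beacon contents are assumptions for this example)."""
import base64
import json
from collections import defaultdict

# Indicators quoted in the post, with defanging brackets removed for matching.
REPORTING_HOSTS = {"3.18.214.41", "ec2-3-18-214-41.us-east-2.compute.amazonaws.com"}
WALLPAPER_URL = "https://i.postimg.cc/pdbqqS5P/new.jpg"
RANSOM_EXT = ".lulz"          # encrypted files are given a .Lulz extension
RANSOM_NOTE = "fuck.txt"      # the note the new desktop background points victims to
# A small subset of the 195 targeted types listed in the post; extend from that list.
TARGETED = {"docx", "xlsx", "pdf", "jpg", "png", "sql", "py", "pem", "pfx", "txt"}
RENAME_THRESHOLD = 5          # .Lulz renames on one host before calling it mass encryption

# Constructed beacon body: the post says it is base64 with system details, but
# the exact layout is not public, so this key=value layout is an assumption.
BEACON_B64 = base64.b64encode(b"host=ws01;user=alice;os=windows").decode()

# Constructed telemetry, not a real capture. ws01 shows the full chain, ws02 is benign.
SAMPLE_TELEMETRY = """
{"host":"ws01","ts":"2019-10-18T09:00:01Z","event":"net_connect","remote":"3.18.214.41","port":80}
{"host":"ws01","ts":"2019-10-18T09:00:02Z","event":"http_post","remote":"3.18.214.41","body":"__BEACON__"}
{"host":"ws01","ts":"2019-10-18T09:00:03Z","event":"http_get","url":"https://i.postimg.cc/pdbqqS5P/new.jpg"}
{"host":"ws01","ts":"2019-10-18T09:00:04Z","event":"file_rename","src":"C:/Users/a/Documents/q3.docx","dst":"C:/Users/a/Documents/q3.docx.Lulz"}
{"host":"ws01","ts":"2019-10-18T09:00:04Z","event":"file_rename","src":"C:/Users/a/Documents/budget.xlsx","dst":"C:/Users/a/Documents/budget.xlsx.Lulz"}
{"host":"ws01","ts":"2019-10-18T09:00:05Z","event":"file_rename","src":"C:/Users/a/Documents/scan.pdf","dst":"C:/Users/a/Documents/scan.pdf.Lulz"}
{"host":"ws01","ts":"2019-10-18T09:00:05Z","event":"file_rename","src":"C:/Users/a/Pictures/cat.jpg","dst":"C:/Users/a/Pictures/cat.jpg.Lulz"}
{"host":"ws01","ts":"2019-10-18T09:00:06Z","event":"file_rename","src":"C:/Users/a/dump.sql","dst":"C:/Users/a/dump.sql.Lulz"}
{"host":"ws01","ts":"2019-10-18T09:00:07Z","event":"file_create","path":"C:/Users/a/Desktop/Fuck.txt"}
{"host":"ws02","ts":"2019-10-18T09:01:00Z","event":"file_rename","src":"C:/tmp/a.docx","dst":"C:/tmp/a.docx.bak"}
{"host":"ws02","ts":"2019-10-18T09:01:01Z","event":"net_connect","remote":"10.0.0.5","port":443}
this line is not JSON and must be skipped, not crash the detector
""".replace("__BEACON__", BEACON_B64)


def parse_events(lines):
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def ext_of(path):
    """Lower-cased extension of a Windows or POSIX path, '' if none."""
    name = basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def decode_beacon(body):
    """Return the beacon as text if it is valid base64 of UTF-8, else None."""
    try:
        return base64.b64decode(body, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Return {host: [finding, ...]} for hosts showing Project Root traits."""
    findings = defaultdict(list)
    lulz_renames = defaultdict(int)
    for ev in events:
        host, kind = ev.get("host", "?"), ev.get("event")
        if kind == "net_connect" and ev.get("remote") in REPORTING_HOSTS:
            findings[host].append("connectivity check to %s" % ev["remote"])
        elif kind == "http_post" and ev.get("remote") in REPORTING_HOSTS:
            decoded = decode_beacon(ev.get("body", ""))
            findings[host].append("beacon to reporting host, body decodes to %r" % decoded)
        elif kind == "http_get" and ev.get("url") == WALLPAPER_URL:
            findings[host].append("ransom wallpaper fetched from i.postimg.cc")
        elif kind == "file_create" and basename(ev.get("path", "")).lower() == RANSOM_NOTE:
            findings[host].append("ransom note written: %s" % ev["path"])
        elif kind == "file_rename":
            src, dst = ev.get("src", ""), ev.get("dst", "")
            # Count only targeted types gaining the .Lulz extension; a lone
            # rename is noise, a burst on one host is the encryption loop.
            if dst.lower().endswith(RANSOM_EXT) and ext_of(src) in TARGETED:
                lulz_renames[host] += 1
    for host, count in lulz_renames.items():
        if count >= RENAME_THRESHOLD:
            findings[host].append("%d targeted files renamed to .Lulz" % count)
    return dict(findings)


if __name__ == "__main__":
    for host, hits in detect(parse_events(SAMPLE_TELEMETRY.splitlines())).items():
        print(host)
        for hit in hits:
            print("  -", hit)
```

The rename threshold and the extension subset are tuning knobs; in production the full 195-type list from the post and a time window per host would replace them.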

Defending Against Project Root and RaaS

SentinelOne Endpoint Protection is capable of fully preventing malicious binaries generated by the Project Root service across platforms. In scenarios where the threat has been able to make malicious changes, those can be fully reversed via SentinelOne’s “Rollback” feature.

Of course, aside from having a strong security solution in place, user education and a well-established Disaster Recovery Plan/Business Continuity Plan (DRP/BCP) will go a long way here, too.

Conclusion

It is always good to stay aware and keep up to date with the types of malware and ransomware services that are currently available, as well as the efficacy of them. While there are many that launch as either deliberate scams or are simply poorly written, there are also many that function quite well and present a real threat to users. This service, Project Root, straddles the line between those two extremes.

Indicators of Compromise (IOCs):


MITRE ATT&CK

  • T1130 – Install Root Certificate
  • T1486 – Data Encrypted for Impact (Ransomware)
  • T1089 – Disabling Security Tools
  • T1497 – Virtualization/Sandbox Evasion


Google picks up Microsoft veteran, Javier Soltero, to head G Suite

Google has hired Microsoft’s former Cortana and Outlook VP, Javier Soltero, to head up its productivity and collaboration bundle, G Suite — which includes consumer and business tools such as Gmail, Hangouts, Drive, Google Docs and Sheets.

He tweeted the news yesterday, writing: “The opportunity to work with this team on products that have such a profound impact on the lives of people around the world is a real and rare privilege.”


Soltero joined Microsoft five years ago, after the company shelled out $200M to acquire his mobile email application, Acompli — staying until late last year.

His LinkedIn profile now lists him as vice president of G Suite, starting October 2019.

Soltero will report to Google Cloud CEO Thomas Kurian — who replaced Diane Greene when she stepped down from the role last year — per a company email reported by CNBC.

Previously, Google’s Prabhakar Raghavan — now SVP for its Advertising and Commerce products — was in charge of the productivity bundle, as VP of Google Apps and Google Cloud. But Mountain View has created a dedicated VP role for G Suite, presumably to woo Soltero into his next major industry move — and into competing directly with his former employer.

The move looks intended to dial up focus on the Office giant, in response to Microsoft’s ongoing push to shift users from single purchase versions of flagship productivity products to subscription-based cloud versions, like Office 365.

This summer Google CEO, Sundar Pichai, announced that its cloud business unit had an $8 billion annual revenue run rate, up from $4BN reported in early 2018, though still lagging Microsoft’s Azure cloud.

He added that Google planned to triple the size of its cloud sales force over the next few years.

Early-stage privacy startup DataGrail gets boost from Okta partnership

When Okta launched its $50 million Okta Ventures investment fund in April, one of its investments was in an early-stage privacy startup called DataGrail. Today, the companies announced a partnership that they hope will help boost DataGrail, while providing Okta customers with a privacy tool option.

DataGrail CEO and co-founder Daniel Barber says that with the increase in privacy legislation, from GDPR to the upcoming California Consumer Protection Act (and many other proposed bills in various states of progress), companies need tools to help them comply and protect user privacy. “We are a privacy platform focused on delivering continuous compliance for businesses,” Barber says.

They do this in a way that fits nicely with Okta’s approach to identity. Whereas Okta lets users reach all of their cloud applications from a single place with one logon, DataGrail uses connectors to those applications to monitor privacy across the organization from a single view.

It currently has 180 connectors to common enterprise applications like Salesforce, HubSpot, Marketo and Oracle. It collects data through these connectors and presents it to the company in a central interface to help ensure privacy. “Our key differentiator is that we’re able to deliver a live data map of the customer data that exists within an organization,” Barber explained.

The company just launched last year, but Barber sees similarities in their approaches. “We see clear alignment on our go-to-market approach. The product that we built aligns very similarly to the way Okta is deployed, and we’re a true partner with the industry leader in identity management,” he said.

Monty Gray, SVP and head of corporate development at Okta, says that the company is always looking for innovative companies that fit well with Okta. The company liked DataGrail enough to contribute to the startup’s $5.2 million Series A investment in July.

Gray says that while DataGrail isn’t the only privacy company it’s partnering with, he likes how DataGrail is helping with privacy compliance in large organizations. “We saw how DataGrail was thinking about [privacy] in a modern fashion. They enable these technology companies to become not only compliant, but do it in a way where they were not directly in the flow, that they would get out of the way,” Gray explained.

Barber says having the help of Okta could help drive sales, and for a company that’s just getting off the ground, having a public company in your corner as an investor, as well as a partner, could help push the company forward. That’s all that any early startup can hope for.

Aurora Insight emerges from stealth with $18M and a new take on measuring wireless spectrum

Aurora Insight, a startup that provides a “dynamic” global map of wireless connectivity, built and monitored in real time using AI combined with data from sensors on satellites, vehicles, buildings, aircraft and other objects, is emerging from stealth today with the launch of its first publicly available product. The product is a platform providing insights on wireless signal and quality across a range of wireless spectrum bands, offered as a cloud-based, data-as-a-service product.

“Our objective is to map the entire planet, charting the radio waves used for communications,” said Brian Mengwasser, the co-founder and CEO. “It’s a daunting task.” He said that to do this the company first “built a bunker” to test the system before rolling it out at scale.

With it, Aurora Insight is also announcing that it has raised $18 million in funding — an aggregate amount that reaches back to its founding in 2016 and covers both a seed round and Series A — from an impressive list of investors. Led by Alsop Louie Partners and True Ventures, backers also include Tippet Venture Partners, Revolution’s Rise of the Rest Seed Fund, Promus Ventures, Alumni Ventures Group, ValueStream Ventures and Intellectus Partners.

The area of measuring wireless spectrum and figuring out where it might not be working well (in order to fix it) may sound like an arcane area, but it’s a fairly essential one.

Mobile technology — specifically, new devices and the use of wireless networks to connect people, objects and services — continues to be the defining activity of our time, with more than 5 billion mobile users on the planet (out of 7.5 billion people) today and the proportion continuing to grow. With that, we’re seeing a big spike in mobile internet usage, too, with more than 5 billion people, and 25.2 billion objects, expected to be using mobile data by 2025, according to the GSMA.

The catch to all this is that wireless spectrum — which enables the operation of mobile services — is inherently finite, and its reliability is subject to interference. That in turn is creating a need for a better way of measuring how it is working, and how to fix it when it is not.

“Wireless spectrum is one of the most critical and valuable parts of the communications ecosystem worldwide,” said Rohit Sharma, partner at True Ventures and Aurora Insight board member, in a statement. “To date, it’s been a massive challenge to accurately measure and dynamically monitor the wireless spectrum in a way that enables the best use of this scarce commodity. Aurora’s proprietary approach gives businesses a unique way to analyze, predict, and rapidly enable the next-generation of wireless-enabled applications.”

If you follow the world of wireless technology and telcos, you’ll know that wireless network testing and measurement is an established field — about as old as the existence of wireless networks themselves (which says something about the general reliability of wireless networks). Aurora aims to disrupt this on a number of levels.

Mengwasser — who co-founded the company with Jennifer Alvarez, the CTO who you can see presenting on the company here — tells me that a lot of the traditional testing and measurement has been geared at telecoms operators, who own the radio towers, and tend to focus on more narrow bands of spectrum and technologies.

The rise of 5G and other wireless technologies, however, has come with a completely new playing field and set of challenges from the industry.

Essentially, we are now in a market where there are a number of different technologies coexisting — alongside 5G we have earlier network technologies (4G, LTE, Wi-Fi); and a potential set of new technologies. And we have a new breed of companies building services that need to have close knowledge of how networks are working to make sure they remain up and reliable.

Mengwasser said Aurora is currently one of the few trying to tackle this opportunity by developing a network that measures multiple kinds of spectrum simultaneously, and aims to provide that information not just to telcos (some of which have been working with Aurora while still in stealth) but to the other kinds of application and service developers that are building businesses on those new networks.

“There is a pretty big difference between us and performance measurement, which typically operates from the back of a phone and tells you when you have a phone in a particular location,” he said. “We care about more than this, more than just homes, but all smart devices. Eventually, everything will be connected to the network, so we are aiming to provide intelligence on that.”

One example is drone operators that are building delivery networks: Aurora has been working with at least one while in stealth to help develop a service, Mengwasser said, although he declined to say which one. (He also, incidentally, specifically declined to say whether the company had talked with Amazon.)

5G is a particularly tricky area of mobile network spectrum and services to monitor and tackle, which is one reason why Aurora Insight has caught the attention of investors.

“The reality of massive MIMO beamforming, high frequencies, and dynamic access techniques employed by 5G networks means it’s both more difficult and more important to quantify the radio spectrum,” said Gilman Louie of Alsop Louie Partners, in a statement. “Having the accurate and near-real-time feedback on the radio spectrum that Aurora’s technology offers could be the difference between building a 5G network right the first time, or having to build it twice.” Louie is also sitting on the board of the startup.

Figma’s Community lets designers share and remix live files

As designers grow both in sheer numbers and within the hierarchy of organizations, design tool makers are adapting to their evolving needs in different ways. Figma, the web-based collaborative design tool, is taking a note from the engineering revolution of the early aughts.

“What if there were a GitHub for designers?” mused Dylan Field, early on in the lifecycle of Figma as a company. Today, that vision is brought to life with the launch of Figma Community. (Figma Community is launching in a closed beta for now.)

In a crowded space, with competitors like Adobe, InVision, Sketch and more, Figma differentiates itself on its web-based multiplayer approach. Figma is a design tool that works like Google Docs, with multiple designers in the same file, working alongside one another without disrupting each other.

But that’s just the base level of the overall collaboration that Figma believes designers crave. Field told us that he sees a clear desire from designers not only to share their work, whether on a portfolio webpage or on social media, but also to learn from the work of other designers.

And yet, when a creative shares a design on social media, it’s just a static image. Other designers can’t see how it went from a blank page to an interesting design, and are left to merely appreciate it without learning anything new.

With Figma Community, designers and even organizations can share live design files that others can inspect, remix and learn from.

Individual designers can set up their own public-facing profile page to show off their designs, as well as intra-organization profile pages so other team members within their organization can learn from each other. On the other hand, organizations can publicly share their design systems and philosophy on their own page.

For example, the city of Chicago has set up a profile on Figma Community for other designers to follow the city’s design system in their own materials.


As far as remixing design files goes, Figma is using a CC4 license, which allows for a remix but forces attribution. That said, Field says the company is using this closed beta period to learn more about what the community wants around different license types.

Community is free and is not meant to drive revenue for the company, but rather offer further value to designers using the platform.

“It’s early,” said Dylan Field. “This is just the scaffolding of what’s to come. It’s the start of a lot of work that we’re going to be doing in the area of collaboration and community.”

Figma has raised a total of $83 million from investors like Index, Sequoia, Kleiner Perkins and Greylock, according to Crunchbase.

Databricks announces $400M round on $6.2B valuation as analytics platform continues to grow

Databricks is a SaaS business built on top of a bunch of open-source tools, and apparently it’s been going pretty well on the business side of things. In fact, the company claims to be one of the fastest growing enterprise cloud companies ever. Today the company announced a massive $400 million Series F funding round on a hefty $6.2 billion valuation. Today’s funding brings the total raised to almost $900 million.

Andreessen Horowitz’s Late Stage Venture Fund led the round with new investors BlackRock, Inc., T. Rowe Price Associates, Inc. and Tiger Global Management also participating. The institutional investors are particularly interesting here because as a late-stage startup, Databricks likely has its eye on a future IPO, and having those investors on board already could give them a head start.

CEO Ali Ghodsi was coy when it came to the IPO, but it sure sounded like that’s a direction he wants to go. “We are one of the fastest growing cloud enterprise software companies on record, which means we have a lot of access to capital as this fundraise shows. The revenue is growing gangbusters, and the brand is also really well known. So an IPO is not something that we’re optimizing for, but it’s something that’s definitely going to happen down the line in the not-too-distant future,” Ghodsi told TechCrunch.

The company announced that as of Q3 it’s on a $200 million run rate, and it has a platform that consists of four products, all built on foundational open source: Delta Lake, an open-source data lake product; MLflow, an open-source project that helps data teams operationalize machine learning; Koalas, which creates a single machine framework for Spark and pandas, greatly simplifying working with the two tools; and, finally, Spark, the open-source analytics engine.

You can download the open-source version of all of these tools for free, but they are not easy to use or manage. The way that Databricks makes money is by offering each of these tools in the form of Software as a Service. They handle all of the management headaches associated with using these tools and they charge you a subscription price.

It’s a model that seems to be working, as the company is growing like crazy. It raised $250 million just last February on a $2.75 billion valuation. Apparently the investors saw room for a lot more growth in the intervening six months, as today’s $6.2 billion valuation shows.