Tag: Bulgaria

DDoS attacks in Q1 2017

Although the first quarter of 2017 was rather quiet compared to the previous reporting period, there were a few interesting developments.

Despite the growing popularity of IoT botnets, Windows-based bots accounted for 59.81% of all attacks. Meanwhile, complex attacks that can only be repelled with sophisticated protection mechanisms are becoming more frequent.

Data Protection Certification: Cloud Infrastructure Services Providers operating in Europe declare...

New compliance mark establishes data protection standards and practices to protect customer data and comply with European law

Brussels, 14th February 2017.

The Cloud Infrastructure Services Providers in Europe (CISPE), a coalition of cloud computing lea...

DDoS attacks in Q4 2016

2016 was the year of Distributed Denial of Service (DDoS) with major disruptions in terms of technology, attack scale and impact on our daily life.
In fact, the year ended with massive DDoS attacks unseen before, leveraging Mirai botnet technology.

Hottest enterprise tech startups named in race to be crowned Tech...

Global awards for enterprise IT startups announce shortlist: Voting is now open

London, UK – 19th January 2017 – The Tech Trailblazers Awards, the first independent and dedicated awards program for enterprise information technology startups, has revealed its shortlist of the most innovative entrants and concepts in enterprise technology areas such as cloud, security, IoT, mobile and many more.

The shortlists have been selected by a panel of leading IT industry experts and are now open to public vote.

In its fifth year, the scheme continues to focus around the ethos of finding innovation from anywhere in the world, from the smallest startups to more established players.

This aim to highlight both up-and-coming and established talent from all regions is reflected in the Firestarter Award for non-VC funded early stage startups. New this year are the Female and Male Tech Trailblazers of the Year awards, celebrating individual success and contribution of men and women in the enterprise tech space.

These categories run alongside the main technology categories of Big Data, Cloud, FinTech, IoT, Mobile, Security, Storage and Virtualization.

In addition to the expert judging panel, the voting public can now help determine who will win in all categories by voting online by 11:59pm Pacific Time on Friday 17th February 2017.

To view the shortlist and vote for your favourites, please visit http://www.techtrailblazers.com/shortlist.

Rose Ross, founder of the Tech Trailblazers Awards, said “Year on year, the judges’ task to shortlist becomes more and more difficult. We have again seen exceptional enterprise tech startups enter the awards. Huge thanks to our judges who once again have had this difficult mission.

The team wishes the very best of luck to our amazing finalists.”

Tech Trailblazers Awards Fifth Edition Finalists

Big Data
Adavow Ltd. Tunbridge Wells, UK @adavow www.adavow.com
CoHo Data Palo Alto, CA, USA @cohodata www.cohodata.com
Crate.io San Francisco, CA, USA @CrateIO www.crate.io
DriveScale Sunnyvale, CA, USA @DriveScale_Inc www.drivescale.com
Illumr London, UK @illumr www.illumr.com
NGDATA Gent, Belgium @NGDATA_com www.ngdata.com

Cloud
Adavow Ltd. Tunbridge Wells, UK @adavow www.adavow.com
Bioz, Inc. Palo Alto, CA, USA @biozPage www.bioz.com
Cato Networks Tel Aviv, Israel @CatoNetworks www.catonetworks.com
Fedr8 Farnborough, UK @fedr8 www.fedr8.com
GreatHorn Belmont, MA, USA @greathorn www.greathorn.com
Teridion San Francisco, CA, USA @teridionnet www.teridion.com
YellowDog Bristol, UK @yellowdogltd www.yellowdog.co

FinTech
Cashpundit Pune, India @cashpundit www.cashpundit.com
Divido London, UK @DividoUK www.divido.com
Solfyre Limited Worcester Park, UK @solfyreID www.solfyre.com
Solgari Dublin, Ireland @Solgaritweets www.solgari.com
TransferGuru London, UK @_TransferGuru www.transferguru.com
TruValue Labs San Francisco, CA, USA @truvaluelabs www.Insight360.io

IoT
CopSonic Montauban, France @copsonic www.copsonic.com
Crate.io San Francisco, CA, USA @CrateIO www.crate.io
Dashboard Exeter, UK @dashboard_ltd www.dashboard.net
MammothDB Sofia, Bulgaria @mammothdb www.mammothdb.com
Relayr Berlin, Germany @relayr_cloud www.relayr.io

Mobile
Jumio Palo Alto, CA, USA @jumio www.jumio.com
Leanplum San Francisco, CA, USA @leanplum www.leanplum.com
Pyze, Inc. Redwood City, CA, USA @PyzeInc www.pyze.com
SHYN.one Sofia, Bulgaria www.gain.im
Solfyre Limited Worcester Park, UK @solfyreID www.solfyre.com

Security
Attivo Networks Fremont, CA, USA @attivonetworks www.attivonetworks.com
CLT.Re Oslo, Norway @getcltre https://get.clt.re/
Cognetyx Houston, TX, USA @cognetyx www.cognetyx.com
Dispel New York, USA @dispelhq www.dispel.io
Hexadite Boston, MA, USA @Hexadite www.hexadite.com
InvizBox Dublin, Ireland @invizbox www.invizbox.com
Veriflow San Jose, CA, USA @VeriflowSystems www.veriflow.net

Storage
Catalogic Woodcliff Lake, NJ, USA @CatalogicSW www.catalogicsoftware.com
Cohesity Santa Clara, CA, USA @cohesity www.cohesity.com
Hedvig Santa Clara, CA, USA @HedvigInc www.hedviginc.com
Igneous Seattle, WA, USA @IgneousIO www.igneous.io
Rubrik Palo Alto, CA, USA @rubrikInc www.rubrik.com

Virtualization
128 Technology Burlington, MA, USA @128technology www.128technology.com
Cloudhouse Technologies London, UK @cloudhousetech www.cloudhouse.com
Teridion San Francisco, CA, USA @teridionnet www.teridion.com
Versa Networks Santa Clara, CA, USA @versanetworks www.versa-networks.com

Firestarter Award
Adavow Ltd Tunbridge Wells, UK @adavow www.adavow.com
CLT.Re Oslo, Norway @getcltre https://get.clt.re/
CyberSparta Reading, UK @CyberSparta www.cybersparta.com
Fuzz Stati0n Santa Cruz, CA, USA @fuzz_stati0n www.fuzzstati0n.com
Illumr London, UK @illumr www.illumr.com
Lucy Phishing Thalwil, Switzerland @lucysecurity www.phishing-server.com
SHYN.one Sofia, Bulgaria www.gain.im
Solfyre Ltd Worcester Park, UK @solfyreID www.solfyre.com
StorageOS London, UK @Storage_OS www.storageos.com
TransferGuru London, UK @_TransferGuru www.Transferguru.com
YellowDog Bristol, UK @yellowdogltd www.yellowdog.co

Female Tech Trailblazer of the Year Award
Dr. Karin Lachmi, Bioz, Inc. Palo Alto, CA, USA @biozPage www.bioz.com
Joanne Smith, RecordSure London, UK @recordsure www.recordsure.com
Leanne Harvey, Staff Spotlight Hampshire, UK @staffspotlight www.staffspotlight.com
Shreya Hewett, TransferGuru London, UK @transferguru_ www.transferguru.com
Faith Tulloch, TruValue Labs San Francisco, CA, USA @truvaluelabs www.Insight360.io

Male Tech Trailblazer of the Year Award
David Brown, Adavow Tunbridge Wells, UK @adavow www.adavow.com
Gur Shatz, Cato Networks Tel Aviv, Israel @CatoNetworks www.catonetworks.com
Gene Banman, DriveScale Sunnyvale, CA, USA @DriveScale_Inc www.drivescale.com
Tom Lyon, DriveScale Sunnyvale, CA, USA @DriveScale_Inc www.drivescale.com
Rhys Sharp, Fedr8 Farnborough, UK @fedr8 www.fedr8.com
Dickey Singh, Pyze, Inc. Redwood City, CA, USA @PyzeInc www.pyze.com
Kumar Mehta, Versa Networks Santa Clara, CA, USA @versanetworks www.versa-networks.com

Media Contact
For Tech Trailblazers
Vicki Porter
Omarketing
UK: +44 (0)20 8255 5225
vicki@omarketing.com

Follow the awards buzz at www.twitter.com/techtrailblaze

About the Tech Trailblazers Awards
Tech Trailblazers is a new concept in awards, designed explicitly for smaller businesses and startups that are five years old or less and at C-series funding or below.

The awards have low barriers to entry and not only recognize startup innovation but proactively help startups grow their business.

The awards include the following categories:

  • Big Data Trailblazers
  • Cloud Trailblazers
  • FinTech Trailblazers
  • Firestarter Trailblazers
  • IoT Trailblazers
  • Mobile Trailblazers
  • Security Trailblazers
  • Storage Trailblazers
  • Virtualization Trailblazers

Early stage startups (2 years and younger without VC funding) are able to apply for a chosen tech category free of charge via the new Firestarter bursary and are automatically submitted for the new Firestarter award.

In 2016, the Tech Trailblazers introduced the Female and Male Tech Trailblazers of the Year categories to celebrate individual success within senior members of enterprise tech startups.

The Tech Trailblazers Awards is supported by sponsors and industry partners including AfriLabs, Amoo Venture Capital Advisory, beSUCCESS, bnetTV, BigDataStartups, China AXLR8R, the Cloud Security Alliance, Computing, ExecEvent, GFT, GoMoNews, The Green Grid, GSMA, The Icehouse, Innovation Warehouse, Internet of Things Events, IP EXPO Europe, Launchpad Europe, L’Informaticien, Lissted, MIT/Stanford Venture Lab, The Next Silicon Valley, Outsource, Prezi, The Register, Silicon Cape Initiative, Skolkovo, StarTau, Startup America, Storage Networking Industry Association (SNIA), Tech in Asia, TechNode, TiE Silicon Valley, Wazoku, Ventureburn and VMware.

Cybersecurity Expert Links Taiwan And Europe ATM Hacks

Group-IB says both attacks were likely carried out by Cobalt group using malware "ATM spitter."

Cybersecurity firm Group-IB has linked the July Taiwan ATM cyber heist to the ATM hacking spree in Europe last year, claiming the two were carried out by the same hacking group, dubbed Cobalt. Reuters reports that Group-IB’s conclusion is based on the fact that the hack techniques used in both incidents match.

A group of 22 foreign nationals are alleged to be behind the First Commercial Bank ATM hack in Taiwan, of which three Eastern Europeans are in custody. Most of the stolen money was recovered and Taiwan authorities believe the bank network was breached at a London branch.

According to a Group-IB report, the hackers used malware “ATM spitter” in the Taiwan attack as well as in similar hacks carried out in Britain, Russia, Poland, Spain, Bulgaria, and many other European countries, Reuters adds.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.


Security expert: Ransomware took in $1 billion in 2016

Increased user awareness of phishing threats, better antivirus technology, more industry-wide information sharing and cross-border efforts by law enforcement authorities will combine to turn the tide against ransomware this year, according to some security experts, but others expect the attacks to continue to increase.

According to a security expert who requested anonymity, ransomware cybercriminals took in about $1 billion last year, based on money coming into ransomware-related bitcoin wallets. That includes more than $50 million each for three wallets associated with the Locky ransomware, and a fourth one that processed close to $70 million. Cryptowall brought in close to $100 million before it was shut down this year. CryptXXX gathered in $73 million during the second half of 2016, and Cerber took in $54 million, the expert said.

Smaller ransomware families brought in another $150 million, and the FBI has reported $209 million in ransomware payments during the first three months of 2016. In addition to this $800 million or so in known payments, there are many other Bitcoin wallets that are unknown to researchers and uncounted, pushing the estimated total to $1 billion for all of 2016.

“The $1 billion number isn’t at all unreasonable and might even be low,” confirmed Mark Nunnikhoven, vice president of cloud research at Trend Micro. “It’s getting difficult to track the amount of money flowing into criminals’ Bitcoin wallets because they’ve started to try and hide the transactions across a large number of wallets,” he added.

He said that there was a 400 percent increase in ransomware variants last year, and he expects to see a 25 percent growth in ransomware families in 2016. “What we’re seeing is a bit of a maturation in how to execute these attacks, so we’re expecting a leveling off to a more realistic growth curve,” he said. But criminals will continue innovating because of how profitable ransomware is.

“I don’t think we’ll see the 100 percent growth that we saw from 2015 to 2016,” said Allan Liska, intelligence analyst at Recorded Future. “I think we’ll probably see a 50 percent growth.”

The markets for stolen medical records, credit card numbers and email addresses are collapsing, he said. “Not only is it taking a while to get paid, but they’re not getting paid as much as they used to,” he said. Meanwhile, ransomware is an easy business to get into, the payout is immediate, and it offers an ongoing revenue stream. “There’s no incentive for them to discontinue ransomware,” he said.

Some experts expect growth to be even higher. Successful ransomware attacks will double this year, predicted Tom Bain, vice president at CounterTack. “The reality is that every single customer I speak to, anyone in the industry really, this is their number one concern,” he said. Better defensive technology and collaboration will help, he said, but the problem is going to get worse before it starts to get better.

Gartner analysts estimate that there were between 2 million and 3 million successful ransomware attacks in 2016, and that the frequency will double year over year through 2019. “I think they’re right,” said Bain.

But not all experts think the future is quite that bleak. Raj Samani, vice president and CTO at Intel Security, predicts that anti-ransomware efforts will begin to pay off in the next few months. “We’ll see a spike earlier on this year, but then I anticipate our efforts with law enforcement to be successful,” he said.

Intel, along with Kaspersky Labs, Europol, and the Dutch National High Tech Crime Unit formed an alliance this past summer, No More Ransom. Since then, more than a dozen other law enforcement agencies have joined up, including Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland, and the United Kingdom. Several other security vendors have also joined up.

“Now that we’ve got more law enforcement agencies on board, and more private sector firms, we expect to see an increase in successful take-down operations,” said Samani.

In addition to working together to bring down ransomware operations, the group also distributes free anti-ransomware tools. That, combined with more user awareness about phishing and better detection technologies, will combine to stop the growth of this attack vector, Samani said. “As an industry, we’ve started to develop new products, sandboxing, threat intelligence exchanges,” he said. “It is getting better.”

However, he warned that malware authors do have one significant advantage. “There’s an asymmetry of information,” he said. “They have tools and services that will allow them to run their malware through all the anti-virus engines out there. They can install our products and they know how our products work because we openly talk about them. This is one of the big security challenges.”

This story, "Security expert: Ransomware took in $1 billion in 2016" was originally published by CSO.

Kaspersky Security Bulletin 2016. Story of the year

Introduction

In 2016, ransomware continued its rampage across the world, tightening its hold on data and devices, and on individuals and businesses. The numbers speak for themselves:

  • 62 new ransomware families made their appearance.
  • There was an 11-fold increase in the number of ransomware modifications: from 2,900 new modifications in January/March, to 32,091 in July/September.
  • Attacks on business increased three-fold between January and the end of September: the difference between an attack every 2 minutes and one every 40 seconds.
  • For individuals the rate of increase went from every 20 seconds to every 10 seconds.
  • One in five small and medium-sized businesses that paid the ransom never got their data back.

2016 also saw ransomware grow in sophistication and diversity, for example: changing tack if it encountered financial software, written in scripting languages, exploiting new infection paths, becoming more targeted, and offering turn-key ransomware-as-a-service solutions to those with fewer skills, resources or time – all through a growing and increasingly efficient underground ecosystem.

At the same time, 2016 saw the world begin to unite to fight back:

The No More Ransom project was launched in July, bringing together the Dutch National Police, Europol, Intel Security and Kaspersky Lab. A further 13 organizations joined in October. Among other things, the collaboration has resulted in a number of free online decryption tools that have so far helped thousands of ransomware victims to recover their data.

This is just the tip of the iceberg – much remains to be done. Together we can achieve far more than any of us can on our own.
What is ransomware?

Ransomware comes in two forms. The most common form of ransomware is the cryptor. These programs encrypt data on the victim’s device and demand money in return for a promise to restore the data. Blockers, by contrast, don’t affect the data stored on the device. Instead, they prevent the victim from accessing the device. The ransom demand, displayed across the screen, typically masquerades as a notice from a law enforcement agency, reporting that the victim has accessed illegal web content and indicating that they must pay a spot-fine. You can find an overview of both forms of ransomware here.

Ransomware: the main trends & discoveries of 2016

“Most ransomware thrives on an unlikely relationship of trust between the victim and their attacker: that, once payment is received, the ransomed files will be returned. Cybercriminals have exhibited a surprising semblance of professionalism in fulfilling this promise.”
GReAT, Threat Predictions for 2017

Arrivals and departures

Arrivals – in 2016, the world said hello to Cerber, Locky and CryptXXX – as well as to 44,287 new ransomware modifications

Cerber and Locky arrived in the early Spring. Both are nasty, virulent strains of ransomware that are propagated widely, mainly through spam attachments and exploit kits. They rapidly established themselves as ‘major players’, targeting individuals and corporates. Not far behind them was CryptXXX. All three families continue to evolve and to hold the world to ransom alongside well-established incumbents such as CTB-Locker, CryptoWall and Shade.

Locky ransomware has so far been spread across 114 countries.

As of October 2016, the top ransomware families detected by Kaspersky Lab products look like this:

# | Name | Verdicts* | Percentage of users**
1 | CTB-Locker | Trojan-Ransom.Win32.Onion / Trojan-Ransom.NSIS.Onion | 25.32
2 | Locky | Trojan-Ransom.Win32.Locky / Trojan-Dropper.JS.Locky | 7.07
3 | TeslaCrypt (active till May 2016) | Trojan-Ransom.Win32.Bitman | 6.54
4 | Scatter | Trojan-Ransom.Win32.Scatter / Trojan-Ransom.BAT.Scatter / Trojan-Downloader.JS.Scatter / Trojan-Dropper.JS.Scatter | 2.85
5 | Cryakl | Trojan-Ransom.Win32.Cryakl | 2.79
6 | CryptoWall | Trojan-Ransom.Win32.Cryptodef | 2.36
7 | Shade | Trojan-Ransom.Win32.Shade | 1.73
8 | (generic verdict) | Trojan-Ransom.Win32.Snocry | 1.26
9 | Crysis | Trojan-Ransom.Win32.Crusis | 1.15
10 | Cryrar/ACCDFISA | Trojan-Ransom.Win32.Cryrar | 0.90

* These statistics are based on the detection verdicts returned by Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Percentage of users targeted by a certain crypto-ransomware family relative to all users targeted with crypto-ransomware.

Departures – and goodbye to TeslaCrypt, Chimera and Wildfire – or so it seemed…

Probably the biggest surprise of 2016 was the shutdown of TeslaCrypt and the subsequent release of the master key, apparently by the malware actors themselves.

TeslaCrypt “committed suicide” – while the police shut down Encryptor RaaS and Wildfire.

Encryptor RaaS, one of the first Trojans to offer a Ransomware-as-a-Service model to other criminals, shut up shop after part of its botnet was taken down by the police.

Then, in July, approximately 3,500 keys for the Chimera ransomware were publicly released by someone claiming to be behind the Petya/Mischa ransomware. However, since Petya used some of the Chimera source code for its own ransomware, it could in fact be the same group, simply updating its product suite and causing mischief.

Similarly, Wildfire, whose servers were seized and a decryption key developed following a combined effort by Kaspersky Lab, Intel Security and the Dutch Police, now appears to have re-emerged as Hades.

Abuse of ‘educational’ ransomware

Well-intentioned researchers developed ‘educational’ ransomware to give system administrators a tool to simulate a ransomware attack and test their defenses.

Criminals were quick to seize upon these tools for their own malicious purposes.

Ransomware developed for ‘education’ gave rise to Ded Cryptor and Fantom, among others.

The developer of the educational ransomware Hidden Tear & EDA2 helpfully posted the source code on GitHub. Inevitably, 2016 saw the appearance of numerous malicious Trojans based on this code. This included Ded Cryptor, which changed the wallpaper on a victim computer to a picture of an evil-looking Santa Claus, and demanded a massive two Bitcoins (around $1,300) as a ransom. Another such program was Fantom, which simulated a genuine-looking Windows update screen.

Unconventional approaches

Why bother with a file when you can have the disk?

New approaches to ransomware attacks that were seen for the first time in 2016 included disk encryption, where attackers block access to, or encrypt, all the files at once. Petya is an example of this, scrambling the master index of a user’s hard drive and making a reboot impossible. Another Trojan, Dcryptor, also known as Mamba, went one step further, locking down the entire hard drive. This ransomware is particularly unpleasant, scrambling every disk sector including the operating system, apps, shared files and all personal data – using a copy of the open source DiskCryptor software.

Attackers are now targeting back-ups and hard drives – and brute-forcing passwords.

The ‘manual’ infection technique

Dcryptor’s infection is carried out manually, with the attackers brute-forcing passwords for remote access to a victim machine. Although not new, this approach has become significantly more prominent in 2016, often as a way to target servers and gain entry into a corporate system. If the attack succeeds, the Trojan installs and encrypts the files on the server and possibly even on all the network shares accessible from it. We discovered TeamXRat taking this approach to spread its ransomware on Brazilian servers.

Two-in-one infection

In August we discovered a sample of Shade that had unexpected functionality: if an infected computer turned out to belong to financial services, it would instead download and install a piece of spyware, possibly with the longer term aim of stealing money.

Shade downloaded spyware if it found financial software.

Ransomware in scripting languages

Another trend that attracted our attention in 2016 was the growing number of cryptors written in scripting languages. In the third quarter alone, we came across several new families written in Python, including HolyCrypt and CryPy, as well as Stampado written in AutoIt, the automation language.

A long line of amateurs and copycats

Many of the new ransomware Trojans detected in 2016 turned out to be of low quality: unsophisticated, with software flaws and sloppy errors in the ransom notes.

Poor quality ransomware increases likelihood of data being lost forever.

This was accompanied by a rise in copycat ransomware. Among other things, we spotted that:

  • Bart copies the ransom note & the style of Locky’s payment page.
  • An AutoIt-based copycat of Locky (dubbed AutoLocky) uses the same extension “.locky”.
  • Crusis (aka Crysis) copies the extension “.xtbl” originally used by Shade.
  • Xorist copies the whole naming scheme of the files encrypted by Crusis.

Probably the most prominent copycat we discovered this year was Polyglot (aka MarsJoke). It fully mimics the appearance and file processing approach of CTB-Locker.

These trends are all expected to increase in 2017.

“As the popularity continues to rise and a lesser grade of criminal decides to enter the space, we are likely to encounter more and more ‘ransomware’ that lacks the quality assurance or general coding capability to actually uphold this promise. We expect ‘skiddie’ ransomware to lock away files or system access or simply delete the files, trick the victim into paying the ransom, and provide nothing in return.”
GReAT, Threat Predictions for 2017

The thriving ransomware economy

The rise of RaaS

While Ransomware-as-a-Service is not a new trend, in 2016 this propagation model continued to develop, with ever more ransomware creators offering their malicious product ‘on demand’.

This approach has proved immensely appealing to criminals who lack the skills, resources or inclination to develop their own.

Ransomware is increasingly for hire on the criminal underground.

Notable examples of ransomware that appeared in 2016 and use this model are Petya/Mischa and Shark ransomware, which was later rebranded under the name Atom.

This business model is increasingly sophisticated:

[Figure: The Petya ransomware partner site]

The partner often signs up to a traditional commission-based arrangement. For example, the “payment table” for Petya ransomware shows that if a partner makes 125 Bitcoins a week they will walk away with 106.25 Bitcoins after commission.

[Figure: Petya payment table]

There is also an initial usage fee. Someone looking to use the Stampado ransomware, for example, needs to come up with just $39.

With other criminals offering their services in spam distribution, ransomware notes etc. it’s not difficult for an aspiring attacker to get started.

From commission-based networks to customer support and branding

The most ‘professional’ attackers offered their victims a help desk and technical support, guiding them through the process of buying Bitcoins to pay the ransom, and sometimes even being open to negotiation. Every step further encouraged the victim to pay.

Criminals offer customer support to ensure more victims pay.

Further, Kaspersky Lab experts studying ransomware in Brazil noticed that for many attacks, branding the ransomware was a matter of some importance. Those looking for media attention and customer fear would opt for a high profile, celebrity theme or gimmick – while those more concerned about staying under the radar would forgo the temptation of fame and leave their victims facing just an e-mail for contacting the bad guys and a Bitcoin address to pay into.

It’s still all about the Bitcoins

Throughout 2016, the most popular ransomware families still favored payment in Bitcoins. Most ransomware demands were not excessive, averaging at around $300, although some were charged – and paid – a great deal more.

Others, particularly regional and hand-crafted operations, often preferred a local payment option – although this also meant that they were no longer able to hide in plain sight and blend in with the rest of the ransomware noise.

Ransomware turned its weapons on business

In the first three months of 2016, 17% of ransomware attacks targeted corporates – this equates to an attack hitting a business somewhere in the world every two minutes [1].

By the end of Q3 this had increased to 23.9% – an attack every 40 seconds.

A business is attacked with ransomware every 40 seconds.

According to Kaspersky Lab research, in 2016, one in every five businesses worldwide suffered an IT security incident as a result of a ransomware attack.

  • 42% of small and medium-sized businesses were hit by ransomware in the last 12 months.
  • 32% of them paid the ransom.
  • One in five never got their files back, even after paying.
  • 67% of those affected by ransomware lost part or all of their corporate data – and one-in-four spent several weeks trying to restore access.

One in five SMBs never gets their data back, even after paying.

Social engineering and human error remain key factors in corporate vulnerability. One in five cases involving significant data loss came about through employee carelessness or lack of awareness.

“We are seeing more targeted ransomware, where criminal groups carefully hand-pick and spear-phish their targets because of the data they possess and/or their reliance on the availability of this valuable data.”
John Fokker, Digital team Coordinator with the Dutch National High Tech Crime unit

Some industry sectors are harder hit than others, but our research shows that all are at risk.

There is no such thing as a low-risk sector anymore.

# | Industry sector | % attacked with ransomware
1 | Education | 23
2 | IT/Telecoms | 22
3 | Entertainment/Media | 21
4 | Financial Services | 21
5 | Construction | 19
6 | Government/public sector/defence | 18
7 | Manufacturing | 18
8 | Transport | 17
9 | Healthcare | 16
10 | Retail/wholesale/leisure | 16

Ransomware attacks that made the headlines

  • Hospitals became a prime target – with potentially devastating impact as operations were cancelled, patients diverted to other hospitals and more.
  • Hosted desktop and cloud provider VESK paid nearly $23,000 in ransom to recover access to one of its systems following an attack in September.
  • Leading media, including the New York Times, the BBC and AOL were hit by malware carrying ransomware in March 2016.
  • The University of Calgary in Canada, a major research center, acknowledged it had paid around $16,000 to recover emails that had been encrypted for a week.
  • A small police station in Massachusetts ended up paying a $500 ransom (via Bitcoin) in order to retrieve essential case-related data, after an officer opened a poisonous email attachment.
  • Even motor racing was hit: a leading NASCAR racing team faced losing data worth millions to a TeslaCrypt attack in April.

Fighting Back

Through technology

The latest versions of Kaspersky Lab products for smaller companies have been enhanced with anti-cryptomalware functionality. In addition, a new, free anti-ransomware tool has been made available for all businesses to download and use, regardless of the security solution they use.

A new free, AV-independent anti-ransomware tool is available.

Kaspersky Lab’s Anti-Ransomware Tool for Business is a ‘light’ solution that can function in parallel with other antivirus software.

The tool uses two components needed for the early detection of Trojans: the distributed Kaspersky Security Network and System Watcher, which monitors applications’ activity.

Kaspersky Security Network quickly checks the reputation of files and website URLs through the cloud, and System Watcher monitors the behavior of programs, and provides proactive protection from yet-unknown versions of Trojans. Most importantly, the tool can back up files opened by suspicious applications and roll back the changes if the actions taken by programs prove malicious.

Through collaboration: The No More Ransom Initiative

On 25 July 2016, the Dutch National Police, Europol, Intel Security and Kaspersky Lab announced the launch of the No More Ransom project – a non-commercial initiative that unites public and private organizations and aims to inform people of the dangers of ransomware and help them to recover their data.

The online portal currently carries eight decryption tools, five of which were made by Kaspersky Lab. These can help to restore files encrypted by more than 20 types of cryptomalware. To date, more than 4,400 victims have got their data back – and more than $1.5 million in ransom demands has been saved.

No More Ransom has so far got 4,400 people their data back – and deprived criminals of $1.5 million in ransom.

In October, law enforcement agencies from a further 13 countries joined the project, including: Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland and the United Kingdom.

Eurojust and the European Commission also support the project’s objectives, and more partners from the private sector and law enforcement are expected to be announced soon.

“Public/Private partnerships are the essence and the strength of the NMR initiative. They are essential to effectively and efficiently tackle the problem, providing us with much greater capability and reach than law enforcement could have alone.”
Steven Wilson, Head of Europol’s EC3

Standing up to ransomware – how to stay safe

  • Back up data regularly.
  • Use a reliable security solution, and remember to keep key features – such as System Watcher – switched on.
  • Always keep software updated on all the devices you use.
  • Treat email attachments, or messages from people you don’t know, with caution. If in doubt, don’t open it.
  • If you’re a business, you should also educate your employees and IT teams; keep sensitive data separate; restrict access; and back up everything, always.
  • If you are unlucky enough to fall victim to an encryptor, don’t panic. Use a clean system to check our No More Ransom site; you may well find a decryption tool that can help you get your files back.
  • Last, but not least, remember that ransomware is a criminal offence. Report it to your local law enforcement agency.

“We urge people to report an attack. Every victim holds an essential piece of evidence that provides invaluable insight. In return, we can keep them informed and protect them from dodgy third-party ‘offers’ to unencrypt data. But we need to ensure that more law enforcement offices know how to deal with digital crime.”
Ton Maas, Digital team Coordinator with the Dutch National High Tech Crime unit

Why you shouldn’t pay – advice from the Dutch National High Tech Crime Unit

  • You become a bigger target.
  • You can’t trust criminals – you may never get your data back, even if you pay.
  • Your next ransom will be higher.
  • You encourage the criminals.

Can we ever win the fight against ransomware?

We believe we can – but only by working together. Ransomware is a lucrative criminal business. To make it stop the world needs to unite to disrupt the criminals’ kill-chain and make it increasingly difficult for them to implement and profit from their attacks.

[1] Estimates based on: 17% of 372,602 unique users with ransomware attacks blocked by Kaspersky Lab products in Q1, 2016 and 23.9% of 821,865 unique users with ransomware attacks blocked by Kaspersky Lab products in Q3, 2016.

Malware Turns ATMs Into Cash-Spewing Jackpots

The remote hack works from anywhere in the world, robbing banks in as little as 10 minutes.

It is every consumer's dream to find an ATM spitting out cash like a winning slot machine, and it seems that hackers in Eastern Europe have figured out how to make that a reality.

As outlined by Russian security firm Group IB, the hackers are linked to the Buhtrap crew, which stole $28 billion from Russian banks between August 2015 and January 2016, according to Reuters. But while Buhtrap looted ATMs via fraudulent wire transfers, the ATM scammers reportedly use a less hands-on method: "touchless jackpotting."

The remote hack works from anywhere in the world, robbing banks in as little as 10 minutes. The hackers reportedly use a penetration testing tool known as Cobalt Strike, which lets them access servers that control ATMs via bank PCs infected by malicious emails. Accomplices then wait by the targeted ATMs and scoop up the cash as it spits out of the machine.

The hackers reportedly hit financial institutions in Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Malaysia, Moldova, the Netherlands, Poland, Romania, Russia, Spain, and the UK. Group IB did not reveal which banks were targeted.

Global ATM manufacturers Diebold Nixdorf and NCR confirmed to PCMag that they are "familiar" with these types of breaches.

"ATM attacks are becoming more complex and sophisticated as hackers dedicate more time to attacking infrastructure," an NCR spokeswoman said in a statement. "Securing one's infrastructure and endpoints is a never-ending and extremely important task that does not depend on the region or attack type."

Diebold Nixdorf, meanwhile, claims there is "no indication to us that this group of fraudsters is active in Europe or the Americas."

But that doesn't mean they won't be. "Logical attacks on ATMs are expected to become one of the key threats targeting banks," according to Dmitry Volkov, head of the Group IB investigation department.

"They enable cybercriminals to commit fraud remotely from anywhere globally and attack the whole ATM network without being 'on the radar' of security services," he said in a statement. "This type of attack does not require development of expensive advanced software—a significant amount of the tools used are widely available on the deep Web."

As the Wall Street Journal reports, the FBI recently warned US banks to look out for potential attacks, following incidents in Taiwan and Thailand over the summer.

"Every bank is under threat of logical attacks on ATMs and should be protected accordingly," Volkov added.

IT threat evolution Q3 2016. Statistics

Statistics

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Q3 figures

According to KSN data, Kaspersky Lab solutions detected and repelled 171,802,109 malicious attacks from online resources located in 190 countries all over the world. 45,169,524 unique URLs were recognized as malicious by web antivirus components. Kaspersky Lab’s web antivirus detected 12,657,673 unique malicious objects: scripts, exploits, executable files, etc. Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 1,198,264 user computers. Crypto ransomware attacks were blocked on 821,865 computers of unique users. Kaspersky Lab’s file antivirus detected a total of 116,469,744 unique malicious and potentially unwanted objects. Kaspersky Lab mobile security products detected: 1,520,931 malicious installation packages; 30,167 mobile banker Trojans (installation packages); 37,150 mobile ransomware Trojans (installation packages).

Mobile threats

Q3 events

Pokémon GO: popular with users and hackers

One of the most significant events of the third quarter was the release of Pokémon GO. Of course, cybercriminals could not ignore such a popular new product and tried to exploit the game for their own purposes. This was primarily done by adding malicious code to the original app and spreading malicious versions via third-party stores. This method was used, for example, to spread Trojan-Banker.AndroidOS.Tordow, which exploits vulnerabilities in the system to obtain root access to a device.
With root access, this Trojan protects itself from being deleted, and it can also steal saved passwords from browsers.

But perhaps the most notable case of Pokémon GO’s popularity being used to infect mobile devices involved fraudsters publishing a guide for the game in the official Google Play store. The app turned out to be an advertising Trojan capable of gaining root access to a device by exploiting vulnerabilities in the system. We later came across two more modifications of this Trojan, which were added to Google Play under the guise of different apps. According to Google Play data, one of them, imitating an equalizer, was installed between 100,000 and 500,000 times.

Figure: Trojan.AndroidOS.Ztorg.ad in the official Google Play store

Interestingly, one of the methods used by the cybercriminals to promote the Trojan was a company that pays users for the installation of advertising apps.

Figure: Screenshot of the app that prompts the user to install the Trojan for 5 cents

According to this company’s rules, it doesn’t work with users whose devices have root access. The users may be looking to earn some money, but they end up with an infected device and don’t actually receive any money, because after infection the device gains root access.

Ad with a Trojan

The most popular mobile Trojan in the third quarter of 2016 was Trojan-Banker.AndroidOS.Svpeng.q. During the quarter, the number of users attacked by it grew almost eightfold. Over 97% of users attacked by Svpeng were located in Russia. The attackers managed to make the Trojan so popular by advertising it via Google AdSense – one of the most popular advertising networks on the Russian Internet. Many popular sites use it to display targeted advertising. Anyone can pay to register their ad on the network, and that was exactly what the attackers did. Along with the advert, however, they added the AdSense Trojan. When a user visited the page with the advert, Svpeng was downloaded to their device.

Bypassing protection mechanisms in Android 6

In our report for the second quarter of 2016 we mentioned the Trojan-Banker.AndroidOS.Asacub family that can bypass several system controls. Of special note this quarter is the Trojan-Banker.AndroidOS.Gugi family that has learned to bypass the security mechanisms introduced in Android 6 by tricking the user. The Trojan first requests rights to overlay other applications, and then uses those rights to trick the user into giving it privileges to work with text messages and to make calls.

Trojan ransomware in the Google Play store

In the third quarter, we registered the propagation of Trojan-Ransom.AndroidOS.Pletor.d, a mobile ransomware program, via Google Play. The Trojan imitated an app for servicing devices, including deleting unnecessary data, speeding up device performance and even antivirus protection.

Figure: Trojan-Ransom.AndroidOS.Pletor.d in Google Play

The Trojan checks which country the device is located in, and if it is not Russia or Ukraine, it requests administrator rights and calls the command server. Earlier versions of this Trojan encrypted user data, but this modification doesn’t possess such functionality. Instead, the Trojan blocks operation of the device by opening a window that covers all other open windows and demanding a ransom to unblock it.

Mobile threat statistics

In Q3 2016, Kaspersky Lab detected 1,520,931 malicious installation packages, which is 2.3 times fewer than in the previous quarter.

Figure: Number of detected malicious installation packages (Q4 2015 – Q1 2016)

Distribution of mobile malware by type

Figure: Distribution of new mobile malware by type (Q2 2016 and Q3 2016)

In Q3 2016, RiskTool software, or legitimate applications that are potentially dangerous to users, topped the rating of malicious objects detected for mobile devices. Their share continued to grow from 45.1% in Q2 to 55.8% this quarter.
Due to the large number of RiskTool programs and the considerable increase in their overall share of the total flow of detected objects, the proportion of almost all other types of malicious programs decreased, even where the actual number of detected programs increased compared to the previous quarter. The most affected was Trojan-Ransom – its share decreased from 5.72% to 2.37%. This was caused by a decline in activity by the Trojan-Ransom.AndroidOS.Fusob family (covered in more detail below). At the same time, we registered a slight growth in the share of Trojan-Bankers – from 1.88% to 1.98%.

TOP 20 mobile malware programs

Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

Rank  Name                                 % of attacked users*
1     DangerousObject.Multi.Generic        78.46
2     Trojan-Banker.AndroidOS.Svpeng.q     11.45
3     Trojan.AndroidOS.Ztorg.t             8.03
4     Backdoor.AndroidOS.Ztorg.c           7.24
5     Backdoor.AndroidOS.Ztorg.a           6.55
6     Trojan-Dropper.AndroidOS.Agent.dm    4.91
7     Trojan.AndroidOS.Hiddad.v            4.55
8     Trojan.AndroidOS.Agent.gm            4.25
9     Trojan-Dropper.AndroidOS.Agent.cv    3.67
10    Trojan.AndroidOS.Ztorg.aa            3.61
11    Trojan-Banker.AndroidOS.Svpeng.r     3.44
12    Trojan.AndroidOS.Ztorg.pac           3.31
13    Trojan.AndroidOS.Iop.c               3.27
14    Trojan.AndroidOS.Muetan.b            3.17
15    Trojan.AndroidOS.Vdloader.a          3.14
16    Trojan-Dropper.AndroidOS.Triada.s    2.80
17    Trojan.AndroidOS.Muetan.a            2.77
18    Trojan.AndroidOS.Triada.pac          2.75
19    Trojan-Dropper.AndroidOS.Triada.d    2.73
20    Trojan.AndroidOS.Agent.eb            2.63

* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

First place is occupied by DangerousObject.Multi.Generic (78.46%), the verdict used for malicious programs detected using cloud technologies.
Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.

In Q3 2016, 17 Trojans that use advertising as their main means of monetization (highlighted in blue in the table) made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which it will be very difficult to delete them.

With root access on the device, Trojans can do many different things without the user being aware, such as installing apps from Google Play, including paid apps.

It’s worth noting that the Trojans from the Ztorg family, which occupied four places in the TOP 20, are often distributed via the official Google Play store. Since the end of 2015, we have registered more than 10 such cases (including a fake guide for Pokemon GO). Several times the Trojan notched up over 100,000 installations, and on one occasion it was installed more than 500,000 times.

Figure: Trojan.AndroidOS.Ztorg.ad masquerading as a guide for Pokemon GO in Google Play

The ranking also included two representatives of the Trojan-Banker.AndroidOS.Svpeng mobile banker family. As we mentioned above, Svpeng.q became the most popular malware in the third quarter of 2016. This was down to the Trojan being distributed via the AdSense advertising network, which is used by a large number of sites on the Russian segment of the Internet.

The geography of mobile threats

Figure: The geography of attempted mobile malware infections in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

Rank  Country*          % of users attacked**
1     Bangladesh        35.57
2     Nepal             31.54
3     Iran              31.38
4     China             26.95
5     Pakistan          26.83
6     Indonesia         26.33
7     India             24.35
8     Nigeria           22.88
9     Algeria           21.82
10    The Philippines   21.67

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

Bangladesh topped the rating, with almost 36% of users there encountering a mobile threat at least once during the quarter. China, which came first in this rating two quarters in a row, dropped to fourth place.

The most popular mobile malware in all the countries of this rating (except China) was the same – advertising Trojans that mostly belonged to the Ztorg, Iop, Hiddad and Triada families. A significant proportion of attacks in China also involved advertising Trojans, but the majority of users there encountered Trojans from the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families.

Russia (12.1%) came 24th in this rating, France (6.7%) 52nd, the US (5.3%) 63rd, Italy (5.1%) 65th, Germany (4.9%) 68th, and the United Kingdom (4.7%) 71st. The situation in Germany and Italy has improved significantly: in the previous quarter, 8.5% and 6.2% of users in those countries respectively were attacked. This was due to a decline in activity by the Fusob family of mobile ransomware.

The safest countries were Austria (3.3%), Croatia (3.1%) and Japan (1.7%).

Mobile banking Trojans

Over the reporting period, we detected 30,167 installation packages for mobile banking Trojans, which is 1.1 times as many as in Q2.

Figure: Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q4 2015 – Q3 2016)

Trojan-Banker.AndroidOS.Svpeng became the most popular mobile banking Trojan in Q3 due to its active distribution via the advertising network AdSense. More than half the users that encountered mobile banking Trojans in the third quarter faced Trojan-Banker.AndroidOS.Svpeng.q. It was constantly increasing the rate at which it spread – in September the number of users attacked by the Trojan was almost eight times greater than in June.

Figure: The number of unique users attacked by the Trojan-Banker.AndroidOS.Svpeng banking Trojan family (June-September 2016)

Over 97% of attacked users were in Russia. This family of mobile banking Trojans uses phishing windows to steal credit card data and logins and passwords from online banking accounts. In addition, fraudsters steal money via SMS services, including mobile banking.

Figure: Geography of mobile banking threats in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

Rank  Country*      % of users attacked**
1     Russia        3.12
2     Australia     1.42
3     Ukraine       0.95
4     Uzbekistan    0.60
5     Tajikistan    0.56
6     Kazakhstan    0.51
7     China         0.49
8     Latvia        0.47
9     Russia        0.41
10    Belarus       0.37

* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q3 2016, first place was occupied by Russia (3.12%) where the proportion of users that encountered mobile banker Trojans almost doubled from the previous quarter. In second place again was Australia (1.42%), where the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher families were the most popular threats.
The most widely distributed mobile banking Trojans in Q3 were representatives of the Svpeng, Faketoken, Regon, Asacub, Gugi and Grapereh families. In particular, the third quarter saw the Trojan-Banker.AndroidOS.Gugi family learn how to bypass protection mechanisms in Android by tricking users.

Mobile Ransomware

In Q3 2016, we detected 37,150 mobile Trojan-Ransomware installation packages.

Figure: Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q4 2015 – Q3 2016)

The sharp rise in the number of mobile Trojan-Ransomware installation packages in Q1 and Q2 of 2016 was caused by the active proliferation of the Trojan-Ransom.AndroidOS.Fusob family of Trojans. In the first quarter of 2016, this family accounted for 96% of users attacked by mobile ransomware; in Q2 it accounted for 85%. Its share in Q3 was 73%.

Figure: Number of users attacked by the Trojan-Ransom.AndroidOS.Fusob family, January-September 2016

The highest number of users attacked by the mobile Trojan-Ransomware family was registered in March 2016. Since then the number of attacked users has been decreasing, especially in Germany. Despite this, Trojan-Ransom.AndroidOS.Fusob.h remained the most popular mobile Trojan-Ransomware in the third quarter, accounting for nearly 53% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including GPS coordinates and call history, and sends the data to a malicious server. After that, it may receive a command to block the device.

Figure: Geography of mobile Trojan-Ransomware in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

Rank  Country*       % of users attacked**
1     Canada         0.95
2     USA            0.94
3     Kazakhstan     0.71
4     Germany        0.63
5     UK             0.61
6     Mexico         0.58
7     Australia      0.57
8     Spain          0.54
9     Italy          0.53
10    Switzerland    0.51

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

In all the TOP 10 countries apart from Kazakhstan, the most popular Trojan-Ransom family was Fusob. In the US, the Trojan-Ransom.AndroidOS.Svpeng family was also popular. This Trojan family emerged in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng family. These Trojans demand a ransom of $100-$500 from victims to unblock their devices.

In Kazakhstan, the main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks the operation of a device by overlaying all the windows with its own and demanding $10 to remove it.

Vulnerable apps exploited by cybercriminals

In Q3 2016, the Neutrino exploit kit departed the cybercriminal market, following in the wake of Angler and Nuclear which also left the market in the previous quarter. RIG and Magnitude remain active. RIG was especially prominent – it has quickly filled the vacant niche on the exploit kit market.

This is the overall picture for the use of exploits this quarter:

Figure: Distribution of exploits used in attacks by the type of application attacked, Q3 2016

Exploits for different browsers and their components (45%) once again topped the rating, although their share decreased by 3 percentage points. They are followed by exploits for Android OS vulnerabilities (19%), whose share fell 5 p.p. in the third quarter. Exploits for Microsoft Office rounded off the top three. Their contribution actually saw an increase from 14% to 16% in Q3.

Exploits for Adobe Flash Player remained popular. In fact, their share more than doubled from 6% to 13%. This was caused by the aforementioned RIG exploit kit: its use in several campaigns saw the share of SWF exploits increase dramatically.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

In the third quarter of 2016, Kaspersky Lab’s web antivirus detected 12,657,673 unique malicious objects (scripts, exploits, executable files, etc.) and 45,169,524 unique URLs were recognized as malicious by web antivirus components. Kaspersky Lab solutions detected and repelled 171,802,109 malicious attacks from online resources located in 190 countries all over the world.

Online threats in the banking sector

These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.

Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 1,198,264 computers in Q3 2016.
The number of users attacked by financial malware increased by 5.8% from the previous quarter (1,132,031). The third quarter is traditionally holiday season for many users of online banking services in Europe, which means the number of online payments made by these users increases during this period. This inevitably sees an increase in financial risks.

Figure: Number of users attacked by financial malware, Q3 2016

In Q3, the activity of financial threats grew month on month.

Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.

Figure: Geography of banking malware attacks in Q3 2016 (percentage of attacked users)

TOP 10 countries by percentage of attacked users

Rank  Country*      % of attacked users**
1     Russia        4.20
2     Sri Lanka     3.48
3     Brazil        2.86
4     Turkey        2.77
5     Cambodia      2.59
6     Ukraine       1.90
7     Venezuela     1.90
8     Vietnam       1.86
9     Argentina     1.86
10    Uzbekistan    1.77

These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In the third quarter of 2016, Russia had the highest proportion of users attacked by banking Trojans. Representatives of the Trojan-Banker ZeuS (Zbot) family, which leads the way in terms of the number of attacked users worldwide, were especially active in Russia. This is unsurprising since Russian cybercriminals are allegedly behind the development of this malware.
They know the specifics of Russia’s online banking systems as well as the mentality of Russian users and take them into consideration when developing their malware. In Russia, the Gozi banking Trojan continues to proliferate. It displayed a burst of activity in the previous quarter after its developers joined forces with the creators of the Nymaim Trojan. Russia also topped the TOP 10 countries with the highest proportion of users attacked by mobile bankers.

Sri Lanka, a favorite destination with tourists, was a newcomer to the rating, going straight in at second. Financial threats were encountered by 3.48% of users in the country. Among them are likely to be foreigners who arrived in the country on holiday and used online banking services to make payments. The most active representatives of banking malware in the region were those from the Fsysna banker family. This family has previously been noted for attacks targeting customers of Latin American banks.

Brazil rounds off the top three for the second quarter in a row. In Q2, we forecast a surge of financial threat activity in Latin America and specifically in Brazil because of this summer’s Olympic Games. However, the increase in the proportion of users attacked in Brazil was negligible: in the third quarter, 2.86% of users in Brazil encountered financial threats compared to 2.63% in Q2. At the same time, users in Argentina were subjected to a surge in malicious attacks, and as a result, the country ranked ninth.

The holiday season affected almost all countries in the TOP 10. In Russia, Ukraine and Uzbekistan, people traditionally have vacations at this time of the year, while other countries (Sri Lanka, Brazil, Turkey, Cambodia, etc.) are considered popular tourist destinations. Tourists tend to be active users of online banking systems, which in turn attracts cybercriminals and their banking malware.
The share of banking Trojan victims in Italy was 0.60%, in Spain it was 0.61%, while in Germany and the UAE the figures were 1.21% and 1.14% respectively.

The TOP 10 banking malware families

The table below shows the TOP 10 malware families used in Q3 2016 to attack online banking users (as a percentage of users attacked):

Rank  Name*                                    % of attacked users**
1     Trojan-Spy.Win32.Zbot                    34.58
2     Trojan.Win32.Qhost/Trojan.BAT.Qhost      9.48
3     Trojan.Win32.Fsysna                      9.467
4     Trojan-Banker.Win32.Gozi                 8.98
5     Trojan.Win32.Nymaim                      8.32
6     Trojan-Banker.Win32.Shiotob              5.29
7     Trojan-Banker.Win32.ChePro               3.77
8     Trojan-Banker.Win32.BestaFera            3.31
9     Trojan-Banker.Win32.Banbra               2.79
10    Trojan.Win32.Neurevt                     1.79

* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.

The undisputed leader of the rating is Trojan-Spy.Win32.Zbot. Its source code has been publicly available since a leak and is now widely exploited as an easy-to-use tool for stealing user payment data. Unsurprisingly, this malware consistently tops this rating – cybercriminals regularly enhance the family with new modifications compiled on the basis of the source code and containing minor differences from the original.

The family of Qhost Trojans (verdicts Trojan.Win32.Qhost and Trojan.BAT.Qhost) came second. The functionality of this family’s malicious programs is relatively simple: the Trojan modifies the content of the hosts file (a text file that maps domain names to the network addresses of nodes), and as soon as specific resources are visited, the Trojan’s malicious components are loaded to an infected workstation and used to steal payment information.
The Trojan adds a number of records to the hosts file, preventing the user’s browser from connecting to web-based apps and resources of popular antivirus vendors.

The Q3 rating also includes a new malware representative that has already demonstrated its capabilities in Sri Lanka – the Trojan.Win32.Fsysna family of banking Trojans. Members of this family, in addition to stealing payment data from infected workstations, are also used by cybercriminals to distribute spam. The Trojan uses an infected machine to redirect spam messages from the command center to a mail server. Some representatives of this family also possess Trojan cryptor functionality. Fsysna is kind of a ‘Swiss army knife’ used by cybercriminals to steal money.

Q3 2016 saw a decline in the activity of the notorious financial threat Trojan-Spy.Win32.Lurk: the number of users attacked by this malware fell by 7.1%. Lurk was not included in the TOP 10 banking malware families, but it still poses a threat to users of online banking systems. The cybercriminal group behind this financial threat has been arrested (something we wrote about in a separate article), so we expect to see a further decrease in activity by this banking Trojan next quarter.

Ransomware Trojans

Cryptors are currently one of the biggest threats to users and companies. These malicious programs are becoming more and more popular in the cybercriminal world because they are capable of generating large profits for their owners.

A total of 21 new cryptor families and 32,091 new modifications were detected in Q3. We also added several existing cryptor families to our virus collection.

The number of new cryptor families added to our virus collection is slightly less than in the second quarter (25), but the number of newly created modifications increased 3.5 times compared to the previous quarter.

Figure: The number of newly created cryptor modifications, Q1 – Q3 2016

Malware writers are constantly trying to improve their creations.
New ways to infect computers are always being sought, especially for attacks on companies, which cybercriminals see as far more profitable than attacks on standard users.

Remote launching of cryptors by cybercriminals

We are increasingly seeing incidents where cybercriminals crack passwords to gain remote access to a victim’s system (usually an organization) and infect a compromised machine with Trojan ransomware. Examples of this in Q3 were Dcryptor and Xpan.

Dcryptor/Mamba

Trojan-Ransom.Win32.Dcryptor is known on the Internet under the pseudonym ‘Mamba’. Infection is carried out manually. The fraudsters brute-force the passwords for remote access to the victim machine and run the Trojan, passing on the password for encryption as a command line argument.

During infection, the Trojan uses the legitimate DiskCryptor utility. As a result, it’s not just individual files on network drives that are infected but entire hard drive sectors on the local machine. System boot is blocked: once the computer is started, a message appears on the screen demanding a ransom and displaying an email address for communicating with the attackers.

This Trojan reminds us of the notorious Petya/Mischa Trojan and continues the growing trend of cybercriminals looking for new ways to block access to data.

Xpan/TeamXRat ransomware

Trojan-Ransom.Win32.Xpan is yet another example of ransomware that is launched after attackers remotely penetrate a system. This Trojan is distributed by Brazilian cybercriminals. They brute-force the RDP password (the standard protocol for remote access to Windows computers) and infect the compromised system using the Xpan Trojan that encrypts files and displays a ransom demand.

Ransomware in scripting languages

Another trend that has attracted our attention is the growing number of cryptors written in scripting languages.
In the third quarter of 2016, we came across several new families written in Python:

HolyCrypt (Trojan-Ransom.Python.Holy)
CryPy (Trojan-Ransom.Python.Kpyna)
Trojan-Ransom.Python.Agent

Another example that emerged in June was Stampado (Trojan-Ransom.Win32.Stampa) written in AutoIt, the automation language.

The number of users attacked by ransomware

In Q3 2016, 821,865 unique KSN users were attacked by cryptors – that is 2.6 times more than the previous quarter.

Number of unique users attacked by Trojan-Ransom cryptor malware (Q3 2016)

The largest contribution was made by representatives of the Trojan-Downloader.JS.Cryptoload family. These Trojan downloaders, written in JavaScript, were designed to download and install representatives of different cryptor families in the system.

Geography of Trojan-Ransom attacks in Q3 2016 (percentage of attacked users)

Top 10 countries attacked by cryptors

    Country*     % of users attacked by cryptors**
1   Japan        4.83
2   Croatia      3.71
3   Korea        3.36
4   Tunisia      3.22
5   Bulgaria     3.20
6   Hong Kong    3.14
7   Taiwan       3.03
8   Argentina    2.65
9   Maldives     2.63
10  Australia    2.56

* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

As in the previous quarter, Japan topped this rating. Newcomers to this Top 10 were Tunisia, Hong Kong, Argentina, and Australia, with Italy, Djibouti, Luxembourg, and the Netherlands all making way.
Top 10 most widespread cryptor families

    Name              Verdict*                                                  % of attacked users**
1   CTB-Locker        Trojan-Ransom.Win32.Onion / Trojan-Ransom.NSIS.Onion      28.34
2   Locky             Trojan-Ransom.Win32.Locky                                 9.60
3   CryptXXX          Trojan-Ransom.Win32.CryptXXX                              8.95
4   TeslaCrypt        Trojan-Ransom.Win32.Bitman                                1.44
5   Shade             Trojan-Ransom.Win32.Shade                                 1.10
6   Cryakl            Trojan-Ransom.Win32.Cryakl                                0.82
7   Cryrar/ACCDFISA   Trojan-Ransom.Win32.Cryrar                                0.73
8   Cerber            Trojan-Ransom.Win32.Zerber                                0.59
9   CryptoWall        Trojan-Ransom.Win32.Cryptodef                             0.58
10  Crysis            Trojan-Ransom.Win32.Crusis                                0.51

* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

CTB-Locker once again occupied first place in Q3. The top three also included the now infamous Locky and CryptXXX. Despite the fact that the owners of TeslaCrypt disabled their servers and posted a master key to decrypt files back in May 2016, it continues to make it into our rating (although its contribution fell by a factor of 5.8 in Q3).

Crysis

Crysis (verdict Trojan-Ransom.Win32.Crusis) was a newcomer to the TOP 10 in Q3. This Trojan was first detected in February 2016 and since then has undergone several code modifications. Interestingly, the list of email addresses used for ransom demands by the distributors of Crysis partly matches the list associated with the Cryakl and Aura Trojans. Analysis of the executable files from these families, however, shows that they do not share the same code. It appears that these malicious programs are spread via a partner scheme, and because some distributors are distributing several different Trojans simultaneously, they are using the same email address to communicate their ransom demands to the victims.
Polyglot/MarsJoke

This Trojan appeared in August 2016 (we recently published a detailed analysis of Polyglot/MarsJoke). It is not included in the TOP 10, but it does have one interesting feature: the authors have tried to imitate the well-known CTB-Locker, which tops the rating for the second quarter in a row. Both the external and internal design of this piece of malware are very similar to the “original”, but the cybercriminals made a mistake that allows files to be decrypted without paying a ransom.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q3 2016, Kaspersky Lab solutions blocked 171,802,109 attacks launched from web resources located in 190 countries around the world. 45,169,524 unique URLs were recognized as malicious by web antivirus components. 83% of notifications about blocked web attacks were triggered by attacks coming from web resources located in 10 countries.

Distribution of web attack sources by country, Q3 2016

The US (33.51%) remained top of this rating in Q3. Russia (9%) dropped from second to fourth, while Germany came second with a share of 10.5%. Canada left the Top 10, with Cyprus a newcomer in ninth place (1.24%).
Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

In Q3 2016, 30,167 #mobile #banking Trojans were detected by @kaspersky mobile security products #KLreport

Please note that starting this quarter, this rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

    Country*                % of users attacked**
1   Slovenia                30.02
2   Bulgaria                29.49
3   Armenia                 29.30
4   Italy                   29.21
5   Ukraine                 28.18
6   Spain                   28.15
7   Brazil                  27.83
8   Belarus                 27.06
9   Algeria                 26.95
10  Qatar                   26.42
11  Greece                  26.10
12  Portugal                26.08
13  Russia                  25.87
14  France                  25.44
15  Kazakhstan              25.26
16  Azerbaijan              25.05
17  United Arab Emirates    24.97
18  Vietnam                 24.73
19  China                   24.19
20  Albania                 23.23

These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 20.2% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.
Geography of malicious web attacks in Q3 2016 (ranked by percentage of users attacked)

The countries with the safest online surfing environments included Croatia (14.21%), the UK (14.19%), Singapore (13.78%), the US (13.45%), Norway (13.07%), Czech Republic (12.80%), South Africa (11.98%), Sweden (10.96%), Korea (10.61%), the Netherlands (9.95%), Japan (9.78%).

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.). Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q3 2016, Kaspersky Lab’s file antivirus detected 116,469,744 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

In Q3 2016, @kaspersky #mobile security products detected 37,150 mobile #ransomware Trojans #KLreport

Please note that starting this quarter, the rating of malicious programs only includes Malware-class attacks. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.
    Country*       % of users attacked**
1   Vietnam        52.07
2   Afghanistan    52.00
3   Yemen          51.32
4   Somalia        50.78
5   Ethiopia       50.50
6   Uzbekistan     50.15
7   Rwanda         50.14
8   Laos           49.27
9   Venezuela      49.27
10  Philippines    47.69
11  Nepal          47.01
12  Djibouti       46.49
13  Burundi        46.17
14  Syria          45.97
15  Bangladesh     45.48
16  Cambodia       44.51
17  Indonesia      43.31
18  Tajikistan     43.01
19  Mozambique     42.98
20  Myanmar        42.85

These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** The percentage of unique users in the country with computers that blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products.

An average of 22.9% of computers globally faced at least one Malware-class local threat during the third quarter.

The safest countries in terms of local infection risks were: Spain (14.68%), Singapore (13.86%), Italy (13.30%), Finland (10.94%), Norway (10.86%), France (10.81%), Australia (10.77%), Czech Republic (9.89%), Croatia (9.70%), Ireland (9.62%), Germany (9.16%), the UK (9.09%), Canada (8.92%), Sweden (8.32%), the USA (8.08%), Denmark (6.53%), and Japan (6.53%).

Watch Out for Malware in Those Wikileaks Email Dumps

A security researcher found more than 300 instances of malware available for download on Wikileaks. Amid the vast treasure trove of state secrets that Wikileaks has released are quite a few emails containing malware, a Bulgarian security researcher discovered this week. Vesselin Bontchev, an engineer at Bulgaria's National Laboratory of Computer Virology, found that the Wikileaks database currently contains more than 300 emails with malicious attachments, The Register reports. Bontchev posted links to each of the emails on Github, as well as the URLs on the Wikileaks site that host the malware. Most of the emails are garden-variety phishing scams—the type that alert you to an important shipment or bank transfer coming your way and ask you to enter your personal details to confirm it. One appeared to be imitating shipping giant Maersk, and purported to have an invoice confirmation attached. Many others originated from or were sent to email addresses with Turkish domain names, possibly linking them to the more than 300,000 emails Wikileaks published following the failed military coup in Turkey last month. For each email, Bontchev included a link to online virus-scanning tool VirusTotal to confirm that the included attachment is indeed malware. "The list is by no means exhaustive; I am just starting with the analysis," he wrote on Github. "But what is listed below is definitely malware; no doubts about it." Wikileaks appears to offer no warnings on its website about potential malware contained in the emails it posts.

A spokesperson did not immediately respond to PCMag's request for comment on how it screens email attachments. After its 2010 release of American diplomatic cables propelled Wikileaks to international attention, the organization again generated controversy in the US last month when it posted hacked emails from the Democratic National Committee.

Founder Julian Assange has refused to identify the source of those emails, though many security experts—and the FBI—believe they may have been hacked by Russian cybercriminals.

WikiLeaks uploads 300+ pieces of malware among email dumps

Freedom. Justice. Openness.

And some entirely avoidable p0wnage for good luck

WikiLeaks is hosting 324 confirmed instances of malware among its caches of dumped emails, a top Bulgarian anti-malware veteran says. Random checks of reported malware hashes find the trojans are flagged as malware by Virus Total's static analysis checks. Much of the malware appears to be attachments emailed by black hats in a bid to compromise the various parties affected in the WikiLeaks dumps.

Dr Vesselin Bontchev (@bontchev) says the instances of malware are only those confirmed and found in an initial search effort. Dr Bontchev, an antivirus researcher of nearly 30 years and former founder of the National Laboratory of Computer Virology in Bulgaria, said there were "no doubts" that the malware hosted on WikiLeaks was indeed malware. "The list is by no means exhaustive; I am just starting with the analysis," Bontchev says. "But what is listed below is definitely malware; no doubts about it."

The document dumpster uploads attachments for the emails it releases but offers no warning about the security implications of downloading macro-enabled documents, executables, and other potentially malicious files. A feasibly simple antivirus check would have cleared a lot, if not all, of the attachment malware, given the huge 80 to 100 percent hit rate Virus Total returned when testing files selected randomly from Dr Bontchev's list.

Trump's 'extreme' anti-terrorism vetting may be H-1B nightmare

Donald Trump’s call for "extreme vetting" of visa applications, as well as the temporary suspension of immigration from certain countries, would raise fees and add delays for anyone seeking a visa, including H-1B visas, immigration experts said. In particular, a plan by Trump, the Republican presidential candidate, to stop issuing visas -- at least temporarily -- "from some of the most dangerous and volatile regions of the world" may make it difficult for a significant number of people to get visas. Data assembled by Computerworld through a Freedom of Information Act request shows foreign workers come from all corners of the world, including "dangerous and volatile regions." Trump outlined his immigration enforcement plan in a speech Monday. In 2014, the U.S. approved more than 370,000 H-1B applications.
Some were new entries, and others were for previously approved workers who were either renewing or updating their status. Of that number, 2,234 of the H-1B visa holders were from Pakistan, a country that might appear on a Trump list.

Another 1,102 approved visa holders were from Iran.

There were 658 H-1B visa holders from Egypt, and 256 were from Syria.

Country of Birth for H-1B Visa Holders

Country                         Frequency
INDIA                           262,730
CHINA                           29,936
CANADA                          7,653
PHILIPPINES                     6,055
KOREA, SOUTH                    5,024
UNITED KINGDOM                  3,822
MEXICO                          3,216
TAIWAN                          2,785
FRANCE                          2,570
JAPAN                           2,268
PAKISTAN                        2,234
NEPAL                           1,997
GERMANY                         1,895
TURKEY                          1,850
BRAZIL                          1,831
ITALY                           1,497
COLOMBIA                        1,491
RUSSIA                          1,461
VENEZUELA                       1,432
SPAIN                           1,329
IRAN                            1,102
NIGERIA                         1,015
ISRAEL                          949
IRELAND                         932
KOREA                           813
UKRAINE                         795
ARGENTINA                       778
MALAYSIA                        771
SINGAPORE                       755
VIETNAM                         695
EGYPT                           658
ROMANIA                         648
BANGLADESH                      647
INDONESIA                       637
SRI LANKA                       608
PERU                            583
POLAND                          576
AUSTRALIA                       564
GREECE                          556
SOUTH AFRICA                    547
HONG KONG                       503
BULGARIA                        477
THAILAND                        476
LEBANON                         462
JAMAICA                         461
KENYA                           437
NETHERLANDS                     432
JORDAN                          415
CHILE                           395
SWEDEN                          374
NEW ZEALAND                     353
GHANA                           341
TRINIDAD AND TOBAGO             333
ECUADOR                         302
SYRIA                           256
PORTUGAL                        253
SWITZERLAND                     249
BELGIUM                         238
DOMINICAN REPUBLIC              231
SAUDI ARABIA                    205
ZIMBABWE                        205
HUNGARY                         203
Spain                           189
AUSTRIA                         179
UNKNOWN                         179
DENMARK                         174
HONDURAS                        171
COSTA RICA                      165
UNITED ARAB EMIRATES            155
BOLIVIA                         150
CZECH REPUBLIC                  149
GUATEMALA                       149
EL SALVADOR                     147
SERBIA AND MONTENEGRO           142
KUWAIT                          141
MOROCCO                         138
ETHIOPIA                        133
CAMEROON                        126
FINLAND                         125
BAHAMAS                         123
MOLDOVA                         111
KAZAKHSTAN                      108
SLOVAK REPUBLIC                 103
CROATIA                         102
NORWAY                          102
ARMENIA                         101
UZBEKISTAN                      101
PANAMA                          99
URUGUAY                         94
ALBANIA                         88
UGANDA                          88
USSR                            87
Serbia                          86
LIBYA                           84
MONGOLIA                        83
TANZANIA                        83
BURMA                           76
NIGER                           74
LITHUANIA                       70
GEORGIA                         66
GRENADA                         58
SENEGAL                         58
BARBADOS                        57
MACEDONIA                       56
LATVIA                          54
AZERBAIJAN                      52
BOSNIA-HERZEGOVINA              51
CYPRUS                          51
ST. LUCIA                       51
IRAQ                            50
SLOVENIA                        50
BELIZE                          48
ICELAND                         47
ZAMBIA                          47
GUYANA                          45
NICARAGUA                       45
PARAGUAY                        45
BAHRAIN                         43
TUNISIA                         43
ALGERIA                         42
MAURITIUS                       42
DOMINICA                        40
USA                             39
ESTONIA                         35
KYRGYZSTAN                      34
HAITI                           30
RWANDA                          28
BURKINA FASO                    26
MACAU                           25
TURKMENISTAN                    25
CAMBODIA                        24
COTE D'IVOIRE                   24
TAJIKISTAN                      24
CONGO                           22
ST. KITTS-NEVIS                 22
SUDAN                           22
MALAWI                          21
OMAN                            21
ST. VINCENT/GRENADINES          21
MALI                            20
ANTIGUA-BARBUDA                 19
BOTSWANA                        18
IVORY COAST                     18
BERMUDA                         17
BENIN                           16
AFGHANISTAN                     15
Kosovo                          15
QATAR                           15
LUXEMBOURG                      13
MADAGASCAR                      13
Montenegro                      13
YEMEN-SANAA                     13
TOGO                            12
SIERRA LEONE                    11
YUGOSLAVIA                      11
GABON                           10
GAMBIA                          10
NORTHERN IRELAND                10
MALTA                           8
NAMIBIA                         8
SURINAME                        8
SWAZILAND                       8
BHUTAN                          7
FIJI                            7
FRENCH POLYNESIA                7
MOZAMBIQUE                      7
BURUNDI                         6
CUBA                            6
GUINEA                          6
LIBERIA                         6
BRUNEI                          5
NETHERLANDS ANTILLES            5
ARUBA                           4
ERITREA                         4
KIRIBATI                        4
LESOTHO                         4
MALDIVES                        4
MAURITANIA                      4
ANGOLA                          3
CAPE VERDE                      3
CHAD                            3
DEMOCRATIC REPUBLIC OF CONGO    3
SEYCHELLES                      3
UNITED STATES                   3
ANGUILLA                        2
LAOS                            2
SOMALIA                         2
ARABIAN PENINSULA               1
CAYMAN ISLANDS                  1
DJIBOUTI                        1
GERMANY, WEST                   1
GIBRALTAR                       1
GUINEA-BISSAU                   1
MARTINIQUE                      1
MONACO                          1
REUNION                         1
Samoa                           1
SAO TOME AND PRINCIPE           1
ST. VINCENT-GRENADINES          1
STATELESS                       1
TONGA                           1
TURKS AND CAICOS ISLANDS        1
VANUATU                         1

Source: USCIS data for approved applications in fiscal year 2014

Trump's plan to admit only people "who share our values and respect our people" didn't indicate how it would be applied.
It also didn't say whether all visa holders -- visitor, H-1B and green card -- would be subject to an ideological litmus test. And what is the correct answer to such a question about American values? "If you ask people born in this country what is an American ideology, I'm not quite sure that we would come out with one answer," said Jessica Lavariega-Monforti, a professor and chair of the political science department at Pace University in New York. "The immigration system, as it currently stands, could not process additional vetting without creating backlogs and increasing wait times for applicants.

At the same time, it is unclear how these policy changes would increase safety against a terrorist attack," said Lavariega-Monforti. John Lawit, an immigration attorney in Irving, Texas, said the U.S. already has a vetting process that begins as soon as someone applies for a tourist visa.

There are different levels of threat, such as being a citizen of Syria, that trigger a much higher level of vetting, he said. "There is a huge financial commitment that must be made in terms of human resources in order to carry on such a vetting program, and a huge, huge increase in fees," Lawit said. Requiring oaths of some kind is "a lot of posturing with very little substance," he added, and is ineffective in improving security. Lawit said he once assisted H-1B workers who were employed in non-classified jobs at the Sandia and Los Alamos National Laboratories.

The processing time for security checks could run months.

That's an example of extreme vetting, while "extraordinary detailed security investigations are conducted," he said. This story, "Trump's 'extreme' anti-terrorism vetting may be H-1B nightmare" was originally published by Computerworld.