Ransomware Negotiation, Windows 10 Backdoor, Fileless Malware Removal: Security Snacks Oct-24-18


Adaptiva presents Security Snacks

This week in security snacks, we have:

  • Ransomware negotiation tips
  • A Windows 10 backdoor
  • Phisher’s Favorites
  • Industrial site insecurity
  • Fileless malware removal

Let the snacking begin….

Ransomware Negotiation Tips


If you ever have to pay extortion money to restore data held hostage, proceed carefully and use best practices for negotiating the process.


Paying ransomware is a last resort! I hope none of you ever face it. If you do though, here are seven best practices to maximize the chances of a successful restoration.

  • Engage with the hackers quickly
  • Verify that the attacker has your data and can decrypt it
  • Don’t be afraid to haggle on price
  • Determine who should lead negotiations with cybercriminals
  • Have a plan to deal with all internal and external stakeholders
  • Know the laws and regulations
  • Invest in security rather than stockpile bitcoin


For a lot more detail on how to negotiate with data extortionists, read this CSO Online feature titled 7 best practices for negotiating ransomware payments.

Windows 10 Backdoor Escalates Local Privileges


Ne’er-do-well cyberacckers can give Windows 10 guest/local accounts admin rights, and Microsoft has not released a fix or solution as of yet.


Evildoers can use a backdoor to elevate Windows 10 guest/local account privileges by monkeying with the registry. According to ZDNet, “the technique targets one of the parameters of Windows user accounts known as the Relative Identifier (RID).” It’s a code at the end of each account security identifier (SID) that defines the user’s permissions group (501 for guest, 500 for admin, etc.).

If  you’d like to actually understand this, you may want to watch this YouTube video of an explanation from the security researcher who discovered it.

Microsoft has not responded, and it’s not clear how significant the threat is. Obviously, a person has to have access to the system in the first place to use this.


Read more in this ZDNet article, Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months.

Phisher’s Favorites


You can’t stop users from clicking on phishing emails, but maybe you can raise their awareness by tell them which brands are most frequently impersonated.


A security company tracks and reports on the most common phishing attacks, and publishes a quarterly Phisher’s Favorites. The latest release reveals that:

  • Microsoft tops the list as the most impersonated company
  • About 95% of all phishing attacks come from just 86 brands
  • LinkedIn is rising like a bullet, up 51%
  • Facebook is dropped a few spots from #3 to #6

In case you didn’t know, you can test whether a site is real or phishing at


Get the full list of the top 25 plus analysis in this article by Zeljka Zorz of Help Net Security, Phishing attacks becoming more targeted, phishers love Microsoft the most.

Industrial Systems Security = BAD


IT pros responsible for industrial systems should revisit security basics because they frequently display the most elemental vulnerabilities.


According to a new Global ICS & IIoT Risk Report, industrial systems are alarmingly insecure. This is attributed largely to legacy systems and protocols that can’t be secured and updated as easily as more modern tech. Some of the biggest vulnerabilities found include:

  • 69% of systems show plaintext passwords on crossing the network (SNMP & FTP)
  • 57% of industrial sites do not update antivirus software automatically
  • Over half are running legacy systems like Windows XP
  • Air gapping is weak; 40% of sites have direct Internet-connected systems

Experts may debate the reasons industrial sites have weaker security than the typical enterprise, but at the end of the day it’s not relevant. When it comes to security in 2018, you need protection not excuses..


Learn more in this Security Week article from Eduard Kovaks, titled Plaintext Passwords Often Put Industrial Systems at Risk: Report.

Fileless Malware Is After Your CPU Cycles!


Fileless malware is one the rise so you should know how to see it if you have it, and how to track it down and kill it.


Fileless malware is commonly used in cryptomining and clickfraud attacks. It is largely impervious to antivirus/antimalware file scans, though may have small files like shortcuts or script files (.bat, .vbs, .ps1) that point to the malware they load.

An oversimplified summary of fileless malware removal:

  • Common symptoms include high CPU usage and errors like “Windows PowerShell has stopped working”
  • Identification is the hard part, and often starts with a “load point”
    • Then may require hunting through scripts and shortcuts to eventually reveal the source
  • Once found, removal can be expedited with tools such as Autoruns and Process Explorer

Removing fileless malware does not usually require esoteric technical skills; however, it can be quite time consuming.


To learn more, read the Security Boulevard article, How to remove fileless malware. It contains lengthy examples of fileless malware removal — with copious screenshots.

Bill Bernat
Director of Product and Content Marketing, Adaptiva

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.