Hackers Behind Healthcare Espionage Infect X-Ray and MRI Machines

Security researchers have uncovered a new hacking group that is aggressively targeting healthcare organizations and related sectors across the globe to conduct corporate espionage.

Dubbed "Orangeworm," the hacking group has been found installing a wormable trojan on machines hosting software used for controlling high-tech imaging devices, such as X-Ray and MRI machines, as well as machines used to assist patients in completing consent forms.

After getting into the victim's network, attackers install a trojan, dubbed Kwampirs, which opens a backdoor on the compromised computers, allowing attackers to remotely access equipment and steal sensitive data.

While decrypting, the Kwampirs malware inserts a randomly generated string into its main DLL payload in an attempt to evade hash-based detection. The malware also starts a service on the compromised systems to persist and restart after the system reboots.
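To illustrate why the random-string trick defeats exact-hash indicators and why a signature built on the invariant bytes still matches, here is an added example (not from the original article, and not Kwampirs' real layout): the payload bytes, the `TAG=` field and the fragment list are constructed stand-ins.

```python
import hashlib
import os

# Constructed stand-in for a payload whose invariant code is padded with a
# per-sample random string. These bytes are illustrative only, not Kwampirs.
CODE_HEAD = b"MZ\x90\x00" + b"\x55\x8b\xec\x83\xec\x10"          # constructed "code"
CODE_TAIL = b"\x8b\x45\x08\x5d\xc3" + b"KERNEL32.dll\x00CreateServiceA\x00"

def build_variant(random_tag: bytes) -> bytes:
    """Same invariant code, different embedded random string (assumed format)."""
    return CODE_HEAD + b"TAG=" + random_tag + b"\x00" + CODE_TAIL

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_ioc_match(sample: bytes, known_hashes) -> bool:
    """Exact-hash indicator: only matches bytes that were already seen."""
    return sha256_hex(sample) in known_hashes

# Structural signature: byte fragments that survive the random insertion.
SIGNATURE = [CODE_HEAD, CODE_TAIL]

def structural_match(sample: bytes, fragments=SIGNATURE) -> bool:
    """True when every invariant fragment appears in order, whatever was
    inserted between them (a YARA-style rule would do the same)."""
    pos = 0
    for frag in fragments:
        idx = sample.find(frag, pos)
        if idx < 0:
            return False
        pos = idx + len(frag)
    return True

def demo() -> dict:
    first = build_variant(b"a9f3c2")                        # sample already on the IoC list
    second = build_variant(os.urandom(8).hex().encode())    # fresh infection, new random tag
    known = {sha256_hex(first)}                             # hash-based blocklist
    return {
        "hash_first": hash_ioc_match(first, known),      # True
        "hash_second": hash_ioc_match(second, known),    # False: hash IoC misses it
        "struct_first": structural_match(first),         # True
        "struct_second": structural_match(second),       # True: invariant bytes still match
    }

if __name__ == "__main__":
    print(demo())
```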

Kwampirs then collects basic information about the compromised computer and sends it to a remote command-and-control server, which the group uses to determine whether the hacked system belongs to a researcher or is a high-value target.

Besides healthcare providers and pharmaceutical companies, which account for nearly 40% of targets, Orangeworm has also launched attacks against other industries including information technology, manufacturing, agriculture, and logistics.

City of Atlanta Ransomware Attack Proves Disastrously Expensive

Over the course of the last week, it has become apparent that the City of Atlanta, Georgia, has paid out nearly $3 million in contracts to help its recovery from a ransomware attack on March 22, 2018 -- which (at the time of writing) is still without resolution.

Precise details on the Atlanta contracts are confused and confusing -- but two consistent elements are that SecureWorks is being paid $650,000 for emergency incident response services, and Ernst & Young is being paid $600,000 for advisory services for cyber incident response. The total for all the contracts appears to be roughly $2.7 million. The eventual cost will likely be higher, since this figure doesn't include lost staff productivity or the billings of a law firm reportedly charging Atlanta $485 per hour for partners and $300 per hour for associates. The ransom demand was for around $51,000.

The ransomware used in the attack was SamSam. In February this year, SecureWorks published a report on SamSam attributing it to a group it tracks as Gold Lowell. Gold Lowell is unusual among ransomware operators in that it typically compromises its victims' networks in advance of encrypting any files.

SecureWorks makes two specific points about Gold Lowell that might be pertinent to the Atlanta incident. Firstly, "In some cases where the victim paid the initial ransom, GOLD LOWELL revised the demand, significantly increasing the cost to decrypt the organization's files in an apparent attempt to capitalize on a victim's willingness to pay a ransom." Atlanta officials have always declined to comment on whether they paid, or attempted to pay, the ransom.

Secondly, "GOLD LOWELL is motivated by financial gain, and there is no evidence of the threat actors using network access for espionage or data theft." Atlanta officials were quick to claim that no personal data was lost in the attack.

Also worth considering is the SamSam attack on Hancock Health reported in January this year. Hancock chose to pay a ransom of around $55,000, and recovered its systems within a few days. It later admitted that it would not have been able to recover from backups since the attackers -- who sound like the Gold Lowell group -- had previously compromised them.

The extended dwell time by the Gold Lowell group prior to encrypting files and making a ransom demand would explain the extreme difficulty that Atlanta is experiencing in trying to recover from the attack. The Hancock incident suggests that rapid payment might have resulted in file recovery, but SecureWorks also suggests it might have led to a further demand.

There are also indications that Gold Lowell's dwell time could have been extensive and effective. According to WSB-TV, Atlanta officials had been warned months in advance that at least one server was infected with malware, and that in February that server had contacted a blacklisted IP address associated with known ransomware attacks. Whether the incidents are directly connected will only come out with forensic analysis.

However, the few facts that are known raise a very complex ethical issue. Atlanta seems to have chosen to pay nearly $3 million of taxpayer money rather than just $51,000, possibly on a point of principle. That principle is supported by law enforcement agencies around the world, who advise that ransoms should not be paid. In this case, the sheer disparity between the cost of the ransom and the ransomware restitution (more than 50-to-1 and growing), all of which must be paid with someone else's money, makes it reasonable to question the decision.

Former SunTrust Employee Steals Details on 1.5 Million Customers

The employee appears to have stolen data from some of the company's contact lists, the company says. SunTrust is already informing impacted clients and is working with outside experts and coordinating with law enforcement on investigations.

The stolen information includes names, addresses, and phone numbers, along with certain account balances, as this was the data included in the contact lists, the company confirmed.

Personally identifying information such as social security numbers, account numbers, PINs, User IDs, passwords, or driver's license information wasn’t included in the lists.

“We apologize to clients who may have been affected by this. We have heightened our monitoring of accounts and increased other security measures. While we have not identified significant fraudulent activity, we will reinforce our promise to clients that they will not be held responsible for any loss on their accounts as a result,” Bill Rogers, SunTrust chairman and CEO, said.

Rogers also underlined that the company is focused on protecting its customers and that it is determined to help all SunTrust clients to combat the increasing concern about identity theft and fraud. SunTrust is now offering Identity Protection for all current and new consumer clients, the company announced.

Millions of Chrome Users Have Installed Malware Posing as Ad Blockers

As if trying to navigate your online privacy wasn’t complicated enough, it turns out the adblocker you installed on your browser may actually be malware.

Andrey Meshkov, the cofounder of ad-blocker AdGuard, recently got curious about the number of knock-off ad blocking extensions available for Google’s popular browser Chrome. These extensions were deliberately styled to look like legitimate, well-known ad blockers, but Meshkov wondered why they existed at all, so he downloaded one and took a look at the code.

Meshkov discovered that the AdRemover extension for Chrome—which had over 10 million users—had code hidden inside an image that was loaded from the remote command server, giving the extension creator the ability to change its functions without updating. This alone is against Google’s policy, and after Meshkov wrote about a few examples on AdGuard’s blog, many of which had millions of downloads, Chrome removed the extensions from the store. I reached out to Google, and a spokesperson confirmed that these extensions had been removed.

Though Meshkov didn’t immediately see what the extension was collecting data for, he said having this link to a remote server is dangerous because it could change your browser behavior in many ways. Meshkov said it could alter the appearance of pages, scrape information from the user, or load additional extensions that a user hasn’t installed.

So what should you do when all the sketchy extensions look just like the real deal? Meshkov recommended looking up the developer website for the extension you want, and they’ll have a link to the store where you can install it. And just be careful about what you install on your browser.

How to Make Your Android Faster

Your Android phone or tablet probably seemed fast when you first bought it. As time goes by, particularly if you upgrade the operating system or add a lot of apps, it may seem to be running slower. There are a few simple steps you can take to improve the speed of your device.

Free Up Space

Your device will run faster if its storage isn't maxed out.

  • Evaluate the apps you have on your phone or tablet and remove any of the ones you no longer need or use. This frees up space on the device. To delete an app you downloaded, go to the settings and look for the App Manager. Sometimes it's hidden but just look around for it. Tap any app listed in the App Manager that you want to uninstall to open its info screen. Tap the Uninstall button at the bottom of the screen to remove it.
  • Also, disable any apps that came on your mobile device but that you don't use. In most cases, you go to the App Properties to disable an app.
  • Look at your photo and music libraries. If you take several photos each time–just to get the best one–you can delete all those extra shots. If you see songs that you thought you'd listen to but haven't, get rid of them.
  • Check your Downloads folder. You may find it crammed full of files you no longer need.
  • Go to the settings and open the storage page. Look for an "Other" or "Misc" heading. Tap it and you'll probably see a bunch of files that apps downloaded to your phone or tablet. If you're sure you no longer need a file, delete it. If you aren't sure, leave it there.

Go Widget and Animation Free

As with apps, widgets that you don't need should be disabled. The widgets or launcher you use may provide animations and special effects that look great, but they can slow down your phone or tablet.

Check in your launcher to see if you can disable these extra effects and gain a little speed.

Close Apps You Aren't Using

Keeping several apps open makes it easy to multitask, but closing open apps improves speed. Just pull up the running apps list, which shows which apps are running and how much memory they are using, and close the ones you don't need open.

Clear the Cache

Go to the device storage page in settings. Look for a Cached data entry and tap on it. You'll have an option to clear out all the cached data.

Restart the Phone or Tablet

The trusty restart has been a problem-solver since the beginning of the computer age. Put it to use with your phone or tablet occasionally. A restart can clear caches and clean up the system for a new—hopefully faster—start.

Know Which Apps Are Power Hungry

Monitor which apps use the most battery power (usually in Settings > Battery) and be aware of which apps use the most RAM (usually in Settings > Apps or Apps Manager, depending on the device).

Download Apps that Boost Android Performance

Apps that remove duplicate files from your phone or that declutter it help keep the phone in its best operating condition. There are several of these on the market. Among them are:

  • Greenify - stops background apps from draining the battery
  • File Commander - displays an overview of storage and identifies the categories that are using the most storage: Videos, Music, Pictures or Downloads.
  • SD Maid - includes four individual tools—CorpseFinder, System Cleaner, App Cleaner, and Databases—each of which handles a different job. There are also tools for locating and deleting duplicate files.

Turn to the Final Option

If all else fails, and your Android phone or tablet is running unbearably slow, go for a factory reset. Your apps and data disappear (yes, all of them) and the phone returns to its original factory condition. You'll need to redownload the apps you want.

Depending on your phone or tablet, look in settings for "backup" or "restore" or "privacy" to locate the factory reset option. After the reset is complete, your device should be back to running smoothly.