Hello, welcome to the Wednesday, August 31st, 2016 edition of the Sansonet Storms and Stormcast.

My name is Johannes.

Orrache.

And today I'm recording from Jacksonville, Florida.

I've been looking a little bit more at the lucky emails that we see a lot of recently small change here in the way they operate.

Instead of using a JavaScript file or dot.js file, it now uses a Sipped Windows script file or dot WSF.

Well, it's really the same thing.

There's a slightly different header and, course a different extension, but other than

that, the same obfuscation techniques and everything. Sadly, antivirus still does a pretty

lousy job in detecting this downloader. It then goes down and downloads the actual ransomware,

and then that ransomware will register to host once the

infection started. Sort of interesting that the registration part always appears to use an IP address,

not an host name. All of this is pretty detect. So if you're still seeing these emails in your inbox, you probably are doing

something wrong in your mail server configuration. Make sure that you can just categorically

block all Sipped script files. And if you used one login to store secure notes, well, you have

a problem. Apparently, these notes were stored in the clear at one login and one login has now been breached.

Apparently what has been happening here is something that's all too common. They do store these notes encrypted, but apparently their logs still contained notes before they got encrypted,

so those logs then got leaked.

And with that, any notes that users left between June 2nd and August 25th, apparently this covers 12 million customers. There shouldn't really be a good

reason for them to log these notes in clear text, but it's something that I have seen over and over

again with credit card numbers, with passwords, where yes, they're stored encrypted in a database or with credit card numbers.

They're being thrown away after being sent to the processor, but logs still contain that data.

...