Archive for the ‘Dubai and regional news’ category

Diwali greetings 19 October 2017 from Synergy Software Systems

October 19th, 2017

Known as Deepavali, a Sanskrit word meaning “rows of lighted lamps”, it is one of the most popular Hindu festivals celebrated across South Asia. But it is also celebrated by Jains and Sikhs.

Diwali, the festival of lights, sees millions attend firework displays, prayers and celebratory events across the world every autumn. The main theme is the triumph of light over darkness and good over evil, something to which we can all relate no matter what our religion.

Diwali falls between October and November, but the exact date changes each year as it is marked by the Hindu lunar calendar. It lasts five days in total, with the festival of lights falling on the third day of celebrations, which is marked on the 15th day of the Hindu month Kartik. This year that falls on 19 October.

The festivities begin with Dhanteras, followed by ‘Narak Chaturdasi’, Deepawali on the third day, ‘Diwali Padwa’ on the fourth, and end with ‘Bhai Dooj’.

May The Beauty Of Deepavali Season
Fill Your Home With Happiness,
And May The Coming Year
Provide You With All
That Bring You Joy!

When You Can Make Someone Else Smile
When You Can Be Someone’s Ally
That’s When You Can Yourself Be Glad
That’s When You’ll Have A Happy Diwali!

Deepawali Ka Ye Paawan Tyohar,
Jeevan Mein Laye Khushiya Aapar,
Laxmi Ji Viraje Aapke Dwar,
Subhkamnayen Hamari Karen Sweekar!!
Wish You And Your Family A Very Happy Diwali

Please note that Synergy offices will close at 5 pm today.

VAT registration U.A.E. – act now deadlines are imminent

October 17th, 2017

The UAE Federal Tax Authority (FTA) online portal is open 24/7 to allow taxpayers to register for VAT purposes. The FTA has also determined the deadlines for the application for VAT registration based on business turnover.
For larger companies VAT registration is required by 31 October 2017, and such businesses should immediately consider the timeline requirement given their turnover profile and the other registration requirements.
Businesses that are required to register for VAT will need to set up an online account on the FTA website and complete the VAT registration form.

The FTA has announced that a phased registration approach has been introduced. In particular, those businesses that meet these criteria must comply with the relevant application dates for registration:
● Businesses with an annual turnover exceeding AED 150 million must apply for registration by 31 October 2017
● Businesses with an annual turnover exceeding AED 10 million must apply for registration by 30 November 2017
● Remaining businesses with an annual turnover exceeding the mandatory registration threshold (expected to be AED 375,000) must apply for registration by 4 December 2017

Prior to completion of the VAT registration form, the FTA provides a “Getting Started Guide” that shares essential information that businesses should be aware of. This includes information on the registration criteria, registration of a VAT group, and the necessity to register if only zero-rated supplies are made.

Additional details clarifying the VAT registration mechanism are found in the VAT registration guide, a document posted on the FTA online portal under the “Advice” tab. This document captures the calculation of turnover for VAT purposes, a walk-through of VAT registration through the FTA registration portal, registration of a VAT group and types of books and records required to be held by a taxpayer to ensure accurate tax compliance.

We strongly advise businesses to visit the FTA website to initiate their VAT registration application by their applicable deadline after having considered the guidance provided by the FTA and other advice as required (for instance VAT Grouping).
Businesses should allow time to compile the required information for the VAT registration.

VAT in the U.A.E. – time to act.

October 16th, 2017


VAT, as a general consumption tax, will apply to the majority of transactions in goods and services. A limited number of reliefs may be granted.

As a result, the cost of living is likely to increase slightly, but this will vary depending on an individual’s lifestyle and spending behaviour. If an individual spends mainly on those things which are relieved from VAT, he is unlikely to see any significant increase.

The government will include rules that require businesses to be clear about how much VAT an individual is required to pay for each transaction. Based on this information, individuals can decide whether to buy something.

Implication of VAT on businesses

Businesses will be responsible for carefully documenting their business income, costs and associated VAT charges. Businesses that meet the minimum annual turnover requirement (as evidenced by their financial records) will be required to register for VAT. Businesses that do not think that they should be VAT registered should maintain their financial records in any event, in case the ministry needs to establish whether they should be registered. The FTA does have the power to conduct audits on taxable persons and subsequently impose penal measures on those that are not compliant with the law.

A business must register if the total value of their taxable supplies made within the UAE exceeds the mandatory registration threshold over the previous 12 month period, or they anticipate making taxable supplies with a value exceeding the mandatory registration threshold in the next 30 days.

The mandatory registration threshold is AED 375,000.

A business may also apply to register if they do not meet the mandatory registration criteria and the total value of their taxable supplies or taxable expenditure in the previous 12 months exceeds the voluntary registration threshold, or they anticipate that the total value of their taxable supplies or taxable expenditure will exceed the voluntary registration threshold in the next 30 days.

The voluntary registration threshold is AED 187,500.

For the purposes of understanding whether a registration obligation exists, a taxable supply refers to a supply of goods or services, made by a business in the U.A.E., that may be taxed at a rate of either 5%, or 0%. Imports are also taken into consideration for this purpose, when a supply of such goods or services would be taxable when made within the U.A.E.

VAT registration requires some official documents. Before submission of an application some important documents must be completed. Businesses will get VAT registration in the form of a VAT certificate, with the help of official documents. Every VAT certificate will have a specific identification number. The identification number will be essential for all the tasks to be carried out for VAT in the UAE.

The process for VAT registration and fee submission will be done online. The following documents are required for the registration of VAT in the UAE:
1. Copy of Trade License
2. Passport copy of the owner/partners who own the license
3. Copy of Emirates ID of the owner/partners who own the license
4. Memorandum of Association (MOA)
5. Contact Details of company (complete address & P.O Box)
6. Concerned person contact details
7. Email of the concerned person
8. Copy of all bank accounts and statements including IBAN
9. Does the owner have any other entities?
10. Income statement for the last 12 months
11. Expected revenue and expense for the next 30 days after VAT implementation
12. Are they exporting, or importing?
13. Are they dealing with any customs department? If yes, what is the customs code?
14. Are they doing business with any other G.C.C. country? (Country name)
15. If they are representing more than one entity, whether they want one tax group number for all of the entities, or separate tax numbers for each entity.
16. Experience of business (Owners or directors involved in any previous businesses in the last 5 years?)

The submission of the documents will be done when you have registered online.
After online VAT registration and fees payments, you will be allowed to submit the documents. After the verification of the documents and completion of the process, a VAT certificate will be provided.

VAT will be charged at 0% in respect of the following main categories of supplies:

• Exports of goods and services to outside the GCC States that implement VAT
• International transportation, and related supplies
• Supplies of certain sea, air and land means of transportation (such as aircrafts and ships)
• Certain investment grade precious metals (e.g. gold, silver, of 99% purity)
• Newly constructed residential properties, that are supplied for the first time within 3 years of their construction
• Supply of certain education services, and supply of relevant goods and services
• Supply of certain Healthcare services, and supply of relevant goods and services

The following categories of supplies will be exempt from VAT:

• The supply of some financial services
• Residential properties
• Bare land
• Local passenger transport

Registered businesses and traders will charge VAT to all of their customers at the prevailing rate and incur VAT on goods/services that they buy from suppliers. The difference between these sums is reclaimed or paid to the government.

VAT-registered businesses generally:
• must charge VAT on taxable goods or services they supply
• may reclaim any VAT they have paid on business-related goods or services
• keep a range of business records which will allow the government to check that they have got things right.

VAT-registered businesses must report the amount of VAT they have charged and the amount of VAT they have paid to the government on a regular basis. It will be a formal submission and it is likely that the reporting will be done online.

If they have charged more VAT than they have paid, they have to pay the difference to the government. If they have paid more VAT than they have charged, they can reclaim the difference.

Please note there will be a year-end rush on consulting services; we have already received over 100 inquiries for software consulting support, so don’t leave it too late.

Happy 25th anniversary Bayara

October 1st, 2017

Just a short note of congratulations to our customer Bayara celebrating their 25th anniversary (just a year behind our 25th anniversary).

It’s always satisfying to see our customers grow using the solutions we implemented and support for them, proving that the right business systems and partner add value.

Synergy Software Systems at the Microsoft Manufacturing Masterclass

September 27th, 2017

A packed house for the Microsoft Manufacturing Masterclass today with stimulating presentations on Digital transformation.

Industry 4.0 : Digitalization of the Manufacturing Sector Masterclass – Meet Synergy Software Systems Manufacturing experts tomorrow H Hotel Dubai

September 26th, 2017

Hear from industry experts, network, meet with us and let us show you Dynamics 365 Finance and Operations Enterprise at this Microsoft Gulf sponsored Manufacturing Master Class.

08:00 – 09:00 Registration
09:00 – 09:20 Omar Saleh – Microsoft – Industry Director, Manufacturing MEA
09:20 – 09:50 Gert Thoonen – Business Development Network & Security Services, ME – Rockwell Automation
09:50 – 10:20 Nicholas Brunet – Middle East Regional Business Leader – 3M
10:20 – 10:50 Mustafa Farhan – Strategic Transformation Lead, Middle East and Africa, Microsoft
Break
11:00 – 11:30 Suryanka Jatain – Principal – Digital Strategy and Transformation – KPMG
11:30 – 12:00 Assem Khalaili – Executive Vice President, Customer Services – MEA Digital Factory – Process Industries & Drives – Siemens
12:00 – 12:30 Charif Hamidi – Senior Consultant – Strategy – EY

Join us for lunch.
If you have not yet registered then call us now on 00971 43365589 or email Suresh Savari

Dynamics 365 Enterprise Finance and Operations – G.C.C. HR and Payroll from Synergy Software Systems

August 10th, 2017

Our popular Ax 2012 R3 HR and Payroll software was implemented in more than 40 companies.
It is now available in Dynamics 365 Enterprise Finance and Operations, with the first implementation already started.

The product includes comprehensive payroll features as well as automation of many day to day processes for HR and PRO staff.

Extensive Power BI analysis, T&A integration, and mobile approval are additional features.

VAT for the U.A.E. some updates – July 2017

July 15th, 2017

Any taxable person must retain VAT invoices issued and received for a minimum of 5 years.

Imports
The place of supply will determine whether a supply is made within the UAE (in which case the UAE VAT law will apply), or outside the UAE for VAT purposes. For a supply of goods, the place of supply should be the location of goods when the supply takes place – with special rules for certain categories of supplies (e.g. water and energy, cross border supplies).

For the supply of services, the place of supply should be where the supplier is established – (with special rules for certain categories of supplies e.g. cross border supplies between businesses).

VAT shall be payable in addition to the customs duties paid by the importer of the goods and cannot be deducted against them. VAT shall be computed on the value that includes the customs duties.

Some goods that are imported may be exempt from customs duties but be subject to VAT.

VAT is due on the goods and services purchased from abroad. In case the recipient in the State is a registered person with the Federal Tax Authority for VAT purposes, the VAT would be due on that import using a reverse charge mechanism. In case the recipient in the State is a non-registered person for VAT purposes, VAT would be paid on import of goods from a place outside the GCC. Such VAT will typically be required to be paid before the goods are released to the person.

Exempt and zero rate
- The VAT treatment of real estate will depend on whether it is a commercial or residential property.
Supplies (including sales or leases) of commercial properties will be taxable at the standard VAT rate (i.e. 5%).
- Supplies of residential properties will generally be exempt from VAT to ensure that VAT does not constitute an irrecoverable cost to persons who buy their own properties. To ensure that real estate developers can recover VAT on construction of residential properties, the first supply of residential properties within 3 years from their completion will be zero-rated.

There is a difference between exempt goods and zero-rated goods (for example, the zero rate might be raised in future).
VAT will be charged at 0% in respect of the following main categories of supplies:
• Exports of goods and services to outside the GCC;
• International transportation, and related supplies;
• Supplies of certain sea, air and land means of transportation (such as aircrafts and ships);
• Certain investment grade precious metals (e.g. gold, silver, of 99% purity);
• Newly constructed residential properties, that are supplied for the first time within 3 years of their construction;
• Supply of certain education services, and supply of relevant goods and services;
• Supply of certain Healthcare services, and supply of relevant goods and services.

The following categories of supplies will be exempt from VAT:
• The supply of some financial services (clarified in VAT legislation);
• Residential properties;
• Bare land;
• Local passenger transport

Financial Services
It is expected that fee based financial services will be taxed but margin based products are likely to be exempt.
Generally, insurance (vehicle, medical, etc) will be taxable.
Life insurance, we understand, will be treated as an exempt financial service.

The VAT treatment of Islamic finance products will be aligned with the treatment of similar standard financial services.

Businesses that meet the requirements of the legislation (such as being resident in the UAE and being related/associated parties) will be able to register as a VAT group. For some businesses, VAT grouping will be a useful tool to simplify accounting for VAT.

Offsetting VAT.
VAT registered businesses will be able to reduce their output tax liability by the amount of VAT that relates to bad debt which has been written off by the VAT registered business. The legislation will include the conditions and limitations concerning the use of this relief.

A scheme will be introduced to allow a UAE national who is not registered for VAT to reclaim VAT paid on goods and services relating to constructing a new residence which will be privately used by the person and his family. This will allow the recovery of VAT on such expenses as contractor’s services and building materials.

To avoid double taxation (where second hand goods are acquired by a registered person from an unregistered person for the purpose of resale), the VAT-registered person will be able to account for VAT on sales of second hand goods with reference to: the difference between the purchase price of the goods, and the selling price of the goods (that is, the profit margin).

The VAT which must be accounted for by the registered person, will be included in the profit margin. The legislation will include the details of the conditions to be met in order to apply this mechanism.

VAT on expenses
A VAT registered person incurs input tax on its business expenses, and this input tax can be recovered in full when it relates to a taxable supply that was made, or intended to be made, by the registered person. In contrast, where the expense relates to a non-taxable supply (e.g. exempt supplies), then the registered person may not recover the input tax paid.

VAT will not be deductible in respect of expenses incurred for making non-taxable supplies. Furthermore, input tax cannot be deducted when it is incurred in respect of specific expenses such as entertainment expenses e.g. for employee entertainment.

VAT on expenses that were incurred by a business can be deducted in the following circumstances:
• The business must be a taxable person (the end consumer cannot claim any input tax refund).
• VAT should have been charged correctly (i.e. unduly charged VAT is not recoverable).
• The business must hold documentation showing the VAT paid (e.g. valid tax invoice).
• The goods or services acquired are used or intended to be used for making taxable supplies.
• VAT input tax refund can be claimed only on the amount paid or intended to be paid before the expiration of 6 months after the agreed date for the payment of the supply.

In certain situations, an expense may relate to both taxable and non-taxable supplies made by the registered person (such as activities of the banking sector). In these circumstances, the registered person would need to apportion input tax between the taxable and non-taxable (exempt) supplies.

Businesses will be expected to use input tax (ratio of recoverable to total) as a basis for apportionment in the first instance – (there will be the facility to use other methods where those are fair and agreed with the Federal Tax Authority).

Compliance and returns
Penalties will be imposed for non-compliance. Examples of actions and omissions that may give rise to penalties include:
• A person failing to register when required to do so;
• A person failing to submit a tax return or make a payment within the required period;
• A person failing to keep the records required under the issued tax legislation;
• Tax evasion offences where a person performs a deliberate act or omission with the intention of violating the provisions of the issued tax legislation.

No special rules are planned for small or medium sized enterprises. The FTA will make materials and resources available to these entities to assist them in their enquiries.

A supplier registered or required to be registered for VAT must issue a valid VAT invoice for the supply. To be considered as a valid VAT invoice, the document must follow a specific format as mentioned in the legislation. In certain situations the supplier may be able to issue a simplified VAT invoice.

Government entities
Supplies made by government entities will typically be subject to VAT. This will ensure that government entities are not unfairly advantaged as compared to private businesses. Certain supplies made by government entities will, however, be excluded from the scope of VAT if they are not in competition with the private sector or where the entity is the sole provider of such supplies. It is likely certain government entities will be entitled to VAT refunds – this is designed to avoid budgeting issues and provide a level playing field between outsourced and insourced activities. For supplies provided to government entities, the treatment shall depend on the supply itself and not on the recipient of the supply. Therefore, if the supply is subject to the standard tax rate, the treatment would remain the same even if it is provided to a government entity.

Transitional rules
Special rules will be provided to deal with various situations that may arise in respect of supplies that span the introduction of VAT. For example:
• Where a payment is received in respect of a supply of goods before the introduction of VAT, but the goods are actually delivered after the introduction of VAT. This means that VAT will have to be charged on such supplies. Likewise, special rules will apply with regards to supplies of services spanning the introduction of VAT.
• Where a contract is concluded prior to the introduction of VAT in respect of a supply, which is wholly or partly made after the introduction of VAT, and the contract does not contain clauses relating to the VAT treatment of the supply, then consideration for the supply will be treated as inclusive of VAT.

There will, however, be special provisions to allow suppliers to charge VAT in situations where their recipient is able to recover their VAT but where there is no VAT clause.

Payments and claims
Note that VAT will be payable in full, not after netting off input tax, which will then have to be claimed. This is more of a challenge for cash flow and business risk, especially given the penalties for late payments.
Refunds will be made after the receipt of the application and will be subject to verification checks, with a particular focus to avoid fraud.

The FTA may provide its views on various matters in the law. Taxpayers may choose to challenge these views. However, penalties may be imposed on taxpayers who are found to violate any tax laws and regulations.

Other Emirates
It is expected that businesses will need to complete additional information on their VAT returns to report revenues earned in each Emirate. Guidance will be provided to businesses with regards to this. It is expected that the rules will be relatively straightforward for most businesses and will be based, for example, for B2C transactions, on the location of the transaction (e.g. in a retail environment, the location of the shop).

VAT in Dubai starts 1 Jan 2018 – summary

July 4th, 2017

• Date of implementation: January 1, 2018
• VAT rate: 5%
• What is exempted: 100 types of staple food, and other essential service sectors such as healthcare and education
• What is not: electronics, smart phones, cars, jewellery and watches, eating out and entertainment
• Inflation: Experience in other markets says there will be some impact on both inflation and GDP. Given the low start rate it will have less impact here.
• While the impact of tax on property transactions will impact those above the upper middle income group, there may well be a knock-on effect on rents, and it’s likely that the cost of related financial services will hit everyone.
• VAT will also have an effect on the buying power of tourists, who may also have to pay duty tax again on certain goods in their country of origin.

There will be a number of items that will be VAT-exempt. Younis Al Khouri, undersecretary at the Ministry of Finance, has said that GCC states had already agreed to exempt about 94 food products, as well as the healthcare and education sectors. A new law, however, has yet to be released to specify which items are non-taxable.

Expect electronics, clothes, home furnishings, cars etc. to cost more once VAT is implemented.
If you want to own a brand-new mobile phone that costs Dh2,600, for instance, prepare to pay an extra Dh130. In some cases for white goods, manufacturers may absorb some of the 5 per cent to keep their products competitive, but in other countries VAT has often resulted in prices being rounded up. Also, non-VAT items tend to look more cost-favourable, and that often leads to retailers pushing up prices on those goods.

Since the VAT law is not out yet, we don’t know the impact on air tickets. In the VAT implementations of other countries, for instance the UK and Singapore (where VAT is called GST), passenger transport carries VAT at zero percent. Increases will likely hit tourism.

Tourism spending is a major source of revenue for the UAE and goods purchased by visitors will not be exempted at the point of sale. Anyone buying perfumes, make-up, luxury bags and big-ticket items in the UAE can expect to pay an additional 5 per cent of the sale price. The Ministry of Economy, however, assured that the tax rate is “deliberately low so that VAT is a limited burden on all consumers.” It also remains to be seen whether tourists will be given the option to obtain a tax refund at some point, as observed in other countries; it appears not, because the relative number of tourists to residents is particularly high here.

The UAE is not discounting the possibility of collecting other forms of tax. “As per global best practice, the UAE is exploring other tax options as well. However, these are still being analysed and it is unlikely that they will be introduced in the near future. The UAE is not currently considering personal income taxes, however,” said the Ministry of Finance.

Businesses are encouraged to implement the new tax system; initial indications are that there will be swingeing penalties for late or incorrect returns. Those with annual turnover of more than AED375,000 (approximately US$100,000) are mandated to register.

Not all businesses in the UAE will need to go through the tedious process of registering for the value-added tax. The Ministry of Finance issued an announcement that states that businesses with a turnover of AED375,000 are required to register for value-added tax (VAT) which will be implemented in the UAE on 1 January 2018.

The ministry has announced that those with revenue below AED375,000 but over AED187,500 will have an option to register. This means that they may, if they like, register under VAT. But if they don’t, then they do not have to collect VAT from their customers.

This number, however, if it is an annual number, appears to be very low and it may bring a lot of small businesses within the scope of VAT. It of course also means a lot of registration fees, with the likelihood of annual renewal. Those with multiple companies and trade licenses need to be clear how many VAT registrations they need.

Group companies that undertake intercompany trading also need to think about the impact of VAT on such cross-company sales and what tax will be payable and reclaimable by each company in what timescales.

Some may prefer to register even if they are exempt because if they don’t, they may not be able to claim back the VAT paid on their purchases.

As announced recently, the registration will be open three months before the go-live date. Companies will have the option to register online. Businesses can probably start registering for VAT from 1st October 2017.

For most businesses, VAT returns should be filed every three months. Filing of returns can also be done online using the government’s eServices.

According to the Ministry of Finance, businesses may need to change their core operations, financial management and book-keeping, technology and human resource mix in order to prepare for VAT. “It is essential that businesses try to understand the implications of VAT now and once the legislation is issued, make every effort to align their business model to government reporting and compliance requirements.”

Businesses are also strongly advised to ensure that in all the commercial contracts they enter into, they include a clause that spells out that the VAT burden can be passed on to the consumer.

“Once the law is out, businesses would first have to figure out whether their products/services are taxable or not and if yes, they would have to ensure that their billing or invoicing process is capable of adding a VAT charge to all taxable products. The easiest way to do this is to alter your IT systems to automatically calculate and add VAT to the invoices,” said Pardasani.

Hiring new staff that will enable businesses to prepare for and implement the new tax policy should be done at this point in time. “Companies should have started to think about the additional resources they would need to ensure VAT compliance. Depending on how tedious / frequent the process is, companies would need resources based on the complexity of their operations. But one thing to bear in mind is that VAT is not only a finance issue,” said Pardasani. “It flows through all operational departments of the company. This is because wherever a company acquires products or services, it may pay VAT and it would need to capture all the documentation relating to VAT paid, in order to claim refunds.”

Corporate Social Responsibility for the U.A.E.

June 12th, 2017

The Ministry of Economy in Dubai said today, Monday, that it will be mandatory for the private sector to declare their Corporate Social Responsibility (CSR) initiatives by the end of 2017. The CSR initiative aims to encourage all companies to play a role in charitable, humanitarian work. Mohammad Ahmad Bin Abdul Aziz Al Shehhi, Undersecretary at the Ministry of Economy, discussed the National Strategy’s 11 initiatives for CSR, which were set to develop a supportive and stimulating environment for companies to invest in social responsibility.

The CSR programme is one of six main themes of the UAE’s National Strategy, which aims to encourage all companies to play a role in charitable and humanitarian work.

Percentage

The ministry will announce a minimum percentage that should be allocated to CSR by all private companies.

Companies will be able to register starting July, and will be required to declare their audited CSR accounts to the ministry and upon licence renewal at the Department of Economic Development.

Auditors will be required to ensure the financial statement for the company verifies their CSR initiatives and CSR spending.

Al Shehhi said that another initiative is the establishment of a National CSR Index, which will rank entities in the country, based on the percentage of their contributions and projects.

The assessment process will take place in April 2018, while the Corporate Social Responsibility (CSR) Annual Report and National CSR index results will be announced on Zayed Humanitarian Day in June 2018.

Year of Giving

Sultan Bin Saeed Al Mansouri, Minister of Economy, said the launch of the annual report represents an important milestone for the ‘Year of Giving,’ as such programmes and initiatives introduce a solid base for the organisational system of charity works in the UAE.

“Cooperation between the Ministry of Economy, Departments of Economic Development and Chambers of Commerce and Industry and other governmental and private bodies is an essential and effective driving force for transforming the ‘Year of Giving’ concepts to practical programmes and initiatives,” he said.

Smart CSR platform

Al Shehhi highlighted the different services of the Smart CSR platform, which will be launched in July to enable all private companies to register, and to view the various fields of CSR initiatives. It will include guides and tools to make CSR contributions along with models displaying the implementation process.

“One of the main targets of the programme is to spread awareness about the values of CSR within the private sector. We are sure many private companies have CSR programmes, however, it is time to launch a joint platform based on concrete projects, and build partnerships between the public and private sector,” said Al Shehhi. He pointed out the ministry anticipates that all companies in the UAE who are currently registered in the economic department will become members of the CSR programme, which has now been set as a minimum requirement in the private sector.

The Dubai Chamber of Commerce and Industry recently hosted its annual Dubai Dialogue conference at its premises which focused on the UAE’s Year of Giving and highlighted the important role that public-private partnerships can play in achieving the objectives of the national initiative.

The event, organised by the Chamber’s Centre for Responsible Business, was attended by 150 delegates, including H.E. Sultan bin Saeed Al Mansoori, Minister of Economy of the UAE, H.E. Mohammed Alshehhi, Undersecretary for Economic Affairs at the UAE Ministry of Economy, and H.E. Hamad Buamim, President and CEO, Dubai Chamber, as well as various stakeholders from the UAE’s public and private sectors.

The National Strategy for the Year of Giving comprises over 1,000 initiatives and programmes which cover six main themes, namely corporate social responsibility (CSR), volunteerism, the developmental role of humanitarian organisations, legislative systems and government policies, media, and serving the nation.

In his keynote speech, H.E. Al Mansoori said: “Organising this year’s conference is particularly important in light of the UAE’s move to declare 2017 as the ‘Year of Giving’. The wise leadership is taking a number of relevant steps to develop an integrated framework aimed at spreading the initiative’s principles and encouraging active participation of the government and private sectors at the institutional and individual levels.”

The UAE’s Minister of Economy noted that the government is keen on building a more systematic CSR methodology by offering incentives and monitoring, and putting key indicators into place that measure the initiatives’ progress and their benefit to society. Dubai Chamber’s President and CEO said that forming a united vision for CSR and sustainability in the UAE is one of the main objectives of the Dubai Dialogue conference as it enables organisations to share knowledge, experiences, and best practices in this field.

“Corporate social responsibility is at the core of the Year of Giving strategy, which comprises many initiatives that will have a direct and significant impact on the UAE’s business community and society at large,” added H.E. Buamim.

The 11 initiatives for CSR include incentives, facilities, and financial privileges. Among the financial privileges is the ‘Responsible Procurement’ initiative, which will be implemented in cooperation with the financial departments of the various emirates. It aims to allocate a percentage of government contracts to outstanding companies in the field of CSR. The ministry will also launch the ‘CSR Label’ and ‘CSR Passport,’ which will be awarded to the five most innovative companies in the field.

Another initiative is the establishment of the ‘coordinating forum for CSR.’ The forum will be organised in cooperation with the UAE Chambers of Commerce and Industry, to provide platforms for regular communication in order to build partnerships between private sector companies and leaders of the humanitarian and charitable sectors.

“The country’s leadership has a vision to establish the position for the UAE to be the most giving of the world,” added Al Shehhi.

11 initiatives within the Corporate Social Responsibility (CSR) programme:

1. The Smart CSR website to be launched

2. CSR annual report to be published

3. National CSR index to rank companies based on CSR spending

4. CSR Label

5. CSR Passport

6. Monetary incentives for outstanding companies in the CSR field

7. Mandatory annual declaration of CSR projects

8. Coordinating forum for CSR

9. Annual announcement for CSR

10. Responsible procurement

11. Work committees for CSR

European Union General Data Protection Regulation (GDPR) – 2018 what should GCC countries consider?

May 30th, 2017

The UAE Ministry of Economy is raising awareness among private sector companies of the need to be ready for new European data protection rules, which come into force one year from now.

The European Union General Data Protection Regulation (GDPR) is set to become law by May 2018. The new rules govern all companies in Europe, as well as all companies trading with European companies and individuals.

The GDPR was drafted to “harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States”.

The law includes strong penalties for either misuse of data, or failure to protect the personal data of customers, with fines of up to 4% of annual turnover, or 20m euros ($22m).

HE Juma Mohammed Al Kait, Assistant Undersecretary for Foreign Trade at the Ministry of Economy, noted that the regulation issued by the EU aims to protect the data of every individual in the EU.

This not only impacts companies operating in European countries, but includes all institutions and companies that conduct business, trade and investment activities within EU countries, including the UAE business sector linked with European trade relations.

Due to this, the Ministry is working on deepening its knowledge about the new legislation, its provisions and requirements, and aims to reconcile its operational procedures with European authorities, in adherence with the framework of the GDPR, before May 2018.

Al Kait emphasized that the EU is one of the UAE’s most important trade partners. Trade between the two sides generated $65.8 billion in 2016 alone. The UAE has become one of the top 10 destinations for EU exports, and is home to over 41,000 European companies, in addition to over 121,000 EU citizens.

Penalties will also apply to information controllers and processors, including cloud software companies.

The new legislation also outlines terms of approval for the use of data, to prevent companies from using legally illegitimate terms, and gives both parties the ability to easily withdraw if desired.

The compliance world will change dramatically for a number of GCC organizations on 25 May 2018. In just over one year’s time GCC organizations that:
1. have a branch, subsidiary or single representative in the European Union (“EU”);
2. do not have a physical presence in the EU, but offer goods or services to data subjects in the EU; or
3. neither have a physical presence in the EU nor offer goods or services to people in the EU, but monitor the online behavior of data subjects in the EU,

will have to ensure that they are complying with the European Union General Data Protection Regulation (“GDPR”).

Who is likely to be affected?

Based on the test set out in the GDPR, the new regulations will likely apply to a significant number of entities in this region.
Obvious examples include:
- major airlines that fly to and from the EU,
- hotel and tourism operators who promote travel to the region to EU data subjects,
- regional banks and other financial service companies that have branches in the financial centres in the EU and online.

Less obvious examples include:
- e-commerce companies that are able to accept payments in euros and deliver to the EU
- mobile apps that can be downloaded by users in the EU and which have access to a user’s contacts, photos or location data.

All of these businesses may need to comply with the GDPR and to mitigate the risk and cost of failure to do so.
If your organization is affected it has three main options:
1. wait and see, i.e. do nothing (not advisable);
2. consider what it needs to do to ensure that it does not fall within the scope of the GDPR;
3. take immediate steps to prepare to comply with the GDPR.

For option (2), if your organization does not have an establishment in the EU and does not need to target or monitor EU data subjects then you might consider making it very clear that your website or app is not for use by EU users (e.g. by geo-blocking EU data subjects).

For option (3), if you have not started the process of ensuring compliance by now, then there is a lot to do:

1. monitor business to consumer business practices, including:
- conducting a data protection audit,
- examining the legal basis on which it processes personal data and updates its privacy policies;
2. monitor internal business practices, including:
- reviewing and updating agreements with data processors,
- implementing processes for adoption of pseudonymization and privacy by design,
- considering the legal basis on which it transfers personal data between jurisdictions;
3. establish compliant accountability processes, including:
- processes for record keeping,
- appointment of a data protection officer or EU representative and dealing with data subjects;
4. invest in infrastructure, including:
- how to determine the severity, and impact on data subjects, of a data breach,
- establishing robust security processes and procedures for notifying regulatory authorities and data subjects.

The need for compliance, especially for longer-term projects such as records of processing and compliant contracting, must be addressed as soon as is practicable.

Businesses that either operate, target customers or monitor individuals in the EU should:
• Audit: to identify key remediation areas.
• Record of Processing: This mandatory record will require significant internal resources, but will also help to plan and implement GDPR processes.
• Consider Contract Renegotiations: The GDPR requires that contracts with data controllers include additional obligations. As companies come to renegotiate contracts, ensure that adequate data protection clauses are added.
• Review and update, where necessary, employee notices to be GDPR compliant. If you currently conduct criminal records checks, then review national laws where you operate to ensure you can continue to do so. There is an emphasis on transparency in the GDPR. Notices must be clear, concise and informative. Employees must be adequately informed of all data processing activities and data transfers and the information set out in Articles 13 to 14 must be provided. Criminal records can no longer be processed unless authorized by member state law.

Consider whether your organization is processing any sensitive personal data and ensure the requirements for processing such data are satisfied. While the grounds for processing are broadly the same as those set out in the current Data Privacy Directive, the GDPR imposes new requirements to gain valid consent. Consent can be withdrawn at any time and systems must be able to handle withdrawal requests.

• Review and update, where necessary, customer notices to be GDPR compliant.
• Consider whether your notices have to accommodate “child-friendly requirements”. The GDPR requires parental consent for the processing of data related to information society services offered to a “child” (ranging from 13 to 16 years old depending on the member state).
• Data privacy rights. The current rights to request access to data or require it to be rectified or deleted have been expanded to include a much broader right to require deletion (“the right to be forgotten”) and a right not just to access your data but to have it provided to you in a machine readable format (“data portability”). Versions of the existing right to object to any processing undertaken on the basis of legitimate interests or for direct marketing and the right not to be subject to decisions based on automated processing are also included and expressly refer to a right to object to profiling.
These must be clearly communicated in the notices given to data subjects, e.g. the privacy policy.
• Privacy by design. Ensure processes are in place to embed privacy by design into projects (e.g. technical and organizational measures are in place to ensure data minimization, purpose limitation and security).

Consider what data you hold in emails, in CRM systems and on social media.
What should be your data access use and retention policies?

Personally I think it will be great if this is a way to prosecute the perpetrators of all the spam and phishing emails I get or at least to remove data from their lists!

VAT registration nears for the GCC – what should you be doing now – contact Synergy Software Systems

May 29th, 2017

VAT (Value Added Tax), which is also called a ‘tax on consumption’, is a tax that is payable when purchasing any product. VAT is applied as a particular percentage of the cost of goods and services, hence it cannot be considered a charge on companies. It is a general tax amount, which is added by the producer to the inputs before they are sold as new offerings.

All UAE businesses subject to the Value-Added Tax have to submit their tax declaration statements on a quarterly basis after the VAT law goes into effect starting January 2018, according to the Ministry of Finance.

The threshold for VAT registration is put at Dh375,000 as per the ministry’s announcement this week.
It is optional to register between Dh187,500 and Dh375,000.

UAE businesses will be able to start VAT registration in Q3 2017 and it is compulsory to be registered by Q4 2017.

Businesses will be able to register online using eServices.

The UAE businesses, subject to the tax, have to keep all files that allow competent authorities to audit their transactions and commercial activities, with the nature of the needed documents to be announced over the coming period. Businesses will be required to keep records which will enable the authorities to identify the details of the business activities and to review transactions. The specifics regarding the documents which will be required and the time period for keeping those will be communicated in due course.

Review your finance systems’ readiness for rapid implementation to meet these requirements. There will be a shortage of skilled consultants, and several holidays (Eid, Diwali, Christmas, New Year, National Day, etc.), budget time and preparation for year-end audits all have to fit into the last quarter. Allow time for collection of your trading partners’ VAT registration IDs, for report development and update, for testing and for staff training.

All six of the GCC member states – Saudi Arabia, Qatar, Oman, Kuwait, the UAE and Bahrain – have now signed and approved the VAT framework.

Registered businesses will be expected to submit VAT returns on a regular basis. It is expected that the default period for filing VAT returns will be three months for the majority of businesses. Registered businesses will be able to file their returns online using eServices.

Exemptions:
We understand that:
Health, education services, international transportation, import gold for investment purposes, commodities and exports are exempted from VAT in UAE.
Residential buildings for sale or lease during the first three years in which the building is completed, some financial services and empty plots of land are also exempted from VAT.

The GCC Member States will appreciate the VAT on financial provisions. The Banks and Financial House are ineligible for VAT in terms of the services provided, instead, they might be eligible for input tax based on tax recovery rates determined by each Member State.

The Federal Tax Authority has also announced a 100 per cent tax on tobacco, energy drinks and 50 per cent on carbonated beverages. This is separate from VAT.

The General Authority for Zakat and Income Tax (GAZT) in KSA reportedly warned businesses, during an awareness session that took place at the Riyadh Chamber of Commerce on Monday 16 May 2017, that penalties will be applicable in the cases of violation of VAT laws and regulations.

Penalties

The following types of penalties will apply in each of the following cases:
• Case 1: Businesses required to register for VAT and that fail to register shall be liable to double the net tax due.
• Case 2: Committing an error in filling in the tax return shall result in paying an additional 50% of net tax declared.
• Case 3: Exaggerated tax refund claims shall be subject to a penalty of 50% of the original amount reported.
• Case 4: Late filing of tax return would result in a penalty of SAR 1,000 and an extra 5 to 20% of the unpaid tax. The percentage varies depending on the number of days of delay.
• Case 5: Non-registered persons who issue an invoice with VAT shall pay SAR 1,000 or double the amount of the net tax (whichever is higher).
• Case 6: Not keeping records of the required documents shall result in a penalty of SAR 1,000 or 2% of the monthly average taxable supplies (whichever is higher).
• Case 7: Non-compliance with GAZT inquiries in providing relevant information shall result in a penalty of SAR 1,000 or 2% of the average monthly taxable supplies (SAR 20,000 maximum), whichever is higher.

Ramadan 2017 starts soon – Ramadan Kareem to all of our readers – Synergy Software Systems

May 25th, 2017

The holy month of Ramadan is expected to start this weekend. The Saudi Supreme Court has already called on all Muslims throughout the Kingdom of Saudi Arabia to sight the crescent of the Holy Month of Ramadan on Thursday, May 25. It is expected that Ramadan will officially start on either Friday or Saturday.

During this period of fasting and spiritual reflection there will be several changes to our office routine:
- Those working at site will work client hours.
- Our offices will be closed on Fridays and Saturdays until the end of Ramadan.
- From Sunday to Thursday our work hours will be 9 am-5 pm.

Visitors will be provided with water in the conference room at their request, but will otherwise generally not be offered refreshment.

Some Guidance for those new to the region.
It is very easy to forget in hot weather that there are cultural norms and that authorities and others will be offended if these are not followed. It is a difficult enough time in this climate for those who fast, so please show due respect. You may well be stopped by the police for e.g. drinking a bottle of water in your parked car, or you may offend others by eating sweets, or your own food.

This is a very difficult time due to the hot, humid weather, which is expected to get a lot hotter, and we encourage you all to take adequate drinks of water at the appropriate times.

Dress code: Dubai has fairly relaxed standards as it is a tourist destination, but please be extra aware of the need to behave and dress with modesty, decorum and respect in this period.

Public shops and restaurants. Opening hours may be amended because those too will have shorter working hours – so plan ahead. In most cases shops will open after Iftar and will stay open much later than usual.

Alcohol sales, and public entertainment, music etc. will be stopped.

Some restaurants and shops may serve takeaway food during daylight hours, but will not be open for sit down meals. Some hotels may have segregated screened areas where food can be obtained.

Clinics, doctors, pharmacies etc. may also have reduced working hours.

Travel
Paid parking zones in Dubai
The tariff will apply to all car parks (Zones A, B, C, D, and G) from Saturday to Thursday in two periods:
- from 08:00 am to 05:00 pm,
- from 07:00 pm to 12:00 (midnight).
The tariff will apply to parking at:
- Dubai Silicon Oasis (Zone H), Saturday to Thursday, from 08:00 am to 10:00 pm,
- Tecom (Zone F), Saturday to Thursday, from 08:00 am to 06:00 pm,
- Fish Market (Zone E), from 08:00 am to 11:00 pm daily from Saturday to Friday.

Bus services
Public bus main stations, like Gold Souq Station, will open from 04:25 am to 12:00 (midnight)
Al Ghubaiba Station from 04:30 am to 12:00 (midnight).
Subsidiary stations, like Al Satwa, will operate from 04:57 am to 11:35 pm, and Route C01 will operate around-the-clock at Satwa.
Al Qusais Station will open 04:30 am to 12:00 (midnight),
Al Quoz Industrial Station will operate from 05:00 am to 11:30 pm,
Jebel Ali Station will be offering service from 05:00 am to 12:00 (midnight).

Stations of Metro Link buses, such as Al Rashidiya, Mall of the Emirate, Ibn Battuta, Burj Khalifa-Dubai Mall, Abu Hail and Etisalat, will open from 05:00 am to 12:20 am (past midnight).
The timing of all Metro Link buses will match the timing of the metro service.

Inter-city bus stations will operate in Ramadan as follows:
• Main stations like Al Ghubaiba will operate around-the-clock to Sharjah (Jubail), and from 04:30 am to 12:00 (midnight) to Abu Dhabi.
• Subsidiary stations, like Union Square, will operate from 04:35 am to 01:25 am (of the following day).
• Al Sabkha Station will open from 06:15 am to 01:30 am (of the following day).
• Deira City Centre Station will open from 05:35 am to 11:30 pm,
• Karama Station will open from 06:10 am to 10:20 pm,
• Al Ahli Club Station will open from 05:55 am to 10:15 pm,
• External stations, like Sharjah Al Taawon, will operate from 05:30 am to 10:00 pm,
• Fujairah Station will open from 05:15 am to 09:30 pm,
• Hatta Station from 05:30 am to 09:30 pm, and Ajman Station from 04:27 am to 11:00 pm.

Metro services
Dubai Metro services, the Red Line stations will run service in Ramadan from Saturday to Wednesday from 05:30 am to 12:00 (midnight).
On Thursday, stations will open from 05:30 am to 01:00 am (of the following day)
On Friday from 10:00 am to 01:00 am (of the following day).
There will be no change in the timing of the Express Metro service during Ramadan.
The Green Line stations will operate in Ramadan from Saturday to Wednesday from 05:50 am to 12:00 (midnight).
On Thursday, stations will operate from 05:50 am to 01:00 am (of the following day)
On Friday from 10:00 am to 01:00 am (of the following day).

Dubai Tram
The Dubai Tram will operate from Saturday to Thursday from 06:30 am to 01:00 am, and on Friday from 09:00 am to 01:00 am (of the following day).

Marine transport
The schedules of marine transit services during Ramadan:
The Water Bus will shuttle in marina stations (Marina Mall, Marina Walk, Marina Terrace, Marina Promenade) from 12:00 at noon up to 12:00 midnight.
The Water Taxi will operate from 09:00 am until 10 pm.
Dubai Ferry will be calling at Ghubaiba Station at 11:00 am and 06:30 pm.
The Ferry will operate from Marina at 11:00 am, 05:00 pm and 06:30 pm.
From Al Jaddaf Station to Dubai Water Canal Station, the Ferry will be running service at 10:00 am and 05:30 pm
From Dubai Water Canal Station to Al Jaddaf Station at 12:05 at noon and 07:35 pm.

The timing of Abra during Ramadan will be as follows:
Traditional Abra will operate at (Ghubaiba, Baniyas, and Dubai Old Souq) from 10:00 am until 12:00 (midnight).
At Al Jaddaf Station, Dubai Festival City, it will operate from 07:00 am to 12:00 (midnight).
At the Sheikh Zayed Road Station (Dubai Water Canal), it will operate from 08:00 pm to 02:00 am (of the following day).
The Electric Abra will be operating at Burj Khalifa/Dubai Mall from 08:00 pm until 11:30 pm,
At Al Mamzar from 08:00 pm to 02:00 am (of the following day).

Testing centres
Technical testing centres run by suppliers will offer services in respect of light vehicles during Ramadan in the morning only without prior appointment. Technical testing services of heavy vehicles will be offered in the morning and evening.

The business hours of strategic partners’ centers will be as follows:
Tasjeel Enoc (Al Qusais, Al Awir, Al Barsha, Al Tawar and Warsan) from Saturday to Thursday will be open in two shifts. In the morning from 08:00 am to 04:00 pm and in the evening from 09:00 pm to 02:00 am (of the following day).
Hatta Center will open from 09:00 am to 03:00 pm,
Jebel Ali Centre will open from 08:00 am to 04:00 pm.

Emarat, Shamil, Al-Adid, Wasl, Al-Muhaisna, Nad Al Hamar, Al Jaddaf and Al Arabi Centers will open from Saturday to Thursday on two shifts. In the morning from 09:00 am to 04:00 pm and in the evening from 09:00 pm to 02:00 am (of the following day).

Quick Registration Centre will also open in two shifts:
In the morning from 09:00 am to 05:00 pm and in the evening from 09:00 pm to 03:00 am (of the following day).
PAL Garage will open from 09:00 am to 04:00 pm,
Al Shirawi Enterprises Centre will open from 09:00 am to 05:00 pm.
Al Mumayaz Centre will open from Saturday to Thursday (at Al Mizhar Markets and Al Barsha Mall) on two shifts.
In the morning, it will open from 09:00 am to 04:00 pm and in the evening from 09:00 pm to 01:00 am (of the following day).
Tamam Speedfit & Cars Centers will open from Saturday to Thursday on two shifts.
In the morning, they will open from 09:00 am to 04:00 pm and in the evening from 09:00 pm to 02:00 am (of the following day).

Centres that will open on Friday during Ramadan are: Tasjeel Enoc (Al Qusais and Al Barsha) from 09:00 pm to 02:00 am (of the following day); they will offer VIP Service for processing transactions only.
Wasil-Al Arabi Centre will open on Friday from 09:00 pm to 02:00 am (of the following day),
Quick Registration Centre will open from 09:00 pm to 03:00 am (of the following day).

Health.
Those who are fasting from early morning need to be aware of the risk of fatigue or fainting, especially if driving long distances, and should adjust their meal times and sleeping hours.

With an earlier finish we may all get a lot more exposure to sunlight. Take care to avoid overexposure. We are close to the equator and the sun’s radiation is much stronger here than is generally realized even on a cloudy day. Protect your eyes with sunglasses, if you are fair skinned then also consider sun cream, or long sleeves or a parasol and/or a hat. The locals cover themselves from head to foot for good reason. Long distance driving e.g. to Abu Dhabi also creates risk of overexposure.

Service centres
Customers’ happiness centres will be operating from Sunday to Thursday at different times.
Umm Al Romool, Al Barsha, Deira and Al Kafaf Centers will open from 09:00 am to 02:00 pm.
Al Tawar, Al Manara, and Al Awir Centers will operate from 09:00 am to 05:00 pm.

Some general Ramadan Do’s and Don’ts
DO… make the most of the community spirit. Say ‘Ramadan Kareem’ to friends and colleagues, introduce yourself to those neighbours to whom you’ve always meant to say ‘hi’, organise an after-work iftar, and catch up with friends and family.
DO… understand that many locals become night owls. Everything happens later during Ramadan. Malls are open past midnight and suhoors go into the early hours.
Email responses may take longer, and it may take a little more planning to process visas, or just about any other government business transaction, if their working hours are reduced.
DO… your bit for a good cause. Ramadan is a good time to put your money where your mouth is. The UAE has a wide range of charitable and volunteering organisations.
DON’T… forget the ‘rules’.
If you’re not a Muslim, then they still apply – you’re still expected to be respectful.
It’s frowned upon to dress inappropriately, eat, drink or smoke during daylight, play loud music or swear in public. At the very least these things are frowned upon and will cause discomfort to others, and at worst you may find yourself in trouble with the police or fined.
DON’T… lose your patience. Working hours are likely to be shorter (and perhaps a little less productive), those who are fasting tend to be tired, and the UAE’s roads will be more hectic at times.

سائلين الله عـز وجـل أن يرزقكـم فيه مغـفـره ورحمه وعتق من النار.
We ask ALLAH Almighty to bless you with forgiveness and mercy and freedom from fire

May all your prayers be answered.

Deal with WannaCrypt ransomware

May 15th, 2017

To get the latest protection from Microsoft, upgrade to Windows 10.
Keep your computers up-to-date to get the benefits of the latest features and proactive mitigations built into the latest versions of Windows.

Microsoft Malware Detection and Removal Tools

Use the following free Microsoft tools to detect and remove this threat:

• Windows Defender – built-in to Windows 10. There’s nothing to buy and nothing to install. No configuration, no subscriptions, and no nagware
• Microsoft Safety Scanner: https://www.microsoft.com/security/scanner/en-us/default.aspx?wt.mc_id=AID618806_EML_5062822

(The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software. Note: The Microsoft Safety Scanner expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run the Microsoft Safety Scanner again. The Microsoft Safety Scanner is not a replacement for using an antivirus software program that provides ongoing protection.)

Also view:
• Microsoft Security Response Center Blog
• Microsoft Malware Protection Center Blog
• Microsoft Safety and Security Center webpage

We recommend customers that have not yet installed the security update MS17-010 do so as soon as possible. Until you can apply the patch, we recommend two possible workarounds to reduce the attack surface:
• Disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547 (Reboot Required)
• Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445

Windows Defender Antivirus detects this threat as Ransom:Win32/WannaCrypt as of the 1.243.297.0 update.

Enable Windows Defender Antivirus to detect this ransomware.
Windows Defender Antivirus uses cloud-based protection, to help protect you from the latest threats.

Use Office 365 Advanced Threat Protection, which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.

Monitor your network with Windows Defender Advanced Threat Protection, which alerts security operations teams about suspicious activities.

For enterprises, use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.

A ransomware threat does not normally spread so rapidly. Threats like WannaCrypt typically leverage social engineering or emails as the primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators incorporated publicly available exploit code for the patched SMB EternalBlue vulnerability, CVE-2017-0145, which can be triggered by sending a specially crafted packet to a targeted SMBv1 server.
It was fixed in security bulletin MS17-010, released on March 14, 2017.

WannaCrypt’s spreading mechanism is borrowed from well-known public SMB exploits, which armed this regular ransomware with worm-like functionalities, creating an entry vector in machines still unpatched even after the fix had become available.

The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.

We haven’t found the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly likely for this ransomware family:
• Arrival through social engineering emails designed to trick users to run the malware and to activate the worm-spreading functionality with the SMB exploit
• Infection through SMB exploit when an unpatched computer can be addressed from other infected machines

The threat arrives as a dropper Trojan that has the following two components:

• Component that tries to exploit the SMB EternalBlue vulnerability in other computers
• Ransomware known as WannaCrypt

The dropper tries to connect to the following domain using the API InternetOpenUrlA():
hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

When connection is successful, the threat does not infect the system further with ransomware, nor try to exploit other systems to spread; it simply stops execution. However, when the connection fails, the dropper proceeds to drop the ransomware and creates a service on the system.

Blocking the domain with a firewall, either at ISP or enterprise network level, will just cause the ransomware to continue spreading and encrypting files.

The threat creates a service named mssecsvc2.0, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:

Service Name: mssecsvc2.0
Service Description: (Microsoft Security Center (2.0) Service)
Service Parameters: “-m security”

When run, WannaCrypt creates the following registry keys:

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ = “\tasksche.exe”
• HKLM\SOFTWARE\WanaCrypt0r\\wd = “

It changes the wallpaper to a ransom message by modifying the following registry key:
• HKCU\Control Panel\Desktop\Wallpaper: “\@WanaDecryptor@.bmp”

It creates the following files in the malware’s working directory:

• 00000000.eky
• 00000000.pky
• 00000000.res
• 274901494632976.bat
• @Please_Read_Me@.txt
• @WanaDecryptor@.bmp
• @WanaDecryptor@.exe
• b.wnry
• c.wnry
• f.wnry
• m.vbs
• msg\m_bulgarian.wnry
• msg\m_chinese (simplified).wnry
• msg\m_chinese (traditional).wnry
• msg\m_croatian.wnry
• msg\m_czech.wnry
• msg\m_danish.wnry
• msg\m_dutch.wnry
• msg\m_english.wnry
• msg\m_filipino.wnry
• msg\m_finnish.wnry
• msg\m_french.wnry
• msg\m_german.wnry
• msg\m_greek.wnry
• msg\m_indonesian.wnry
• msg\m_italian.wnry
• msg\m_japanese.wnry
• msg\m_korean.wnry
• msg\m_latvian.wnry
• msg\m_norwegian.wnry
• msg\m_polish.wnry
• msg\m_portuguese.wnry
• msg\m_romanian.wnry
• msg\m_russian.wnry
• msg\m_slovak.wnry
• msg\m_spanish.wnry
• msg\m_swedish.wnry
• msg\m_turkish.wnry
• msg\m_vietnamese.wnry
• r.wnry
• s.wnry
• t.wnry
• TaskData\Tor\libeay32.dll
• TaskData\Tor\libevent-2-0-5.dll
• TaskData\Tor\libevent_core-2-0-5.dll
• TaskData\Tor\libevent_extra-2-0-5.dll
• TaskData\Tor\libgcc_s_sjlj-1.dll
• TaskData\Tor\libssp-0.dll
• TaskData\Tor\ssleay32.dll
• TaskData\Tor\taskhsvc.exe
• TaskData\Tor\tor.exe
• TaskData\Tor\zlib1.dll
• taskdl.exe
• taskse.exe
• u.wnry

WannaCrypt may also create the following files:

• %SystemRoot%\tasksche.exe
• %SystemDrive%\intel\\tasksche.exe
• %ProgramData%\\tasksche.exe

It may create a randomly named service that has the following associated ImagePath: “cmd.exe /c “\tasksche.exe”"

Then it searches the whole computer for any file with any of the following file name extensions:
.123, .jpeg, .rb, .602, .jpg, .rtf, .doc, .js, .sch, .3dm, .jsp, .sh, .3ds, .key, .sldm, .3g2, .lay, .sldm, .3gp, .lay6, .sldx, .7z, .ldf, .slk, .accdb, .m3u, .sln, .aes, .m4u, .snt, .ai, .max, .sql, .ARC, .mdb, .sqlite3, .asc, .mdf, .sqlitedb, .asf, .mid, .stc, .asm, .mkv, .std, .asp, .mml, .sti, .avi, .mov, .stw, .backup, .mp3, .suo, .bak, .mp4, .svg, .bat, .mpeg, .swf, .bmp, .mpg, .sxc, .brd, .msg, .sxd, .bz2, .myd, .sxi, .c, .myi, .sxm, .cgm, .nef, .sxw, .class, .odb, .tar, .cmd, .odg, .tbk, .cpp, .odp, .tgz, .crt, .ods, .tif, .cs, .odt, .tiff, .csr, .onetoc2, .txt, .csv, .ost, .uop, .db, .otg, .uot, .dbf, .otp, .vb, .dch, .ots, .vbs, .der, .ott, .vcd, .dif, .p12, .vdi, .dip, .PAQ, .vmdk, .djvu, .pas, .vmx, .docb, .pdf, .vob, .docm, .pem, .vsd, .docx, .pfx, .vsdx, .dot, .php, .wav, .dotm, .pl, .wb2, .dotx, .png, .wk1, .dwg, .pot, .wks, .edb, .potm, .wma, .eml, .potx, .wmv, .fla, .ppam, .xlc, .flv, .pps, .xlm, .frm, .ppsm, .xls, .gif, .ppsx, .xlsb, .gpg, .ppt, .xlsm, .gz, .pptm, .xlsx, .h, .pptx, .xlt, .hwp, .ps1, .xltm, .ibd, .psd, .xltx, .iso, .pst, .xlw, .jar, .rar, .zip, .java, .raw

WannaCrypt encrypts all files it finds and renames them by appending “.WNCRY” to the file name. For example, if a file is named “picture.jpg”, the ransomware encrypts and renames to “picture.jpg.WNCRY”.

This ransomware also creates the file “@Please_Read_Me@.txt” in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image. After completing the encryption process, the malware deletes the volume shadow copies by running the following command:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
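The command chain above is a useful detection point because each sub-command disables a different recovery feature. The following is an added example, not code from the original article: it matches the five sub-commands in process-creation command lines while ignoring read-only uses of the same tools. The sample command lines, rule names and the severity grading are assumptions made for the illustration.

```python
import re

# One rule per sub-command of the chain quoted above. \S+ stands for the
# boot entry identifier ({default} in the quoted command).
RULES = {
    "vssadmin_delete_shadows": r"\bvssadmin(\.exe)?\s+delete\s+shadows\b",
    "wmic_shadowcopy_delete": r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
    "bcdedit_ignore_failures":
        r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b",
    "bcdedit_recovery_off": r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b",
    "wbadmin_delete_catalog": r"\bwbadmin(\.exe)?\s+delete\s+catalog\b",
}
RULES = {name: re.compile(rx) for name, rx in RULES.items()}

def normalize(cmdline):
    """Lower-case, drop quotes and cmd.exe caret escapes, collapse whitespace."""
    s = cmdline.lower().replace('"', "").replace("^", "")
    return re.sub(r"\s+", " ", s).strip()

def split_chain(cmdline):
    """Split a cmd.exe command line on its chaining operators (&, &&, ||)."""
    return [p for p in re.split(r"\s*(?:&&|\|\||&)\s*", normalize(cmdline)) if p]

def recovery_tampering(cmdline):
    """Return the rule names matched, in the order they occur in the chain."""
    hits = []
    for part in split_chain(cmdline):
        hits += [n for n, rx in RULES.items() if rx.search(part) and n not in hits]
    return hits

def severity(cmdline):
    """Two or more distinct techniques in one command line is treated as high."""
    n = len(recovery_tampering(cmdline))
    return "high" if n >= 2 else "medium" if n == 1 else None

# Constructed process-creation command lines (not taken from a real host).
SAMPLES = [
    "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
    "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    r'"C:\Windows\System32\VSSADMIN.EXE"   Delete  Shadows /For=C: /Quiet',
    "vssadmin list shadows",
    "wbadmin get versions",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(severity(s), recovery_tampering(s))
```
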

It then replaces the desktop background image with a message and also runs an executable showing a ransom note, which indicates a $300 ransom and a timer. The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.

The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can normally be observed by SecOps personnel.
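One way SecOps can surface the SMB scanning described above is to count, per source host, how many distinct destinations it contacts on TCP port 445 within a short time window. This is an added example, not part of the original article; the flow record layout, the 60-second window, the threshold of 20 and every address in the sample data are assumptions chosen for the illustration.

```python
from collections import Counter, defaultdict

SMB_PORT = 445

def smb_fanout(flows, window=60, threshold=20):
    """flows: iterable of (epoch_seconds, src_ip, dst_ip, dst_port).

    Returns {src_ip: peak} for every source whose peak number of distinct
    TCP/445 destinations inside any `window`-second span reaches `threshold`.
    """
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == SMB_PORT:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        active = Counter()          # destination -> flows still inside the window
        left = peak = 0
        for ts, dst in events:
            active[dst] += 1
            while events[left][0] <= ts - window:   # expire flows that aged out
                old = events[left][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                left += 1
            peak = max(peak, len(active))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

def sample_flows():
    """Constructed flow records; all addresses are made up for the example."""
    flows = []
    # Workstation: 100 SMB flows, but only to two file servers.
    flows += [(1000 + 5 * i, "10.0.0.5", f"10.0.0.{10 + i % 2}", 445) for i in range(100)]
    # Backup server: 25 distinct SMB peers, one every 150 s (slow, scheduled).
    flows += [(1000 + 150 * i, "10.0.0.8", f"10.0.1.{i + 1}", 445) for i in range(25)]
    # Web crawler: wide fan-out, but on 443 rather than 445.
    flows += [(1000 + i, "10.0.0.9", f"198.51.100.{i + 1}", 443) for i in range(100)]
    # Scanning host: 30 LAN peers, then 20 Internet addresses, inside 50 s.
    flows += [(1000 + i, "10.0.0.23", f"10.0.0.{100 + i}", 445) for i in range(30)]
    flows += [(1030 + i, "10.0.0.23", f"203.0.113.{i + 1}", 445) for i in range(20)]
    return flows

if __name__ == "__main__":
    print(smb_fanout(sample_flows()))   # only the scanning host is reported
```

Widening the window to an hour makes the constructed backup server cross the same threshold, so the window and threshold need tuning against the hosts that legitimately talk SMB to many peers.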

Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routine discovers unpatched computers. When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode which seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.

Ransomware strikes again

May 13th, 2017

Ransomware increased 35% last year.
More alarming is the continuing recent rise in both sophistication and the mass distribution of ransomware.

Ransomware can bring your business to a halt and cause significant financial damage.
Unlike the stealthier advanced attacks that can stay undetected on corporate network for months, the impact of ransomware is immediate and intrusive.

Cyber attackers don’t need a lot of money, resources or technical sophistication to use ransomware.

Today's headlines:
Hospitals across the country hit badly by attack
Nearly 100 countries affected
Fears of chaos over weekend
Cyber attack hits German train stations as hackers target Deutsche Bahn

Russian-linked cyber gang Shadow Brokers was blamed. It is claimed the group, which has links to Russia, stole US National Security Agency cyber tools designed to access Microsoft Windows systems, then dumped the technology on a publicly-accessible website where online criminals could access it – possibly in retaliation for America’s attack on Syria. The exploit was leaked last month as part of a trove of NSA spy tools. The ransomware locks down all the files on an infected computer and asks the computer’s administrator to pay in order to regain control of them. The ransomware, called “WannaCry,” spreads by taking advantage of a Windows vulnerability for which Microsoft released a security patch in March.
Affected machines have six hours to pay up and every few hours the ransom goes up.

The global cyber attack crippled services on Friday (yesterday). The U.K. health service faces a weekend of chaos after hackers demanding a ransom infiltrated the health service’s antiquated computer system. Operations and appointments were cancelled and ambulances diverted as up to 40 hospital trusts became infected by a “ransomware” attack demanding payment to regain access to vital medical records.
Doctors warned that the infiltration – the largest cyber attack in NHS history – could cost lives.

Medics described how computer screens were “wiped out one by one” by the attack, which spread to companies and institutions worldwide, including international shipper FedEx Corp in the US and Germany’s rail operator. Spain’s largest telecom operator, Telefónica, was also affected. Spanish authorities confirmed the ransomware is spreading through the vulnerability, called “EternalBlue,” and advised people to patch.

Helsinki-based security software maker Avast said they had observed 57,000 infections in 99 countries, with Russia, Ukraine and Taiwan the top targets. Megafon, a Russian telecommunications company, was hit by the attack.

The ransomware is automatically scanning for computers it can infect, whenever it loads itself onto a new machine. It can infect other computers on the same wireless network. It has a ‘hunter’ module, which seeks out PCs on internal networks, so, if your laptop is infected and you go to a coffee shop, then it will spread to PCs at the coffee shop and from there, to other companies.

The sad part of the NHS tale is that Microsoft provided free software to protect computers in March, which raises questions about why the NHS was still vulnerable. It seems that many trusts were using obsolete systems, while others failed to apply recent security updates. Indeed, there are estimates that 90 per cent of NHS trusts in the UK are still using Windows XP, a now unsupported, 16-year-old operating system introduced before 2007, which is particularly vulnerable.

Unknown attackers deployed a virus targeting Microsoft servers running the file sharing protocol Server Message Block (SMB). Only servers that weren’t updated after March 14 with the MS17-010 patch were affected; this patch resolved an exploit known as EternalBlue, once a closely guarded secret of the National Security Agency, which was leaked last month by Shadow Brokers, a hacker group that first revealed itself last summer. The ransomware, aptly named WannaCry, did not spread because of people clicking on bad links. The only way to prevent this attack was to have already installed the update.

Through the EternalBlue exploit, the malware installed an NSA backdoor payload called DoublePulsar, and through it went WannaCry, which then spread rapidly and automatically to other computers on the same network. “Whereas ransomware such as Locky normally requires user interaction, such as opening a Word document, WannaCry has the capability to spread automatically. Thankfully a weakness in the method of propagation has allowed researchers to take control of a piece of attacker infrastructure and limit new infections; otherwise it could have been even worse.”

Microsoft said yesterday that it is pushing out automatic Windows updates to defend clients from WannaCry.

What is ransomware?
Malicious software that locks a device, such as a computer, tablet or smartphone, and then demands a ransom to unlock it.

Where did ransomware originate?
The first documented case appeared in 2005 in the United States, but quickly spread around the world.

How does it affect a computer?
The software is normally contained within an attachment to an email that masquerades as something innocent. Once opened, it encrypts the hard drive, making it impossible to access or retrieve anything stored on there, such as photographs, documents or music.

How can you protect yourself?
Anti-virus software can protect your machine, although cybercriminals are constantly working on new ways to override such protection.

How much are victims expected to pay?
The ransom demanded varies. Victims of a 2014 attack in the UK were charged £500. However, there’s no guarantee that paying will get your data back.
If you think you might be vulnerable to WannaCry, or you don’t remember installing any updates over the past month, then your first step is to address that issue immediately.

This is the most critical Windows patch since Conficker, which was one of the largest similar infections to date.
Despite having been patched nearly a decade ago, the Conficker worm is still in circulation and can be found everywhere. WannaCry, too, is going to be on networks for years.

The importance of downloading and installing security updates (as opposed to just clicking “remind me tomorrow” for several weeks in a row) cannot be overstated.

Just ask the patients of the 16 hospitals in England whose delay in care could have been easily avoided.