An article by me for ESET, sparked off by a conversation with Kevin Townsend, in the wake of research commissioned by Malwarebytes, on the pros and cons of paying to get your data back after a ransomware attack.
ESET Senior Research Fellow
For once, an article about Hitler that doesn’t invoke Godwin’s law…
The Register’s John Leyden describes how Hitler ‘ransomware’ offers to sell you back access to your files – but just deletes them: Sloppy code is more risible than Reich, though.
I don’t suppose this gang will finish its career in a bunker in Berlin, but I’d like to think that there is at least a prison in their future.
Lengthy description/analysis of an interesting Android ransomware threat from McAfee: ‘Cat-Loving’ Mobile Ransomware Operates With Control Panel.
I look forward to hearing commentary from Grumpy Cat. There is, however, no truth in rumours of a German language version known as BlackForestGato.
At this year’s Def Con, Andrew Tierney and Ken Munro demonstrated how they created full-blown ransomware to take control of an unnamed brand of smart thermostat ‘and lock the user out until they paid up.’
It’s not clear right now whether this is another aspect of the story noted by Security Week about Vulnerabilities Exposed Trane Thermostats to Remote Hacking, based on research by Jeff Kitson for Trustwave. But it sounds very similar.
Today’s second look at a link between tech support scams and ransomware is a bit more tenuous. In fact, it deals with a support scammer who was caught unaware by ransomware.
I’m not generally in favour of fighting malice with malice, but quite a few researchers who’ve come across this story have been observed trying to conceal an expression of glee, especially as there is no free decrypter for Locky.
Kwiatkowski tells the full story here: How I got tech support scammers infected with Locky
It’s been a while since I’ve had occasion to talk about the issues that sometimes link tech support scams and ransomware, but now a couple of relevant items have come along more or less simultaneously. First, let’s look at the malware Symantec calls Trojan.Ransomlock.AT.
Symantec describes ‘a new ransomware variant that pretends to originate from Microsoft and uses social engineering techniques to trick the victim into calling a toll-free number to “reactivate” Windows.’ (That is, to unlock the computer.) The article is here: New ransomware mimics Microsoft activation window. The Symantec researchers tried to contact the ‘helpline’ number 1-888-303-5121 but gave up after 90 minutes of on-hold music and messages. Interestingly, a web search for that number turns up dozens of links to sites claiming to help ‘remove’ the number, which Symantec believes to have been promoted by the ransomware operators or their affiliates.
Fortunately, they spent less time on concealing the unlock code, for the moment at any rate. Symantec tells us that ‘Victims of this threat can unlock their computer using the code: 8716098676542789’.
Testing lab SE Labs has been testing anti-malware programs in order to evaluate their effectiveness against ransomware: Anti-malware vs. ransomware: latest reports
There are reports covering products intended for large businesses/enterprises, small-to-medium businesses, and home users/consumers. I haven’t looked at them in detail yet, but I expect them to be up to Simon Edwards’ usual high standards.
[This item also posted to the Anti-Malware Testing blog.]