Decrypter for Locky-imitating PowerWare

Zeljka Zorz reports for Help Net Security: Decrypter for Locky-mimicking PowerWare ransomware released – Palo Alto Networks’ researchers have created a decrypter for the variant of the PoshCoder ransomware that imitates the Locky ransomware. Josh Grunzweig’s decryptor is a Python script available here.

Zeljka points out ‘They can try following these instructions on Python.com on how to run a Python script on Windows, or ask someone more knowledgeable to help them clean their machine up.’

Added to the relevant resources page here.

David Harley

Jackware: carjacking and ransomware

My friend and colleague Stephen Cobb, for ESET, recently posted an article on Jackware: When connected cars meet ransomware. He says:

I define jackware as malicious software that seeks to take control of a device, the primary purpose of which is not data processing or digital communications. A car would be such a device. A lot of cars today do perform a lot of data processing and communicating, but their primary purpose is to get you from A to B. So think of jackware as a specialized form of ransomware. With regular ransomware, such as Locky and CryptoLocker, the malicious code encrypts documents on your computer and demands a ransom to unlock them. The goal of jackware is to lock up a car or other device until you pay up.

Fortunately, and I stress this: jackware is, as far as I know, still theoretical. It is not yet “in the wild”

So speculation, but informed speculation, a hot topic, and well-written (of course).

David Harley

Ransomware: F-Secure looks at the ‘customer’ experience

Useful resources from F-Secure:

Commentary by The Register: Ransomware gang: How can I extort you today? Step 1. Improve customer service. Step 2.???? Step 3 PROFIT!!!

David Harley

Delilah: Ransomware and Recruitment

When Chuck Berry recorded ‘Beautiful Delilah’ back in the 1950s, he wasn’t thinking of anything like the Trojan described by Diskin, according to Gartner’s Avivah Litan, as gathering ‘enough personal information from the victim so that the individual can later be manipulated or extorted.’ By which the company seems to include recruitment of insiders by forcing them to leak data.

The article concludes:

Insider threats are continuing to increase with active recruitment of insiders from organized criminals operating on the dark web.

Commentary by Darren Pauli for The Register: Extortion trojan watches until crims find you doing something dodgy – And then the extortion starts and you’re asked to steal critical data

David Harley

Pokémon beGOne – malware exploiting a popular craze

[Also published on the Mac Virus blog, which also addresses smartphone security issues]

Not quite ransomware (though there is a suggestion that it may happen), but but my ESET Lukas Stefanko describes a fake lockscreen app that takes advantage of the currently prevalent obsession with Pokémon GO to install malware. The app locks the screen, forcing the user to reboot. The reboot may only be possible by removing and replacing the battery, or by using the Android Device Manager. After reboot, the hidden app uses the device to engage in click fraud, generating revenue for the criminals behind it by clicking on advertisements.  He observes:

This is the first observation of lockscreen functionality being successfully used in a fake app that landed on Google Play. It is important to note that from there it just takes one small step to add a ransom message and create the first lockscreen ransomware on Google Play.

In fact, it would also require some other steps to enable the operators to collect ransom, but the point is well taken. It’s an obvious enough step that I’m sure has already occurred to some ransomware bottom-feeders. And it’s all to easy for a relatively simple scam to take advantage of a popular craze.

Clicking on porn advertisements isn’t the only payload Lukas mentions: the article is also decorated with screenshots of scareware pop-ups and fake notifications of prizes.

The ESET article is here: Pokémon GO hype: First lockscreen tries to catch the trend

Somewhat-related recent articles from ESET:

Other blogs are available. 🙂

David Harley

If it’s encrypting, perhaps it’s ransomware

Researchers from the University of Florida and Villanova University suggest that ransomware can be mitigated by detecting its encrypting files early in the process:

CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data

A good idea, but some anti-malware programs already do something like this (i.e. flag programs that start encrypting files in bulk). But still a good idea. At The Register, Richard Chirgwin offers a round of applause:

Florida U boffins think they’ve defeated all – ransomware Crypto Drop looks for tell-tale signs that files are being encrypted

David Harley

Ranscam: paying up won’t get your files back

Whenever I think that the various criminals behind ransomware can’t sink any lower, someone comes along and proves me wrong.

Edmund Brumaghin and Warren Mercer in a post for Talos describe a particularly vicious example of ransomware they call Ranscam, which doesn’t bother to encrypt files. It claims that the files have been moved to a ‘hidden, encrypted partition’ , but in fact the malware simply deletes them, makes it difficult as possible to recover them, and then puts up a ransom demand. In fact, the criminals have no way of recovering the victim’s files: they just take the money, given the opportunity. As the authors put it:

Ranscam further justifies the importance of ensuring that you have a sound, offline backup strategy in place rather than a sound ransom payout strategy.

The Talos blog: When Paying Out Doesn’t Pay Off.

Commentary by John Leyden for The Register: Nukeware: New malware deletes files and zaps system settings – When you’ve paid up, but there’s nothing to unlock.

David Harley

 

Ransomware and a rumoured Apple ID breach

For CSO Online, Steve Ragan describes how Ransom demands are written in Russian via the Find my iPhone service. Here’s how he describes the attack:

It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim’s device into lost mode. At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it.

Thomas Reed also described a similar attack a few months back using iCloud’s ‘Find My Mac’.

Ragan also mentions ‘a rumor concerning “rumblings of a massive (40 million) data breach at Apple.”‘ I’ve seen no confirmation of that anywhere, but it’s certainly a good time to check that your AppleID credentials are in good shape.

Commentary by Graham Cluley here. You might want to consider taking up his suggestion of  enabling two-step verification on your Apple ID account, too.

David Harley

ESET Latin America on Ransomware

Here’s an article from my colleague ESET Camilo Gutiérrez Amaya, Head of Awareness & Research for Latin America: Ransomware: First files … now complete devices.

The article is actually adapted from the ransomware  section of ESET’s 2016 trends paper (In)security Everywhere, but worth reading if you haven’t read that somewhat hefty document.

David Harley