Security Essentials or Support Scam?

Microsoft describes a malicious program that masquerades as an installer for Microsoft’s own Security Essentials program. What Hicurdismos actually does is generate a fake Blue Screen of Death (BSoD) including a ‘helpline number’: so yes, it’s essentially a malware-aided tech support scam. It is spread by drive-by-download, and takes a number of steps to make itself look like a serious system issue, such as hiding the mouse cursor and disabling Task Manager.

Security Essentials is still available from Microsoft’s own support site for Windows version 7 and below. Windows 8.x and 10 users should note that it can’t be used on their systems,. However, they don’t need it since the version of Windows Defender that comes with 8.x and 10 has equivalent functionality (unlike the version on earlier Windows versions). However, apart from the pointer to the ‘helpline’, the fake BSoD closely resembles an error message that may be seen in those versions. Would that convince 8.x and 10 users that they also need the fake Essentials? Microsoft seems to think so.

Fortunately, it’s widely detected.

SHA1: e1e78701049a5e883a722a98cdab6198f7bd53a1

SHA256: 7dcbd6a63cb9f56063d2e8c5b17b3870bb2cbaeaafff98ce205d742cce38ba96

VirusTotal report: at 24th October 2016, 42 out of 56 vendors were shown as detecting it.

Commentary from The Register: Microsoft: Watch out millennials for evil Security Essentials

David Harley

Interest rates down, bitcoin stockpiles up

The Guardian and the International Business Times offer a sidebar to the ‘Do/should businesses/organizations pay up?’ discussion, by revealing that financial institutions are amassing bitcoin in case of extortion. However, both articles are focused on DDoS attacks and related extortion demands rather than ransomware. The IBT article doesn’t really go into the question of whether paying up is a Good Thing, except to quote Dr. Simon Moores: ‘”The police will concede that they don’t have the resources available to deal with this because of the significant growth in the number of attacks.” The article in the Guardian (from which the IBT seems to have drawn most of its content) does explore that issue in more depth, but doesn’t discuss ransomware at all.

However, IBT does quote Marcin Kleczynski of Malwarebytes as saying a couple of months ago that he knew of UK banks that have substantial quantities of bitcoin ready to deploy in the event of a ransomware attack. Well, that’s going to discourage the bad guys, isn’t it? 🙁

International Business Times: UK banks allegedly stockpiling Bitcoin to pay off cybercrime extortion threats – Police ‘don’t have the resources’ to combat cyber extortion attempts, expert claims.

David Harley

APWG statistics

According to the Anti-Phishing Working Group’s report for the second quarter of 2016, phishing attacks (as measured by the number of phish sites) reached an all-time high in that period (61% higher than the previous recorded high in 2015 Q4). It also cites PandaLabs as reporting detection of 18 million ransomware programs over that period, amounting to more than 200,000 per day.

Phishing Activity Trends Report 2nd Quarter 2016

David Harley

Decrypters info

An article by Charlie Osborne for ZDnet/Zero Day includes an alphabetical list of ransomware families for which decrypters are available, with links. It’s not, of course, a complete list (either of remediable ransomware or of reputable sources of decrypters) but the sources it does list are indeed reputable. As we’re seeing an increasing number of less reputable sources misusing SEO, blog comments and so on, that’s not a small consideration. Added to the Specific Ransomware Families and Types and Ransomware Recovery and Prevention pages.

Remove ransomware infections from your PC using these free tools – A how-to on finding out what ransomware is squatting in your PC — and how to get rid of it.

Ransomware listed includes: Al-Namrood, Apocalypse, ApocalypseVM, Autolocky, BadBlock, Bart, Bitcryptor, Cerber v.1, Chimera, CoinVault, CrypBoss, CryptoDefense, CryptInfinite, CryptXXX v.1 & 2, CryptXXX v1, 2, 3, 4, 5, DMALocker, DMALocker2, Fabiansomware, FenixLocker, Gomasom, Globe, Harasom, HydraCrypt, Jigsaw, KeyBTC, Lechiffree, Marsjoke | Polyglot, Nemucod, Nemucod, MirCop, Operation Global III, TeslaCrypt, PClock, Petya, Philadelphia, PowerWare, Rakhni & similar, Rannoh, Shade v1 & 2, SNSLocker, Stampado, TeslaCrypt v1, 2, 3, 4, UmbreCrypt, Vandev, Wildfire, Xorist, 777

Backup, PR Pressure and Ransomware

I recently received a spate of emails from a PR person suggesting that I add Lee Munson’s article on The history of ransomware to the AVIEN ransomware resources pages. I nearly ignored it altogether because  I don’t respond well to PR pressure. It’s one of the few things I have in common with career journalists…

Backup: the Why and How

However, the article is a reasonable introductory guide and offers a brief history that includes some (but by no means all) ransomware families and some reasonable advice, so I’m OK with including it, here. That said, while I agree that backups are an essential precaution (and not only because of the risk of a ransomware attack), he misses an essential point. Of course it’s ‘preferable’ to have offsite backups in case of ‘the risks of a fire etc. in your own home’, but many people and organizations nowadays don’t think first in terms of physical media like optical disks and flash storage, but rather in terms of some form of cloud storage. Which are very likely to be offsite, of course.

Offsite versus Offline

However, where such storage is ‘always on’, its contents may be vulnerable to compromise by ransomware in the same way that local storage is, so it’s important that offsite storage:

  • Is not routinely and permanently online
  • Protects backed-up data from automatic and silent modification or overwriting by malware when the remote facility is online
  • Protects earlier generations of backed-up data from compromise so that even if disaster strikes the very latest backups, you can at least retrieve some data, including earlier versions of current data.

Most articles on backup aimed at home users don’t go deeply into backup strategies, especially as utilized by system administrators, and that’s a gap I’m considering trying to fill. (However, Aryeh Goretsky’s article for ESET, Options for backing up your computer, is a good summary for home users, even though it’s several years old.)

Making the Cloud less Nebulous

For the moment it’s worth remembering that backup isn’t a fire-and-forget one-time exercise, but an ongoing task. Furthermore, the last thing you want to do is rely on a single generation of backups on a single site, or using a single provider. Bear in mind also that when cloud providers offer versioning, when backup of a file is triggered when it is modified, it may or may not mean that (one or more) earlier generations of the same file are preserved. It may be more convenient to keep only the latest version of a document, thus saving both space and the potential hassles of version control. But it makes sense to have a generational strategy in place so that you can, if necessary, roll back to a previous version and build on that. It makes even more sense to have read-only versions in reserve, for obvious reasons.

David Harley

Android Screenlockers using pseudorandomized passcode

While I’ve been occupying various workfree zones for the past few weeks, ransomware has evidently not gone away. Older versions of screenlockers often labelled  Android.Lockscreen denied Android users access to their own devices by locking the screen using a hardcoded passcode, which could be found by reverse engineering. However, as Dinesh Venkatesan reports for Symantec:

New variants of Android.Lockscreen are using pseudorandom passcodes to prevent victims from unlocking devices without paying the ransom.

Symantec’s article: Android.Lockscreen ransomware now using pseudorandom numbers – The latest Android.Lockscreen variants are using new techniques to improve their chances of obtaining ransom money.

Commentary by David Bisson for Tripwire.

David Harley

Ransomware Recovery and Prevention page

I’ve intended for a while to break out some of the scattered information in the ransomware resource page and sub-pages into its own Ransomware Recovery and Prevention page.

And finally got around to it.

Much of the same information (and more) remains in the Ransomware Resources page and/or sub-pages. (Sorry, but I’m happy to duplicate information where appropriate. If I had more time to spend on this page, there’d probably be less duplication, but I haven’t…)

However, the new(-ish) page is better organized and more immediately useful (I hope) for people who are interested in barebones recovery and prevention information.

David Harley