Flash Player exploit -> Angler -> CryptXXX

John Leyden heralds a post apparently due to appear on the Malwarebytes site later today (25th May 2016) about a wave of malvertising exploiting the Flash Player exploit (CVE-2016-4117) recently addressed by Adobe in order to direct victims to the Angler exploit kit and launch infection with the CryptXXX ransomware.

I’m guessing that we’re talking about CryptXXX 3.0, which I wrote about earlier today: CryptXXX 3.0: gang breaks own decryptor.

Worth looking out for (the article and the malware).

[Added: Malwarebytes article now published as New Wave of Malvertising Leverages Latest Flash Exploit. Jerome Segura observes:

The ads are typically clean of any malware for anyone trying to manually verify them. The JavaScript code looks benign no matter how many times you refresh the page or rotate IP address. This is because the rogue version of the JavaScript is served conditionally, with the proper referer, user-agent, sometimes even your screen resolution, and several other parameters.

Very interesting.]

David Harley

 

CryptXXX 3.0: gang breaks own decryptor

On May 24th 2016, the CryptXXX situation took a turn for the worse. Lawrence Abrams reported for Bleeping Computer that CryptXXX version 3.0 not only prevented Kaspersky’s RannohDecryptor from enabling victims to decrypt their files for free, but also had the (presumably unintended) effect of breaking the criminals’ own decryption key. In other words, even paying the ransom doesn’t, at the time of writing, guarantee that you’ll get a working decryptor. When a ransomware gang screws up, it doesn’t always work to the benefit of the victim.

Bleeping Computer has some resources specific to CryptXXX: CryptXXX Support & Help Topic; the CryptXXX Ransomware Help, Information Guide, and FAQ.

David Harley

Fake Support, Real Screen Locker Malware

Here’s another instance where ransomware and tech support scams overlap. Jérôme Segura, for Malwarebytes, describes how scammers have moved on from ‘bogus browser locks and fake AV alerts‘ to real screen lockers. In particular, he describes an example of malware shared by @TheWack0lian that passes itself off as a Windows update. However, during the ‘update’ it effectively locks the computer, ostensibly due to an ‘invalid licence key’, forcing the victim to call a ‘support line’.

The article – Tech Support Scammers Get Serious With Screen Lockers – includes a keyboard combination that might disable the locker, and some hardcoded ‘key’ values that might also work. However, it’s likely that there are already variants out there that use different ‘keys’, and if there aren’t, there almost certainly will be.

Commentary by David Bisson for Graham Cluley’s blog is also worth reading: New tech support scams mimic ransomware, lock users’ computers –Beware if you’re asked to pay $250 for a product key to unlock your PC.

David Harley

TeslaCrypt Says Sorry, Provides Decryption Key

Posted by me to the ITSecurity UK site: TeslaCrypt: We’re Sorry, Here’s the Decryption Key. Since they (or other operators) seem to have moved on to CryptXXX, I’m not sure how seriously we should take that apology.  ESET and BloodDolly have released decryptors: Instructions for the ESET tool are here, and for BloodDolly’s tool at Bleeping Computer here.

David Harley

Tech Kangaroos: wish they’d hop it?

Malwarebytes describes getting the jump on a group apparently responsible for impersonating legitimate security companies. Well, that sort of impersonation is pretty standard for tech support scammers, but in this case Malwarebytes is talking about ‘a fraudulent page which the crooks built by stealing the graphics from the Malwarebytes website and altering it to trick people into calling a toll-free number.’

And not only Malwarebytes. The article includes some screenshots of fake sites impersonating Microsoft, AVG, Kaspersky, ESET and so on.

Here’s the Malwarebytes article: The hunt for tech support scammers. Commentary by SC Magazine: Scammers impersonate legit cyber-security companies

Added to tech support resources page.

David Harley

Ransomware update

(1)

I haven’t checked out Troy Hunt’s Introduction to Ransomware video for Varonis yet myself. If I can find time to, I’ll report back here. But I’d be surprised if it turned out to be useless. 🙂 It is apparently free, and you can watch three of the eight lessons before deciding whether to register.

(2)

For Help Net Security, Zeljka Zorz reports that CryptoXXX version 2.0 bypasses Kaspersky’s decryption tool and locks the screen after it pops up its ransom message, .

  • Commentary from Proofpoint
  • Commentary from David Bisson for Graham Cluley’s blog, pointing out that the victim is forced to use a different system even if they decide to pay the ransom.

Nick Bilogorskiy for Cyphort describes how celebrity gossip site PerezHilton has been targeted by malvertising and used to deliver CryptoXXX and other malware via Angler and another exploit kit: Malvertising on Pace for a Record-Breaking Year. Commentary by Darren Pauli for The Register: Prince of pop trash PerezHilton pwned, visitors hit with cryptxxx – Some of Hollywood hack’s 500k visitors smashed with Angler, ransomware combo. And by David Bisson for Graham Cluley’s blog: Perez Hilton website visitors hit by two malvertising attacks in same weekNo wonder adblockers are on the rise…

(3)

Unit 42’s document Unlocking the lucrative criminal business model is a reasonable overview of the ransomware issue generally. Palo Alto’s Ryan Olson announced it here: Ransomware Is Not a “Malware Problem” – It’s a Criminal Business Model. OK, but actually most malware nowadays conforms to a business model…

(4)

Ransomware is not a static landscape, as item (2) above indicates. One of the reasons I have tried not to oversell the Specific Ransomware Families and Types is that I can’t guarantee that it’s up to date at all times, even on the limited range of ransomware it covers. In the same way, the information in the Google spreadsheet here may also become outdated, but it does seem to have a number of potential contributors to help maintain it. On the other hand, that might actually mean that it remains partial because it favours the resources with which the contributors are associated, and while I’ve seen it suggested that it covers all ransomware, that’s just wishful thinking.

Nonetheless, it could certainly be useful as a starting point when looking for information, but I’d suggest that you don’t assume that it is authoritative.

(5)

Information from Bleeping Computer on Enigma (the ransomware, not the WW2 machine): The Enigma Ransomware targets Russian Speaking Users. While it appears to try to delete Shadow Volume Copies, it seems it doesn’t always succeed: if this is the case for you, this may help.

David Harley

Ransomware Updates (2)

(1) Action Fraud article about DDoS extortion threats by a hacking group: Online extortion demands affecting businesses. Commentary by SC Magazine: Action Fraud warns of new wave of Lizard Squad DDoS attacks

(2) Catalin Cimpanu for Softpedia: Decrypter for Alpha Ransomware Lets Victims Recover Files for Free.

(3) CryptoMix: ransomware that makes the ludicrous claim that the 5 bitcoin ransom will be paid to a children’s charity. Related to CryptoWall 4.0 and CryptXXX: no free decrypter currently available.

David Harley

Ransomware updates (1)

I can’t say that the ransomware landscape hasn’t been busy for the past week or two, but so have I, on entirely different issues. I have been adding links etc. to resources pages, and they’re not all referenced here, but here’s an update on some stuff I’ve added today.

(1) Cylance’s analysis of AlphaLocker. (HT to Artem Baranov for drawing my attention to it.) Useful stuff, despite the customary AV-knocking.

(2) Help Net Security posted a useful update referring to commentary from Kaspersky – New ransomware modifications increase 14%. Points made in the article include these:

  • The (sub)title refers to 2,896 modifications made to ransomware in the first quarter of 2016, an increase of 14%, and a 30% increase in attempted ransomware attacks.
  • According to Kaspersky, the ‘top three’ offenders are ‘Teslacrypt (58.4%), CTB Locker (23.5%), and Cryptowall (3.4%).’ Locky and Petya also get a namecheck.
  • Kaspersky also reports that mobile ransomware has increased ‘from 1,984 in Q4, 2015 to 2,895 in Q1,2016.’

(3) Graham Cluley, for ESET, quotes the FBI: No, you shouldn’t pay ransomware extortionists. Encouragingly, the agency seems to have modified its previous stance in its more recent advisory. The agency also offers a series of tips on reducing the risk of succumbing to a ransomware attack. Basic advice, but it will benefit individuals as well as corporate users, and reduce the risk from other kinds of attack too. I was mildly amused, though, to read in the FBI tips:

– Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

It’s a bit tricky to back up data without connecting to the system used for primary storage. I think what the FBI probably meant was that you shouldn’t have your secure backups routinely or permanently accessible from that system, since that entails the strong risk that the backups will also be encrypted.

The tips include a link to an FBI brochure that unequivocally discourages victims from paying the ransom, as well as expanding on its advice. And it is clearer on the risk to backups:

 Examples might be securing backups in the cloud or physically storing offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization. Backups are critical in ransomware; if you are infected, this may be the best way to recover your critical data.

David Harley

Ransomware: the gift cards that keep on giving

While Bitcoin (and its competitors/peers, potentially, I suppose) have obvious advantages for the extortionist, we’ve seen a curious shift towards other forms of ransom payment recently. I described in Music-Loving Android.Locker Ransomware malware that demands payment in iTunes gift cards, while Lawrence Abrams for Bleeping Computer reports on something called TrueCrypter that demands payment either as 0.2 bitcoins or as $115 in Amazon gift cards: TrueCrypter Ransomware accepts payment in Bitcoins or Amazon Gift Card.

He also mentions an unnamed Android screen locker that also demands Amazon gift cards. He observes:

This is an odd choice of a ransom payment as the Amazon Gift Card funds can easily be tracked by Amazon.  This, and the fact that the payment confirmation system is broken, makes me believe that this program was made by an amateur rather than a seasoned malware developer.

He has a point, but I’m told there are forums where gift cards might be ‘laundered’ before they turn up in the virtual economy. Still, TrueCrypter looks very amateur for other reasons, too. Just clicking on the ‘Pay’ button decrypts your files. I suspect that won’t always be the case, though.

David Harley

DaaS-tardly Doxing

Here’s a slightly different twist on extortion that doesn’t involve ransomware. Steve Ragan describes for CSO Salted Hash how a Website offers Doxing-as-a-Service and customized extortion. The subtitle explains the business model:

Those posting Dox will get a commission, or they can pay to have someone’s personal details exposed

The amount of commission depends on the type of Doxing. In ascending order of payment:

  • Miscellaneous
  • Revenge
  • Paedophiles [the American spelling is used by the site: Cymmetria’s Nitsan Saddan is quoted as believing that it’s likely that ‘these are American players.’]
  • Law enforcement
  • Famous

The DaaS-tardly doxing service is priced according to the type of information collected, from the barest details to a complete profile. Ragan observes that the service doesn’t seem to be collecting customers – at any rate:

…the Bitcoin wallet used to process payments for this service has received no transactions.

And he has seen little traction on the site since he’s been monitoring it. Nevertheless, he predicts that this kind of activity will become more common.

David Harley