Quick ransomware links roundup

Lawrence Abrams for Bleeping Computer: The Globe Ransomware wants to Purge your Files

Jornt van der Wiel, for Kaspersky: Wildfire, the ransomware threat that takes Holland and Belgium hostage. Summary/commentary by Darren Pauli for The Register: Intel douses Wildfire ransomware as-a-service Euro menace – Group scored $79k a month with infect-o-tronic rent-a-bot

Lawrence Abrams for Bleeping Computer: New Alma Locker Ransomware being distributed via the RIG Exploit Kit

Links added to the ransomware families resource page.

David Harley

Ransomware Links/Articles Roundup

As I’m a little busy elsewhere right now, this is just a roundup of links:

Trend Micro: New Locky Ransomware Spotted in the Brazilian Underground Market, Uses Windows Script Files

Check Point: CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service. Download the report from here, if you don’t mind sharing your contact details.

David Bisson for Graham Cluley’s blog: Cerber ransomware operation exposed… and boy is it lucrative! Affiliate system makes Cerber one of the most lucrative RaaS platforms in the world

Help Net Security: The inner workings of the Cerber ransomware campaign

David Bisson for Graham Cluley’s blog (again): Pokémon Go for Windows? Beware ransomware! Pokémaniacs at risk.

And David Bisson again: Shade malware attack examines your finances before demanding ransom – Remote control now. Encryption later.

David Harley

Hitler Ransomware

For once, an article about Hitler that doesn’t invoke Godwin’s law

The Register’s John Leyden describes how Hitler ‘ransomware’ offers to sell you back access to your files – but just deletes them: Sloppy code is more risible than Reich, though.

I don’t suppose this gang will finish its career in a bunker in Berlin, but I’d like to think that there is at least a prison in their future.

David Harley


Thermostat Hacking – a Hot Topic

At this year’s Def Con, Andrew Tierney and Ken Munro demonstrated how they created full-blown ransomware to take control of an unnamed brand of smart thermostat ‘and lock the user out until they paid up.’

  • Thermostat Ransomware: a lesson in IoT security. They observe that ‘Our intention was to draw attention to the poor state of security in many domestic IoT devices. Also to raise awareness in the security research community that it’s not all about software hacking. Hardware hacking is often an easier vector.’

  • Commentary by The Register: Thermostat ransomware

It’s not clear right now whether this is another aspect of the story noted by Security Week about Vulnerabilities Exposed Trane Thermostats to Remote Hacking, based on research by Jeff Kitson for Trustwave. But it sounds very similar.

David Harley

Ivan Kwiatkowski on Scamming the Support Scammer

Today’s second look at a link between tech support scams and ransomware is a bit more tenuous. In fact, it deals with a support scammer who was caught unawares by ransomware.

After helping his parents out with a scam website that had tried to trick them into thinking their system had been compromised by the Zeus banking Trojan, Ivan Kwiatkowski accessed the same site and called the ‘helpline number’. After ‘agreeing’ to buy a support package, he offered as payment a ‘fake but valid’ credit card number: that is, one that isn’t associated with a real account but is correctly formatted according to the scheme used by a real card issuer. He persuaded the scammer that he might be reading the card details wrong, and offered to send a picture of the card. What he sent, though, was a zipped JavaScript file which would download Locky and encrypt the scammer’s files.
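A short illustration of what ‘fake but valid’ means in practice. This is an added example, not code from Kwiatkowski’s post or from this blog, and it assumes (as is usual in this context) that a ‘valid’ card number is one with a real issuer’s leading digits and a correct Luhn check digit, which is all that a payment form or a scammer’s order script can verify on its own. Whether the number belongs to a live account is something only an authorization request to the issuer can tell. The leading 4 used below is the conventional Visa prefix; the filler digits are generated here and are not tied to any account.

```python
"""Luhn (mod 10) check: what makes a card number 'valid' in format alone.

Added illustration, not code from the post being discussed. The issuer
prefix (a leading 4, the conventional Visa prefix) is an assumption made
for the example; the filler digits are generated here.
"""
import random


def luhn_sum(digits: str) -> int:
    """Luhn weighted digit sum, mod 10. A result of 0 means the number validates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9        # equivalent to adding the two digits of the product
        total += d
    return total % 10


def normalise(number: str) -> str:
    """Strip the spaces and dashes people type into card fields."""
    return number.replace(" ", "").replace("-", "")


def luhn_valid(number: str) -> bool:
    """Format check only: digits, a plausible PAN length and a correct check digit."""
    digits = normalise(number)
    if not digits.isdigit():
        return False        # letters or stray punctuation: not a card number
    if not 12 <= len(digits) <= 19:
        return False        # PAN lengths in use for payment cards
    return luhn_sum(digits) == 0


def luhn_check_digit(partial: str) -> str:
    """The final digit that makes partial + digit pass the Luhn check."""
    return str((10 - luhn_sum(partial + "0")) % 10)


def make_luhn_valid(prefix: str, length: int, seed: int = 1) -> str:
    """Build a number that starts with an issuer prefix and validates.

    The body is filled from a seeded PRNG so the example is reproducible. The
    result passes any client-side format check but says nothing about whether
    an account with that number exists; only an authorization would.
    """
    body_len = length - len(prefix) - 1
    if body_len < 0:
        raise ValueError("prefix longer than requested length")
    rng = random.Random(seed)
    body = "".join(str(rng.randrange(10)) for _ in range(body_len))
    partial = prefix + body
    return partial + luhn_check_digit(partial)


if __name__ == "__main__":
    # 4242 4242 4242 4242 is a widely published payment-processor test number.
    print(luhn_valid("4242 4242 4242 4242"))   # True: format and check digit are fine
    print(luhn_valid("4242 4242 4242 4241"))   # False: one digit off, check fails
    print(make_luhn_valid("4", 16))            # a 16-digit number with a Visa-style prefix
```

Two caveats for anyone tempted to use this beyond illustration. A generated Luhn-valid number can coincidentally match a real account, so for testing payment code use the test numbers your processor publishes rather than rolling your own. And the check cuts both ways: anyone writing a form that stops at the Luhn check has verified nothing about the cardholder, which is exactly the gap the scammer here fell into.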

I’m not generally in favour of fighting malice with malice, but quite a few researchers who’ve come across this story have been observed trying to conceal an expression of glee, especially as there is no free decrypter for Locky.

Kwiatkowski tells the full story here: How I got tech support scammers infected with Locky

David Harley

Ransomlock.AT: ransomware meets support scams

It’s been a while since I’ve had occasion to talk about the issues that sometimes link tech support scams and ransomware, but now a couple of relevant items have come along more or less simultaneously. First, let’s look at the malware Symantec calls Trojan.Ransomlock.AT.

Symantec describes ‘a new ransomware variant that pretends to originate from Microsoft and uses social engineering techniques to trick the victim into calling a toll-free number to “reactivate” Windows.’ (That is, to unlock the computer.) The article is here: New ransomware mimics Microsoft activation window. The Symantec researchers tried to contact the ‘helpline’ number 1-888-303-5121 but gave up after 90 minutes of on-hold music and messages. Interestingly, a web search for that number turns up dozens of links to sites claiming to help ‘remove’ the number, which Symantec believes to have been promoted by the ransomware operators or their affiliates.

Fortunately, they spent less time on concealing the unlock code, for the moment at any rate. Symantec tells us that ‘Victims of this threat can unlock their computer using the code: 8716098676542789’.

SE Labs tests products against ransomware

SE Labs has been evaluating anti-malware products for their effectiveness against ransomware: Anti-malware vs. ransomware: latest reports

There are reports covering products intended for large businesses/enterprises, small-to-medium businesses, and home users/consumers. I haven’t looked at them in detail yet, but I expect them to be up to Simon Edwards’ usual high standards.

[This item also posted to the Anti-Malware Testing blog.]

David Harley