Lockdroid’s text-to-speech unlocking

Catalin Cimpanu, for Bleeping Computer, details Lockdroid’s novel use of TTS functions as part of the post-payment unlocking process: Android Ransomware Asks Victims to Speak Unlock Code. Based on a report from Symantec that I haven’t seen yet.

Lockdroid’s current campaigns appear to be focused on China, but that doesn’t mean its innovations won’t be seen elsewhere. Symantec’s Dinesh Venkatesan noted implementation bugs and that it might be possible for a victim to recover the unlock code from the phone.

David Harley

Tech Support Scams in Spain

My colleague Josep Albors came to a surprising conclusion in his Spanish-language blog article Fake technical support is the most detected threat in Spain during January. I was so taken with the article that I produced a somewhat free translation with copious extra commentary for WeLiveSecurity: Support scams now reign in Spain.

David Harley

Kaspersky researcher on Russian ransomware ecosystem

Anton Ivanov for Kaspersky: A look into the Russian-speaking ransomware ecosystem.

He says:

One of the findings of our research is that 47 of the 60+ crypto ransomware families we’ve discovered in the last 12 months are related to Russian-speaking groups or individuals.

And:

While analyzing the attack statistics for 2016, we discovered that by the end of the year a regular user was attacked with encryption ransomware on average every 10 seconds, with an organization somewhere in the world hit around every 40 seconds.

Good article.

David Harley

LogicLocker PoC ICS ransomware

An industrial control system (ICS) attack – or rather a PoC simulation – from Georgia Institute of Technology, making a big splash at RSA.

David Harley

Jolly Roger scuppers scammers

I’m not very good at engaging with tech support scammers directly on the phone. Back in the heyday of cold-calling scammers, I would try to string them along for a while just to see if they had any new wrinkles and gambits I ought to know about. But to be honest, I tended to get too angry, too quickly, and often blew it by telling them exactly what I thought of them. Or, in one or two cases, by dissolving into uncontrollable laughter at some of their more outrageous claims. But for me, it hasn’t really been about entertainment.

Certainly we’ve learned a lot over the years from people who’ve pretended to let a scammer onto their precious systems, but in reality have simply enticed him onto a disposable virtual machine and refreshed the image when they’d had their fun. My only reservation is that if you let a scammer within a hundred miles of accessing your system remotely, you’d better be sure you know what you’re doing.

There are, of course, people who are at least in part driven by the desire for amusement and to waste a scammer’s time and energy. And while I think this is more a matter of diversion than of having a real impact on the problem, I certainly don’t object in principle to eating into a scammer’s profit margins.

David Bisson describes for Tripwire an interesting way to waste a scammer’s time: One Researcher’s Plan to Broadside Known Windows Tech Support Scammers. He says:

Jolly Roger Telephone Company … specializes in creating bots that blend artificial intelligence and pre-recorded phrases together all for the sake of “talking” with inbound telemarketer scammers. In most cases, the bots waste several minutes of the scammers’ time before the fraudsters catch on and disconnect.

Jolly Roger itself says:

…now there is a way to fight back. The Jolly Roger Telephone Co. provides a friendly, agreeable, patient robot that talks to these rude telemarketers for you. It is happy to chat, and will typically keep an unwary salesperson engaged for several minutes.

I’m certainly not saying you should use its services, and I’m not even sure I’ll add it to the resources page here. But you might at least get some amusement by wandering around its site for a few minutes. Personally, I’d rather make a few scammers walk the plank.

David Harley

Backup and Ransomware

Ransomware isn’t the only reason to implement a good backup strategy – for home users as well as for businesses – but it’s a pretty good one, and these days you can’t afford a backup strategy that doesn’t take ransomware’s evil little ways into account.

In an article for Graham Cluley’s blog, David Bisson offers some pretty good advice, in a form that practically anyone can understand.

How to create a robust data backup plan (and make sure it works) – The backup basics that every end-user should know!

David Harley

ESET: Key Insights & Key Card Ransomware

ESET’s WeLiveSecurity blog put together an article combining commentary from Stephen Cobb, Lysa Myers and myself: Ransomware: Key insights from infosec experts.

Yesterday, the site also commented on a story – Austrian hotel experiences ‘ransomware of things attack’ – that I also touched upon for ITSecurity UK: Key Card Ransomware: News versus FUD.

David Harley

Backup and Ransomware – a Contender?

Backup is a critical component of any realistic strategy for countering ransomware.

I’ve been aware of Acronis in the area of backup software for some time but haven’t been familiar with their products, though I seem to remember seeing their trial versions on magazine giveaway CDs back in the days when I actually used to read ‘real’ IT magazines.

Recently I was contacted by their VP of Communications regarding their personal backup program, which apparently includes anti-ransomware and blockchain technology. Well, I can’t endorse the product because I haven’t used it, and I don’t do reviews. Well, not of other security-related products: that would be rather flaky ethically, since much of my income currently comes from providing services to a specific security company. (So if you’re one of the many people who’ve wanted me to tell them which anti-malware product they should buy, that’s why I’ve generally politely declined, in case I didn’t say so at the time.)

But I don’t see any harm in noting it as a possible layer of defence.

Acronis Active Protection is claimed to ‘Ensure[s] constant data availability even when faced with a ransomware attack.’ As described here, it seems to use techniques not unlike those used by some mainstream anti-malware products* to detect a ransomware attack in progress generically and in real time, and to take appropriate countermeasures. I can’t, of course, say how effective those measures are, and I’m not going to take Acronis’s claim that it ‘solves…the nightmare’ without a large dollop of salt. However, the product isn’t pitched as replacing other security products, and the press release suggests a better understanding of the nature of the ransomware problem than some other backup solution PR I’ve seen. So while I can’t make a recommendation as such, Acronis may indeed be worth looking at more closely if ransomware has left you unsure what to do about your backup strategy.

And if you’re not thinking about backup, you don’t understand the ransomware problem.

*However, the site does claim that Active Protection ‘doesn’t conflict with antivirus software and Windows Defender.’

David Harley

Ransomware targeting schools

Action Fraud warns that:

Fraudsters are posing [as] government officials in order to trick people into installing ransomware which encrypts files on victims’ computers [by] …cold calling education establishments claiming to be from the “Department of Education”. They then ask to be given the personal email and/or phone number of the head teacher/financial administrator.*

They claim that they need to email guidance to the person in authority because of sensitive comment. However, the attachment contains ransomware.

* Contains public sector information licensed under the Open Government Licence v3.0.

Commentary by Graham Cluley for BitDefender: Schools warned about cold-calling ransomware attacks

David Harley