Reporting cybercrime

I haven’t checked the links yet, but Yasin Soliman’s article for Graham Cluley’s site looks really useful. How to report a cybercrime – Who you gonna call? includes a table with contact points in the US appropriate to several categories: I’m guessing that followers of this blog will find the links for ‘Internet fraud and SPAM’ particularly relevant. There are also links to agencies in other parts of the world.

The trouble with compiling such lists of links (which I’ve done many times over the years, in a variety of contexts) is that the links change over time, not only because web pages get changed around, but because agencies (like security companies) are renamed or replaced, or disappear altogether. Right now, though, this looks like an excellent resource.

David Harley

Europol says ‘No More Ransom’

Europol, the European Union’s law enforcement agency, has announced an initiative to address the ransomware issue. (Hat Tip to Kevin Townsend, who first brought it to my attention.)

The agency’s announcement tells us that:

No More Ransom(www.nomoreransom.org) is a new online portal aimed at informing the public about the dangers of ransomware and helping victims to recover their data without having to pay ransom to the cybercriminals…

…The project has been envisioned as a non-commercial initiative aimed at bringing public and private institutions under the same umbrella. Due to the changing nature of ransomware, with cybercriminals developing new variants on a regular basis, this portal is open to new partners’ cooperation.

The site includes:

  • Crypto Sheriff – a form for helping victims try to find out which malware they’re affected by and whether a decrypter is available. Sounds like a potentially useful resource, even though the little graphic reminds me a little of the late, lamented Lemmy rather than a hi-tech search facility. Somewhat similar to MalwareHunter’s ID Ransomware facility.
  • A Ransomware Q&A page
  • Prevention Advice
  • An About page
  • Advice on how to Report a Crime
  • And a limited range of decryption tools from Kaspersky (mostly) and Intel.

Infosecurity Magazine’s commentary notes that:

‘In its initial stage, the portal contains four decryption tools for different types of malware, including for CoinVault and the Shade Trojan. In May, ESET claimed that it had contacted TeslaCrypt’s authors after spotting a message announcing they were closing their ‘project’ and offered a decryption key.

‘Raj Samani, EMEA CTO for Intel Security, told Infosecurity that both Intel Security and Kaspersky had developed decryption tools to apply against Teslacrypt, and these will be posted to the website shortly.

Well, I’m not in a position to compare the effectiveness of various TeslaCrypt decrypters, and I do understand that it’s important for the “The update process for the decryption tools page …[to]… be rigorous.” Kaspersky in particular has a good reputation for generating useful decrypters. And the AVIEN site is certainly not here to pursue ESET’s claim to a portion of the PR pie. Still, there are decrypters around from a variety of resources apart from the companies already mentioned (see Bleeping Computer’s articles for examples). I hope other companies and researchers working in this area will throw their hats into the ring in response to Europol’s somewhat muted appeal for more partnerships, so that the site benefits from a wider spread of technical expertise and avoids some of the pitfalls sometimes associated with cooperative resources. As it states on the portal:

“the more parties supporting this project the better the results can be, this initiative is open to other public and private parties”.

Here are some links for standalone utilities that I’ve listed on the ransomware resource pages here. [Note, however, that these haven’t been rigorously checked, or not by me at any rate.]

Standalone Decryption Utilities

I haven’t personally tested these, and they may not work against current versions of the ransomware they’re intended to work against. Note also that removing the ransomware doesn’t necessarily mean that your files will be recovered. Other companies and sites will certainly have similar resources: I’m not in a position to list them all.

Bleeping Computer Malware Removal Guides

ESET standalone tools

Included with tools for dealing with other malware.

Also: How do I clean a TeslaCrypt infection using the ESET TeslaCrypt …

Kaspersky Tools

CoinVault decryption tool
CryptXXX decryption tool

Trend Micro Tools

Emsisoft Decryptors

18-4-2016 [HT to Randy Knobloch] N.B. I haven’t tested these personally, and recommend that you read the ‘More technical information’ and ‘Detailed usage guide’ before using one of these.

David Harley

 

 

Decrypter for Locky-imitating PowerWare

Zeljka Zorz reports for Help Net Security: Decrypter for Locky-mimicking PowerWare ransomware released – Palo Alto Networks’ researchers have created a decrypter for the variant of the PoshCoder ransomware that imitates the Locky ransomware. Josh Grunzweig’s decryptor is a Python script available here.

Zeljka points out ‘They can try following these instructions on Python.com on how to run a Python script on Windows, or ask someone more knowledgeable to help them clean their machine up.’

Added to the relevant resources page here.

David Harley

Jackware: carjacking and ransomware

My friend and colleague Stephen Cobb, for ESET, recently posted an article on Jackware: When connected cars meet ransomware. He says:

I define jackware as malicious software that seeks to take control of a device, the primary purpose of which is not data processing or digital communications. A car would be such a device. A lot of cars today do perform a lot of data processing and communicating, but their primary purpose is to get you from A to B. So think of jackware as a specialized form of ransomware. With regular ransomware, such as Locky and CryptoLocker, the malicious code encrypts documents on your computer and demands a ransom to unlock them. The goal of jackware is to lock up a car or other device until you pay up.

Fortunately, and I stress this: jackware is, as far as I know, still theoretical. It is not yet “in the wild”

So speculation, but informed speculation, a hot topic, and well-written (of course).

David Harley

Ransomware: F-Secure looks at the ‘customer’ experience

Useful resources from F-Secure:

Commentary by The Register: Ransomware gang: How can I extort you today? Step 1. Improve customer service. Step 2.???? Step 3 PROFIT!!!

David Harley

Delilah: Ransomware and Recruitment

When Chuck Berry recorded ‘Beautiful Delilah’ back in the 1950s, he wasn’t thinking of anything like the Trojan described by Diskin, according to Gartner’s Avivah Litan, as gathering ‘enough personal information from the victim so that the individual can later be manipulated or extorted.’ By which the company seems to include recruitment of insiders by forcing them to leak data.

The article concludes:

Insider threats are continuing to increase with active recruitment of insiders from organized criminals operating on the dark web.

Commentary by Darren Pauli for The Register: Extortion trojan watches until crims find you doing something dodgy – And then the extortion starts and you’re asked to steal critical data

David Harley

Pokémon beGOne – malware exploiting a popular craze

[Also published on the Mac Virus blog, which also addresses smartphone security issues]

Not quite ransomware (though there is a suggestion that it may happen), but but my ESET Lukas Stefanko describes a fake lockscreen app that takes advantage of the currently prevalent obsession with Pokémon GO to install malware. The app locks the screen, forcing the user to reboot. The reboot may only be possible by removing and replacing the battery, or by using the Android Device Manager. After reboot, the hidden app uses the device to engage in click fraud, generating revenue for the criminals behind it by clicking on advertisements.  He observes:

This is the first observation of lockscreen functionality being successfully used in a fake app that landed on Google Play. It is important to note that from there it just takes one small step to add a ransom message and create the first lockscreen ransomware on Google Play.

In fact, it would also require some other steps to enable the operators to collect ransom, but the point is well taken. It’s an obvious enough step that I’m sure has already occurred to some ransomware bottom-feeders. And it’s all to easy for a relatively simple scam to take advantage of a popular craze.

Clicking on porn advertisements isn’t the only payload Lukas mentions: the article is also decorated with screenshots of scareware pop-ups and fake notifications of prizes.

The ESET article is here: Pokémon GO hype: First lockscreen tries to catch the trend

Somewhat-related recent articles from ESET:

Other blogs are available. 🙂

David Harley

If it’s encrypting, perhaps it’s ransomware

Researchers from the University of Florida and Villanova University suggest that ransomware can be mitigated by detecting its encrypting files early in the process:

CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data

A good idea, but some anti-malware programs already do something like this (i.e. flag programs that start encrypting files in bulk). But still a good idea. At The Register, Richard Chirgwin offers a round of applause:

Florida U boffins think they’ve defeated all – ransomware Crypto Drop looks for tell-tale signs that files are being encrypted

David Harley

Ranscam: paying up won’t get your files back

Whenever I think that the various criminals behind ransomware can’t sink any lower, someone comes along and proves me wrong.

Edmund Brumaghin and Warren Mercer in a post for Talos describe a particularly vicious example of ransomware they call Ranscam, which doesn’t bother to encrypt files. It claims that the files have been moved to a ‘hidden, encrypted partition’ , but in fact the malware simply deletes them, makes it difficult as possible to recover them, and then puts up a ransom demand. In fact, the criminals have no way of recovering the victim’s files: they just take the money, given the opportunity. As the authors put it:

Ranscam further justifies the importance of ensuring that you have a sound, offline backup strategy in place rather than a sound ransom payout strategy.

The Talos blog: When Paying Out Doesn’t Pay Off.

Commentary by John Leyden for The Register: Nukeware: New malware deletes files and zaps system settings – When you’ve paid up, but there’s nothing to unlock.

David Harley