Kaspersky researcher on Russian ransomware ecosystem

Anton Ivanov for Kaspersky: A look into the Russian-speaking ransomware ecosystem.

He says:

One of the findings of our research is that 47 of the 60+ crypto ransomware families we’ve discovered in the last 12 months are related to Russian-speaking groups or individuals.

And:

While analyzing the attack statistics for 2016, we discovered that by the end of the year a regular user was attacked with encryption ransomware on average every 10 seconds, with an organization somewhere in the world hit around every 40 seconds.

Good article.

David Harley

LogicLocker PoC ICS ransomware

An ICS attack – or rather a PoC simulation – from Georgia Institute of Technology, making a big splash at RSA.

David Harley

Jolly Roger scuppers scammers

I’m not very good at engaging with tech support scammers directly on the phone. Back in the heyday of coldcalling scammers, I would try to string them along for a while just to see if they had any new wrinkles and gambits I ought to know about. But to be honest, I tended to get too angry, too quickly, and often blew it by telling them exactly what I thought of them. Or, in one or two cases, by dissolving into uncontrollable laughter at some of their more outrageous claims. But for me, it hasn’t really been about entertainment.

Certainly we’ve learned a lot over the years from people who’ve pretended to let a scammer onto their precious systems, but in reality have simply enticed him onto a disposable virtual machine and simply refreshed the image when they’d had their fun.  My only reservation is that if you let a scammer within a hundred miles of accessing your system remotely, you’d better be sure you know what you’re doing.

There are, of course, people who are at least in part driven by the desire for amusement and to waste a scammer’s time and energy. And while I think this is more a matter of diversion than of having a real impact on the problem, I certainly don’t object in principle to eating into a scammer’s profit margins.

David Bisson describes for Tripwire an interesting way to waste a scammer’s time : One Researcher’s Plan to Broadside Known Windows Tech Support Scammers. He says:

Jolly Roger Telephone Company … specializes in creating bots that blend artificial intelligence and pre-recorded phrases together all for the sake of “talking” with inbound telemarketer scammers. In most cases, the bots waste several minutes of the scammers’ time before the fraudsters catch on and disconnect.

Jolly Roger itself says:

…now there is a way to fight back.  The Jolly Roger Telephone Co. provides a friendly, agreeable, patient robot that talks to these rude telemarketers for you. It is happy to chat, and will typically keep an unwary salesperson engaged for several minutes.

I’m certainly not saying you should use its services, and I’m not even sure I’ll add it to the resources page here. But you might at least get some amusement by wandering around its site for a few minutes. Personally, I’d rather make a few scammers walk the plank.

David Harley

Backup and Ransomware

Ransomware isn’t the only reason to implement a good backup strategy – for home users as well as for businesses – but it’s a pretty good one, and these days you can’t afford a backup strategy that doesn’t take ransomware’s evil little ways into account.

In an article for Graham Cluley’s blog, David Bisson offers some pretty good advice, in a form that practically anyone can understand.

How to create a robust data backup plan (and make sure it works) – The backup basics that every end-user should know!

David Harley

ESET: Key Insights & Key Card Ransomware

ESET’s WeLiveSecurity blog put together an article combining commentary from Stephen Cobb, Lysa Myers and myself: Ransomware: Key insights from infosec experts.

Yesterday, the site also commented on a story – Austrian hotel experiences ‘ransomware of things attack’ – that I also touched upon for ITSecurity UK: Key Card Ransomware: News versus FUD.

David Harley

Backup and Ransomware – a Contender?

Backup is a critical component of any realistic strategy for countering ransomware.

I’ve been aware of Acronis in the area of backup software for some while but haven’t been familiar with their products, though I seem to remember seeing their trial versions on magazine giveaway CDs back in the days when I actually used to read ‘real’ IT magazines.

Recently I was contacted by their VP of Communications regarding their personal backup program, which apparently includes anti-ransomware and blockchain technology. Well, I can’t endorse the product because I haven’t used it, and I don’t do reviews. Well, not of other security-related products: that would be rather flaky ethically, since much of my income currently comes from providing services to a specific security company. (So if you’re one of the many people who’ve wanted me to tell them which anti-malware product they should buy, that’s why I’ve generally politely declined, in case I didn’t say so at the time.)

But I don’t see any harm in noting it as a possible layer of defence.

Acronis Active Protection  is claimed to ‘Ensure[s] constant data availability even when faced with a ransomware attack.’ As described here, it seems to use techniques not unlike those used by some mainstream anti-malware products* to detect a ransomware attack in process generically and in real time, and take appropriate countermeasures. I can’t, of course, say how effective those measures are, and I’m not going to take Acronis’s claim that it ‘solves…the nightmare’ without a large dollop of salt. However, the product isn’t pitched as replacing other security products, and the press release suggests better understanding of the nature of the ransomware problem than some other backup solution PR I’ve seen. So while I can’t make a recommendation as such, Acronis may indeed be worth looking more closely at if you’re not sure what to do about your backup strategy as one of your concerns about ransomware.

And if you’re not thinking about backup, you don’t understand the ransomware problem.

*However, the site does claim that Active Protection ‘doesn’t conflict with antivirus software and Windows Defender.’

David Harley

Ransomware targeting schools

Action Fraud warns that:

Fraudsters are posing [as] government officials in order to trick people into installing ransomware which encrypts files on victim’s computers [by] …cold calling education establishments claiming to be from the “Department of Education”. They then ask to be given the personal email and/or phone number of the head teacher/financial administrator.*

They claim that they need to email guidance to the person in authority because of sensitive comment. However, the attachment contains ransomware.

* Contains public sector information licensed under the Open Government Licence v3.0.

Commentary by Graham Cluley for BitDefender: Schools warned about cold-calling ransomware attacks

David Harley

 

Support Scammers hit Mac users with DoS attacks

 examines another attack somewhere on the thin borderline between ransomware and tech support scams: Tech support scam page triggers denial-of-service attack on Macs. This is another instance of scammers encouraging victims to call a fake helpline by hitting them with some sort Denial of Service (DoS) attack: in this case, by causing Mail to keep opening email drafts until the machine freezes, or using iTunes., apparently to put up a fake alert.

Commentary by David Bisson for Tripwire: Tech Support Scam Creates Series of Email Drafts to Crash Macs.

David Harley

 

Ransomware Roundup – Koolova, KillDisk and more

Koolova

Perhaps the oddest thing to pop up recently is the Koolova ransomware (which refers to itself as Nice Jigsaw): it encrypts files and threatens to delete them, but supplies a decryption key once the victim has read two articles: Google’s  Stay safe while browsing  and Bleeping Computer’s Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom.

Lawrence Abrams: Koolova Ransomware Decrypts for Free if you Read Two Articles about Ransomware. Commentary by Graham Cluley for Tripwire: Ransomware Offers Free Decryption if you Learn About Cybersecurity.

I have to agree with Abrams that there’s something creepy (to say the least) about this. But not only because it cites one of his own articles. Even though the ‘ransom’ isn’t monetary, there are less offensive ways in which someone could make that ‘educational’ point without compromising someone else’s data and without the barely-concealed gloating because of the power they have over the victim but choose not to exercise. And I find it hard to believe that the people behind this are always going to be so ‘nice’. Are they priming the pump for a different kind of attack?

KillDisk

For ESET, Robert Lipovsky and Peter Kálnai have more information on KillDisk’s recent foray into ransomware: KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt.

They summarize:

The recent addition of ransomware functionality seems a bit unusual, as previous attacks were cyber-espionage and cyber-sabotage operations. Considering the high ransom of around USD 250,000 – resulting in a low probability that victims would pay up, in addition to the fact that the attackers have not implemented an efficient way of decrypting the files, this seems more like a nail in the coffin, rather than a true ransomware campaign.

GoldenEye

Meanwhile, the Petya-derived GoldenEye has been targeting German-speaking HR departments as a way into the lucrative corporate ransomware market. According to Checkpoint:

The first attachment is a PDF containing a cover letter which has no malicious content and its primary purpose is to lull the victim into a false sense of security. The second attachment is an Excel file with malicious macros unbeknown to the receiver.

Not a novel approach, but it’s worked well for other types of malware (including Cerber), and I see no reason why it shouldn’t be effective this time, even though (as David Bisson points out):

While those in HR should expect to receive emails from all kinds of people, they shouldn’t give anyone who sends a Microsoft Office document with macros enabled the time of day. In fact, organizations should make sure that every computer in every department disables Office macros by default.

CryptoMix/CryptFile2

Cert.PL offers analysis of the newly-polished tur^H^H^H CryptFile2, now known as CryptoMix: Technical analysis of CryptoMix/CryptFile2 ransomware

Among its ‘interesting’ features:

  • The ‘insane’ ransom amount (currently 5 bitcoin)
  • There’s a suggestion in the analysis that paying is likely to generate further ransom demands, but not the decryption keys
  • The crooks claim that the ransom will be contributed to a children’s charity, and that the victim will get free PC support. Yeah, right.

In fact, none of this information is particularly new, but the technical analysis is interesting.

DeriaLock

A fast-evolving threat appeared on Christmas Eve 2016, but researchers quickly provided free decryptors.

Decryptors are available from Checkpoint and from MalwareHunterTeam’s Michael Gillespie.

Unnamed PHP Ransomware(-ish)

Checkpoint also has a decryptor for the unnamed PHP ransomware also described in its article. In fact, ransomware might be the wrong word in this case, since at present it displays no ransom ‘note’ and has no known channel for paying a ransom.

David Harley

LG TV ransomware revisited

In case you were wondering what happened as regards the story I previously blogged here – Smart TV Hit by Android Ransomware – it appears that LG has decided after all to make the reset instructions for the TV public rather than requiring an LG engineer to perform the task for only twice the price of a new set… Note that this was an old model running Android, not a newer model running WebOS.

Catch-up story by David Bisson (following up on his earlier story for Metacompliance) for Graham Cluley’s blog: How to remove ransomware from your LG Smart TV – And the ransomware devs go home empty-handed!

The article quotes The Register’s article here, which details the instructions, but also links to a video on YouTube by Darren Cauthon – who originally flagged the problem – demonstrating the process.

[Also posted at Mac Virus]

David Harley