Ransomware: Affected Platforms & Devices

[Back to the Ransomware Resource Page]

  • ElasticSearch
  • MongoDB
  • Instagram
  • Windows
  • Microsoft Office
  • OS X (macOS)
  • The Internet of Things (IoT)
  • Android
  • iOS
  • Linux
  • Ransomware and Healthcare
  • Ransomware and the Public Sector
  • Ransomware and Education

File-encrypting ransomware is usually aimed at Windows users but we are aware of an increasing number of instances of ransomware that specifically target other platforms.

ElasticSearch

Darren Pauli for The Register: MongoDB hackers now sacking ElasticSearch – Open season on open services

MongoDB

Following reports of tens of thousands of MongoDB database installations attacked with ransomware, the maker published advice on how to avoid unsafe defaults. Thomas Claburn for The Register (11th January 2017):

How to secure MongoDB – because it isn’t by default and thousands of DBs are being hacked – Stop right now and make sure you’ve configured it correctly
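The Register articles on MongoDB and ElasticSearch above both come down to the same root cause: a service that listens on every interface with no authentication. As an added example (not code from The Register, MongoDB or the page author), the script below audits a mongod.conf for exactly those two settings. The configuration keys `net.bindIp`, `net.bindIpAll` and `security.authorization` are real mongod.conf options; the tiny YAML-subset parser, the sample configurations and the finding texts are constructed here for illustration, and the parser is deliberately limited to the flat `key: value` layout those options use.

```python
"""Audit a mongod.conf for the unsafe defaults behind the January 2017
MongoDB ransom attacks: bound to all interfaces, no authorization.

Assumption: configs use the simple two-level 'section:\n  key: value'
layout of mongod.conf (no lists, anchors or multi-line scalars), so a
minimal hand-written parser is enough and no YAML library is needed.
"""
from typing import Any, Dict, List


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Minimal indentation-based parser for the mongod.conf YAML subset."""
    root: Dict[str, Any] = {}
    stack = [(-1, root)]  # (indent level, mapping at that level)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"').strip("'")
        # Climb back out of nested sections until we find the parent level.
        while len(stack) > 1 and indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a section header such as 'net:'
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net") if isinstance(cfg.get("net"), dict) else {}
    security = cfg.get("security") if isinstance(cfg.get("security"), dict) else {}
    findings: List[str] = []

    bind_ip = net.get("bindIp")
    if net.get("bindIpAll") == "true":
        findings.append("net.bindIpAll is true: mongod listens on all interfaces")
    elif bind_ip is None:
        # Before MongoDB 3.6 the binaries bound to all interfaces unless told otherwise.
        findings.append("net.bindIp not set: pre-3.6 binaries listen on all interfaces by default")
    else:
        exposed = [a.strip() for a in bind_ip.split(",") if a.strip() in ("0.0.0.0", "::")]
        if exposed:
            findings.append(f"net.bindIp listens on all interfaces ({', '.join(exposed)})")

    if security.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who can reach the "
                        "port has full read/write access")
    return findings


# Constructed sample: the kind of config that was ransomed in January 2017.
UNSAFE_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: localhost plus one private address (made up), auth on.
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 is a placeholder app-server address
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("unsafe", UNSAFE_CONF), ("hardened", HARDENED_CONF)):
        result = audit_mongod_config(conf)
        print(f"{name}: {'OK' if not result else 'FINDINGS'}")
        for finding in result:
            print("  -", finding)
```

The same two questions (which interfaces does it listen on, and does it require credentials) are the first thing to ask of any service exposed by default, Elasticsearch on port 9200 included; only the configuration keys change.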

Instagram

Graham Cluley regarding a 16-year-old accused of demanding money from victims for regaining access to their Instagram accounts: COULD YOUR SELFIES BE HELD TO RANSOM? ALLEGED INSTAGRAM ACCOUNT HACKER ARRESTED

Windows

Article from Checkpoint: Digging Deeper: How Ransomware and Malware use Microsoft Windows’ Known Binaries

Looks at processes:

  • svchost.exe
  • explorer.exe
  • sdbinst.exe

And also at specific malware/ransomware:

  • Cryptowall (ransomware)
  • Dridex (banking malware, but its name has been mentioned a lot lately in connection with ransomware distribution campaigns)
  • Tinba (Tiny Banker)

Microsoft Office

29th June 2016

Avanan: Widespread Attack on Office 365 Corporate Users with Zero-day Ransomware Virus

SC Magazine commentary

The Register commentary: Ransomware scum target corporate Office 365 users in 0-day campaign – Spam flood tried to drop malicious macros in inboxes

Commentary from SANS

OS X (macOS)

[22nd February 2017]

MARC-ETIENNE M.LÉVEILLÉ for ESET: New crypto-ransomware hits macOS – malware that calls itself ‘Patcher’

[15th February 2017]

Article from Sophos: RSA 2017: Deconstructing macOS ransomware

[6th January 2016]

Article for this site: Support Scammers hit Mac users with DoS attacks. Jérôme Segura (for Malwarebytes) examines another DoS attack somewhere on the thin borderline between ransomware and tech support scams.

——————————————-

There are instances of Javascripts that mess with Safari. I’ve seen it suggested that Cryptowall works on OS X, but I’m pretty sure that was based on media misinterpretation of Cisco’s analysis of Cryptowall 2.0. (But since Cryptowall continues to be developed, who knows what surprises they have in store?)

I’ve recently seen blogs from OPSWAT and Symantec suggesting that the Mabouia ransomware is a wake-up call to Mac users that they need antivirus software. I’m certainly not going to say that security software isn’t relevant to OS X users who’ve already been targeted by significant attacks, and it’s not at all impossible that criminals will invest more effort into adding the sizeable population of OS X users to their pool of potential victims, but the sky has not yet fallen. The impact of this Proof of Concept attack has yet to be seen.

See also this blog from Pierluigi Paganini and a video from Rafael Salema Marques who developed it.

There was a story from Kaspersky back in 2014 about Unfinished ransom.a.r MacOS X, which they called Trojan-Ransom.OSX.FileCoder.a, but it barely made a ripple.

While working on an internal project at ESET, I came across an article I wrote for Information Security Magazine back in 2013: Mac Ransomware Deviating from the (java)script. With the recent kerfuffle about KeRanger, it’s interesting to recall one of its (rare) OS X targeting precursors. In this case, there wasn’t actually a malicious executable as such, and the whole system wasn’t really locked, even though a pop-up told the victim that his or her browser was locked and that ‘ALL PC DATA WILL BE DETAINED AND CRIMINAL PROCEDURES WILL BE INITIATED AGAINST YOU IF THE FINE WILL NOT BE PAID.’ However, the pop-up did make it very difficult to quit Safari, which was probably scarier than it sounds for the victims. The story was based on an article by Jérôme Segura for Malwarebytes. Irritatingly, there doesn’t seem to be a link in my article, but this looks like Jérôme’s article: FBI Ransomware Now Targeting Apple’s Mac OS X Users

[21 April 2016]

8th July 2016

For CSO Online, Steve Ragan describes how Ransom demands are written in Russian via the Find my iPhone service. Here’s how he describes the attack:

It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim’s device into lost mode. At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it.

Thomas Reed also described a similar attack a few months back using iCloud’s ‘Find My Mac’.

Ragan also mentions ‘a rumor concerning “rumblings of a massive (40 million) data breach at Apple.”’ I’ve seen no confirmation of that anywhere, but it’s certainly a good time to check that your AppleID credentials are in good shape.

Commentary by Graham Cluley here. You might want to consider taking up his suggestion of enabling two-step verification on your Apple ID account, too.

KeRanger

The Internet of Things (IoT)

8th August 2016

At this year’s Def Con, Andrew Tierney and Ken Munro demonstrated how they created full-blown ransomware to take control of an unnamed brand of smart thermostat ‘and lock the user out until they paid up.’

[22nd July 2016]

My friend and colleague Stephen Cobb, for ESET, recently posted an article on Jackware: When connected cars meet ransomware. He says:

I define jackware as malicious software that seeks to take control of a device, the primary purpose of which is not data processing or digital communications. A car would be such a device. A lot of cars today do perform a lot of data processing and communicating, but their primary purpose is to get you from A to B. So think of jackware as a specialized form of ransomware. With regular ransomware, such as Locky and CryptoLocker, the malicious code encrypts documents on your computer and demands a ransom to unlock them. The goal of jackware is to lock up a car or other device until you pay up.

Fortunately, and I stress this: jackware is, as far as I know, still theoretical. It is not yet “in the wild”.

So speculation, but informed speculation, a hot topic, and well-written (of course).

———————————————

An article for Trend Micro by Echo Duan illustrates one of the complications of having an operating system that works on and connects all kinds of otherwise disparate objects: FLocker Mobile Ransomware Crosses to Smart TV.

Of course, embedded versions of operating systems such as other versions of Linux, Windows and so on, are not in themselves novel. FLocker, however, seems to lock smart TVs as well as Android phones, as long as they’re not located in one of a number of Eastern European countries. It claims to be levying a fine on behalf of a law enforcement agency. Apparently another of these agencies that prefers its fines paid in iTunes gift cards. As Zeljka Zorz points out for Help Net Security, this doesn’t say much for the credibility of the criminals, but if your device and data have become unavailable to you, knowing that they’re criminals and not the police doesn’t help much.

While the malware locks the screen, Trend tells us that the C&C server collects ‘data such as device information, phone number, contacts, real time location, and other information. These data are encrypted with a hardcoded AES key and encoded in base64.’

Unsurprisingly, Trend’s advice is to contact the device vendor for help with a locked TV, but the article also advises that victims might also be able to remove the malware if they can enable ADB debugging. How practical this would be for the average TV user, I don’t know.

Back in November 2015 Candid Wueest wrote for Symantec on How my TV got infected with ransomware and what you can learn from it, subtitled “A look at some of the possible ways your new smart TV could be the subject of cyberattacks.” Clearly, this particular aspect of the IoT issue has moved beyond proof of concept.

Just as I was about to post this, I noticed additional commentary by David Bisson for Graham Cluley’s blog. He notes that there’s an interesting resemblance between FLocker’s interface and the earlier ‘police’ ransomware he calls Cyber.Police.

Camilo Gutierrez, one of my colleagues at ESET (security researcher at the Latin America office) notes that:

Proof-of-concept tests have already been performed where, for example, control of an automobile has been successfully effected totally remotely. For this reason, if the necessary precautions are not taken by manufacturers and users, there is nothing to prevent an attacker from seizing control of a device’s functionality and demanding money to return control. Perhaps this is not a threat we expect to see much of in the near future, but we shouldn’t lose sight of it if we are to avoid serious problems later.

(That whole section in the ESET report is worth thinking about.)

Better Business Bureau article: BBB: Staying aware of ‘ransomware’ smartphone scammers. I think what we’re seeing is not a resurgence, but a steady evolution of malware as described in that ESET report.

[26th April 2016] A report by the Institute for Critical Infrastructure Technology (ICIT) is actually fairly generalist and speculative, in particular in its short mention of the Internet of Things, but it’s been picked up by Matt Klassen – IoT Infrastructure is Ripe for Ransomware – and Danny Palmer – Why the Internet of Things is the next target for ransomware: Devices from pacemakers to cars could be rendered useless by ransomware infections, warns a think tank – as a dramatic inevitability, rather than as an interesting speculation. That said, this article does quote the report as saying that “The only defense is a layered defense, of which endpoint security is an essential layer”, with which I pretty much agree, while deploring the phrase ‘next-gen cyberfortification’.

[27th April 2016] For ESET’s WeLiveSecurity blog, Graham Cluley considers – Ransomware and the Internet of Things – another report by the Institute for Critical Infrastructure Technology on ransomware, by the same authors. It takes up the same theme of ‘The only defense is a layered defense’. On the whole, I like Combatting the ransomware blitzkrieg better than the report noted above, and I agree that:

‘…the issue the ICIT is raising in this report is not too far fetched…’

And certainly we should be

‘…more concerned that security is treated as a priority by all companies manufacturing internet-enabled devices.’

Ransomware attacks on the Internet of Things (and certainly how imminent they are) remain largely speculation rather than fact, but the time to prepare for such attacks is before they start. In any case, it’s well worth looking now at the other issues raised by the report. I can’t say I agree with every word, but there’s lots of good information here.

A somewhat overheated summary of the ICIT report: Why the Internet of Things is the next target for ransomware – Devices from pacemakers to cars could be rendered useless by ransomware infections, warns a think tank. (April 25th 2016).

Will ransomware spread to the IoT? Of course, and we’ll learn the hard way about manufacturers who didn’t bake security into their devices. Soon? Dunno. Will the world go into meltdown? Unlikely. The IoT is spread over too many disparate devices and platforms for an instant worldwide catastrophe.

A curate’s egg of data and speculation from Symantec and Black Hat via CSO Online: Report: IoT is the next frontier for ransomware

Android

[February 23rd 2017] Catalin Cimpanu, for Bleeping Computer, details Lockdroid’s novel use of TTS functions as part of the post-payment unlocking process: Android Ransomware Asks Victims to Speak Unlock Code. Based on a report from Symantec that I haven’t seen yet.

Lockdroid’s current campaigns appear to be focused on China, but that doesn’t mean its innovations won’t be seen elsewhere. Symantec’s Dinesh Venkatesan noted implementation bugs and that it might be possible for a victim to recover the unlock code from the phone.

[February 20th 2017]

ONDREJ KUBOVIČ for ESET: Trends in Android ransomware

[January 2017]

The Register: More mobe malware creeps into Google Play – this time, ransomware – Charger seeks to drain bank accounts of unlucky ‘droids. Source, Checkpoint: Charger Malware Calls and Raises the Risk on Google Play

December 28th 2016:

Software engineer Darren Cauthon tweeted about how: ‘Family member’s tv is bricked by Android malware. #lg wont disclose factory reset. Avoid these “smart tvs” like the plague.’

To put this into some perspective, this isn’t a recent model: he explains that ‘It was one of the first google tvs.’ (Google TV is no longer supported, and LG smart TVs now run on WebOS, apparently. However, Google is said to be working on another Android-based platform.)

Catalin Cimpanu reports for Bleeping Computer that ‘Cauthon says he tried to reset the TV to factory settings, but the reset procedure available online didn’t work.’ When contacted, it seems that LG suggested that an engineer could reset the TV at a cost of $340. Cimpanu suggests that the malware is probably FLocker (a.k.a. Dogspectus).

Commentary by David Bisson for MetaCompliance here.

December 21st 2016

Faketoken

Romain Unuchek for SecureList: The banker that encrypted files

Commentary by Lucian Constantin: Mobile banking trojans adopt ransomware features – Two Android trojans that steal financial information and login credentials now double as file-encrypting ransomware programs. In Lucian’s article he links to a September article by Anton Kivva on Tordow (see below), not to the one he quotes by Romain Unuchek (as above) on Trojan-Banker.AndroidOS.Faketoken. I’ve messaged him, so that may have changed by the time you read this.

Commentary by Richard Chirgwin for the Register: Bad news, fandroids: Mobile banking malware now encrypts files – First Faketoken stole credentials, now it holds data to ransom

Tordow

Anton Kivva for Kaspersky (September 20th 2016), describing malware discovered in February 2016 (Trojan-Banker.AndroidOS.Tordow.a): The banker that can steal anything.

According to Comodo (December 13th 2016), a ‘2nd version’ has acquired extra functionality characteristic of ransomware: Comodo Threat Research Labs Warns Android Users of “Tordow v2.0” outbreak. They refer to it as Android.spy.Tordow.

Commentary by Lucian Constantin: Mobile banking trojans adopt ransomware features – Two Android trojans that steal financial information and login credentials now double as file-encrypting ransomware programs. (The other malware he’s referring to is Faketoken, though in Lucian’s article he links to the September article by Anton Kivva, not to the one he quotes by Romain Unuchek. I’ve messaged him, so this may have changed by the time you read this.)

October 16th 2016

Interesting statistics from BitDefender: Ransomware becomes the main threat on Android in the US, UK, Germany, Denmark, Australia.

August 10th 2016

Lengthy description/analysis of an interesting Android ransomware threat from McAfee: ‘Cat-Loving’ Mobile Ransomware Operates With Control Panel.

I look forward to hearing commentary from Grumpy Cat. There is, however, no truth in rumours of a German language version known as BlackForestGato.

September 29th 2016

Older versions of screenlockers often labelled Android.Lockscreen denied Android users access to their own devices by locking the screen using a hardcoded passcode, which could be found by reverse engineering. However, as Dinesh Venkatesan reports for Symantec:

New variants of Android.Lockscreen are using pseudorandom passcodes to prevent victims from unlocking devices without paying the ransom.

Symantec’s article: Android.Lockscreen ransomware now using pseudorandom numbers – The latest Android.Lockscreen variants are using new techniques to improve their chances of obtaining ransom money.

Commentary by David Bisson for Tripwire.

[Added 15th July 2016 and published as separate article on this site]

[Also published on the Mac Virus blog, which also addresses smartphone security issues]

Not quite ransomware (though there is a suggestion that it may happen), but my ESET colleague Lukas Stefanko describes a fake lockscreen app that takes advantage of the currently prevalent obsession with Pokémon GO to install malware. The app locks the screen, forcing the user to reboot. The reboot may only be possible by removing and replacing the battery, or by using the Android Device Manager. After reboot, the hidden app uses the device to engage in click fraud, generating revenue for the criminals behind it by clicking on advertisements. He observes:

This is the first observation of lockscreen functionality being successfully used in a fake app that landed on Google Play. It is important to note that from there it just takes one small step to add a ransom message and create the first lockscreen ransomware on Google Play.

In fact, it would also require some other steps to enable the operators to collect ransom, but the point is well taken. It’s an obvious enough step that I’m sure has already occurred to some ransomware bottom-feeders. And it’s all too easy for a relatively simple scam to take advantage of a popular craze.

Clicking on porn advertisements isn’t the only payload Lukas mentions: the article is also decorated with screenshots of scareware pop-ups and fake notifications of prizes.

The ESET article is here: Pokémon GO hype: First lockscreen tries to catch the trend

Somewhat-related recent articles from ESET:

Other blogs are available. 🙂

[Added 7th July 2016]

Kaspersky report on growth in Android ransomware: KSN Report: Mobile ransomware in 2014-2016

Commentary by John Leyden for The Register: Android ‘ransomware surge’

[Also added 7th July 2016, copy/pasted from the Mac Virus blog]

Graham Cluley describes How Android Nougat will help protect your password from ransomware – New condition will partially prevent unwanted Android lockscreen password resets. The new OS upgrade will change the resetPassword API so that it can set a lockscreen password, but can’t reset it.

Which means that the new OS won’t stop malware setting the password if the user hasn’t already set one. Which sounds like a pretty good extra incentive to set one if you haven’t already. However, it looks as though it will also stop security software from disinfecting an upgraded phone if it becomes infected.

Nougat (Android 7.0) is scheduled to be rolled out later this year (2016).

[Added 25th May 2016]

For Malwarebytes, Chris Boyd reports on the Cyber.Police Android ransomware posing as an ‘Adult Player’, and its ludicrous claim that the victim can pay a ‘Treasury’ fine with iTunes gift cards. Who’d have thought that law enforcement were such dedicated music lovers?

[Added 18th May 2016]

SonicWALL warns of an embryonic screenlocker that it expects to see more of in the future. Commentary by Kaspersky – MALWARE-LACED PORN APPS BEHIND WAVE OF ANDROID LOCKSCREEN ATTACKS – and The Register: Smut apps infecting Androids with long-gestation nasties – Is that a KitKat in your pocket or are you just trying to p0wn me?

[Added 18/2/2016]

Just published: an excellent paper from ESET on The Rise of Android Malware. See also the introductory blog article here.

Android ransomware has been evolving from simple screen-locking malware to Simplocker, “the first Android ransomware to actually encrypt user files”, to Lockerpin, a type of screenlocking ransomware that modifies the phone’s unlock code so that, as another ESET colleague – malware researcher Lukas Stefanko – puts it:

…users have no effective way of regaining access to their device without root privileges or without some other form of security management solution installed, apart from a factory reset that would also delete all their data.


iOS

iOS ransomware is unusual, but not entirely unknown: see The Increasingly Strange Case of the Antipodean iOS Ransomware. However, some of what are seen as iOS ransomware messages may actually be variations on the tech support scam theme where the pop-up locks the browser but not the device (and even the Safari issue can be fixed). I think this is the case with the ‘iScam’ noted in a Better Business Bureau article: BBB: Staying aware of ‘ransomware’ smartphone scammers

8th July 2016

For CSO Online, Steve Ragan describes how Ransom demands are written in Russian via the Find my iPhone service. Here’s how he describes the attack:

It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim’s device into lost mode. At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it.

Thomas Reed also described a similar attack a few months back using iCloud’s ‘Find My Mac’.

Ragan also mentions ‘a rumor concerning “rumblings of a massive (40 million) data breach at Apple.”’ I’ve seen no confirmation of that anywhere, but it’s certainly a good time to check that your AppleID credentials are in good shape.

Commentary by Graham Cluley here. You might want to consider taking up his suggestion of enabling two-step verification on your Apple ID account, too.

Linux

Linux has attracted some attention recently. Notably:

FairWare Linux ransomware: Reported on Bleeping Computer here.

Description by David Bisson for Tripwire: Website Down? New FairWare Ransomware Could Be Responsible

For the Register, Darren Pauli reports Plain cruelty: Boffins flay Linux ransomware for the third time – World’s most determined VXers can’t get a break.

The article refers to the ransomware commonly classified as Linux.Encoder, for which BitDefender has published a decryption utility addressing the ransomware gang’s third attempt to generate ransomware for which the security industry won’t be able to provide a free fix. No cigar this time, either…

Amusing as this may seem, BitDefender’s crypto specialist Radu Caragea rightly points out that:

“Next time, hackers could actually come up with a working version of the ransomware that won’t be as easy to decrypt.”

Sadly, the days are gone when you could rely on the security industry to come up with a way of getting your files back (not that there was ever a time when recovery was guaranteed). Detecting the malware is one thing: too often, recovering files is much tougher. You really need to ensure that you have backups available even if your system is trashed.

Sophos apparently has a When Penguins Attack podcast, aimed at anyone who still thinks Linux is impregnable.

Ransomware and Healthcare

10th October 2016

Cahal Milmo for iNews: Dozens of NHS hospitals targeted by cyber blackmailers

22nd July 2016

The fact sheet from HHS Office of Civil Rights on ransomware, HIPAA compliance and enforcement, and commentary from Kevin Fu on why the presence of ransomware (or any other malware) ‘is a security incident under the HIPAA Security Rule.’

7th July 2016

The many faces of ransomware, by Morphisec’s Mordecai Guri for Help Net Security, focuses largely on ransomware targeting the healthcare industry.

25th May 2016: Paul Ducklin’s commentary for Sophos on Ransomware-hit hospital faces second demand despite paying up

Help Net Security’s article Crypto ransomware hits German hospitals, based on this article from DW, also includes links to its story about the attack on the Hollywood Presbyterian Medical Center, and another story about a New Zealand hospital hit with Locky. Commentary by John Leyden for The Register here. And an article from My News LA about an apparent attack on the Los Angeles Department of Health.

As far as I can make out there is no firm indication of links between all these attacks, or that hospitals are being specifically targeted by specific malware, but the clustering is worrying. If nothing else, it is clear that hospitals, like any other organization, survive such attacks better if they have suitably-protected backups and other well-administered security precautions in place.

Article for Malwarebytes: Canadian Hospital Serves Ransomware Via Hacked Website.

Graham Cluley for Tripwire on how Ransomware Forces Hospitals to Shut Down Network, Resort to Paper, relating to the ransomware attack on the MedStar Health group of hospitals (29th March 2016)

31/3/2016: I do not like that SamSam-I-am ransomware

Darren Pauli for The Register flags the rise of a ransomware variant that, according to Talos, has ‘a particular focus on the healthcare industry’.

Pauli’s article: Hospital servers in crosshairs of new ransomware strain – SamSam virus is highly contagious and Bitcoin’s the only known cure. He also summarizes Maktub, which resembles SamSam in that files are encrypted offline and C&C infrastructure is not used for payment.

The Talos blog with more technical detail: SAMSAM: THE DOCTOR WILL SEE YOU, AFTER HE PAYS THE RANSOM

Malwarebytes analysis of Maktub: Maktub Locker – Beautiful And Dangerous

Commentary by Sean Gallagher for Ars Technica: Two more healthcare networks caught up in outbreak of hospital ransomware – New server-targeting malware hitting healthcare targets with unpatched websites.

Pierluigi Paganini: Why malware like the Samsam ransomware are so dangerous for hospitals?

[June 7th 2016]

Fortinet: Move over Healthcare, Ransomware Has Manufacturing In Its Sights

Ransomware and the Public Sector

Widening the discussion slightly to the public sector and beyond…

Kat Hall reports for The Register on an attack against North Dorset Council apparently involving 6,000 files compromised by ransomware. The council refused to pay the ransom and are quoted as saying:

“The ‘ransomware’ attack was quickly detected by our security systems and action was taken to minimise the impact on our systems. No customer data was compromised.”

G-Data’s Eddy Willems is quoted as saying that organizations are being targeted that are less likely to have up-to-date protection and therefore more likely to pay the ransom. ESET’s Mark James didn’t suggest specific targeting, but did observe that public sector organizations are vulnerable because of the sensitivity of the data they hold and the fact that they are likely to be hampered by budget constraints.

Having spent much of my life working for the National Health Service, I’m all too aware of those constraints, and have a great deal of sympathy for executives who have to walk the tightrope between the need for the best affordable security and the need to prioritize direct spending on patient care. Similar concerns apply in other public sector organizations, charities and so on. When it comes to ransomware, however, the risk it poses to client data and wellbeing does call for an effective security strategy that prioritizes data and system backups and data recovery. It sounds as if the Council in this case were properly prepared.

Help Net Security’s article Crypto ransomware hits German hospitals, based on this article from DW, also includes links to its story about the attack on the Hollywood Presbyterian Medical Center, and another story about a New Zealand hospital hit with Locky. Commentary by John Leyden for The Register here. [Added later: I’ve just caught up with an article from My News LA about an apparent attack on the Los Angeles Department of Health.]

As far as I can make out there is no firm indication of links between all these attacks, or that hospitals are being specifically targeted by specific malware, but the clustering is worrying. If nothing else, it is clear that hospitals, like any other organization, survive such attacks better if they have suitably-protected backups and other well-administered security precautions in place.

Going beyond healthcare to the Critical National Infrastructure (though in the UK the NHS is considered part of the CNI, or was…), here’s one of the articles relating to an electric utility in Michigan all but shut down by ransomware: Electric utility hit by ransomware shuts down IT systems for a week (Sophos, 4th May 2016)

Ransomware and Education

[June 8th 2016]

David Bisson for Tripwire: University Pays $20K Ransom Following Ransomware Attack

And because the University of Calgary has a special place in virus creation history: Symmetry and Virus Writing

[Back to the Ransomware Resource Page]