Because of time issues, I added the malware ESET calls OSX/Filecoder.E to the Specific Ransomware Families and Types page but didn’t give it an article of its own here. Since there is important news (to potential victims) from Malwarebytes and Sophos, I’m repairing that omission here.
Note that both Reed and Cluley sometimes refer to the malware as FileCoder. This is potentially misleading: while ESET, which first uncovered the thing, detects it as OSX/Filecoder.E, the term ‘Filecoder’ is used generically by the company to denote crypto-ransomware, so you/we need to use the full name ‘OSX/Filecoder.E’ to distinguish it from other, unrelated ransomware families.
Jérôme Segura examines another attack somewhere on the thin borderline between ransomware and tech support scams: Tech support scam page triggers denial-of-service attack on Macs. This is another instance of scammers encouraging victims to call a fake helpline by hitting them with some sort of Denial of Service (DoS) attack: in this case, by causing Mail to keep opening email drafts until the machine freezes, or by using iTunes, apparently to put up a fake alert.
Commentary by David Bisson for Tripwire: Tech Support Scam Creates Series of Email Drafts to Crash Macs.
Interesting analysis from Pieter Arntz for Malwarebytes of the VinCE screen locker, intended to persuade the victim to call the ‘helpline’ number the malware displays. An example of malware that illustrates an almost imperceptible distinction between a tech support scam and true ransomware.
A closer look at a tech support screen locker
This AVIEN article also added to Tech Support Scams and Ransomware, to Specific Ransomware Families and Types, and to PC ‘Tech Support’ Scam Resources. The latter has now been renamed by dropping the reference to cold-calls, as cold-calling is no longer the only (or, arguably, the most effective) means of implementing tech support scams.
Hat tip to David Bisson, whose commentary for Graham Cluley’s blog called the issue to my attention.
Support scammers tend to be seen by people with a reasonable understanding of technology as being pretty low-grade, as scammers go.
‘Support desk’ scammers are sometimes subjected to humiliating telephone exchanges by people who take an understandable pleasure in wasting their time by pretending to be even dumber victims. They capitalize on the fact that scammers at this level are often easily confused if the victim doesn’t follow the script, and don’t have the technical knowledge to respond appropriately to reverse social engineering. Yet some of the tricks they deploy to convince victims that their systems are compromised so that they seek help from a fake helpline have become surprisingly sophisticated. As have the scammer organizations themselves.
For Malwarebytes, William Tsing offers an explanation as to how support scammers ‘can be sophisticated enough to set up infrastructure handling and network tracking, SEO cloaking, and payment processing.’ His suggestion is that behind the scam companies is a ‘criminal underclass’ offering prefabricated scam packages ‘that only require a credit card and ill intent to set up.’ And since most cybercrime works on a similar model, that comes as no surprise. In his article, he dissects a specific example of a Scam in a Box: Scamming as a service – seriously.
For Malwarebytes, Jérôme Segura gives details of some tricks currently used by tech support scammers to deceive Chrome users.
Tech support scams and Google Chrome tricks
Commentary from Help Net Security: Google Chrome users targeted by tech support scammers
ESET Senior Research Fellow
An article by me for ESET, sparked off by a conversation with Kevin Townsend, in the wake of research commissioned by Malwarebytes, on the pros and cons of paying to get your data back after a ransomware attack.
John Leyden heralds a post apparently due to appear on the Malwarebytes site later today (25th May 2016) about a wave of malvertising exploiting the Flash Player exploit (CVE-2016-4117) recently addressed by Adobe in order to direct victims to the Angler exploit kit and launch infection with the CryptXXX ransomware.
I’m guessing that we’re talking about CryptXXX 3.0, which I wrote about earlier today: CryptXXX 3.0: gang breaks own decryptor.
Worth looking out for (the article and the malware).
[Added: Malwarebytes article now published as New Wave of Malvertising Leverages Latest Flash Exploit. Jerome Segura observes:
Malwarebytes describes getting the jump on a group apparently responsible for impersonating legitimate security companies. Well, that sort of impersonation is pretty standard for tech support scammers, but in this case Malwarebytes is talking about ‘a fraudulent page which the crooks built by stealing the graphics from the Malwarebytes website and altering it to trick people into calling a toll-free number.’
And not only Malwarebytes. The article includes some screenshots of fake sites impersonating Microsoft, AVG, Kaspersky, ESET and so on.
Here’s the Malwarebytes article: The hunt for tech support scammers. Commentary by SC Magazine: Scammers impersonate legit cyber-security companies
Added to tech support resources page.
Darren Pauli for The Register flags the rise of a ransomware variant that, according to Talos, has ‘a particular focus on the healthcare industry’.
Pauli’s article: Hospital servers in crosshairs of new ransomware strain – SamSam virus is highly contagious and Bitcoin’s the only known cure. He also summarizes Maktub, which resembles SamSam in that files are encrypted offline and C&C infrastructure is not used for payment.
The Talos blog with more technical detail: SAMSAM: THE DOCTOR WILL SEE YOU, AFTER HE PAYS THE RANSOM
Malwarebytes analysis of Maktub: Maktub Locker – Beautiful And Dangerous
Commentary by Sean Gallagher for Ars Technica: Two more healthcare networks caught up in outbreak of hospital ransomware – New server-targeting malware hitting healthcare targets with unpatched websites.