For once, an article about Hitler that doesn’t invoke Godwin’s law…
The Register’s John Leyden describes how Hitler ‘ransomware’ offers to sell you back access to your files – but just deletes them: Sloppy code is more risible than Reich, though.
I don’t suppose this gang will finish its career in a bunker in Berlin, but I’d like to think that there is at least a prison in their future.
At this year’s Def Con, Andrew Tierney and Ken Munro demonstrated how they created full-blown ransomware to take control of an unnamed brand of smart thermostat ‘and lock the user out until they paid up.’
It’s not clear right now whether this is another aspect of the story noted by Security Week about Vulnerabilities Exposed Trane Thermostats to Remote Hacking, based on research by Jeff Kitson for Trustwave. But it sounds very similar.
Researchers from the University of Florida and Villanova University suggest that ransomware can be mitigated by detecting its encrypting files early in the process:
CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data
A good idea, but some anti-malware programs already do something like this (i.e. flag programs that start encrypting files in bulk). But still a good idea. At The Register, Richard Chirgwin offers a round of applause:
Florida U boffins think they’ve defeated all ransomware – CryptoDrop looks for tell-tale signs that files are being encrypted
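As an added illustration (not code from the CryptoDrop paper or from any anti-malware product), here is a minimal Python sketch of the “bulk encryption” heuristic the paragraph describes: flag a process once it has rewritten several low-entropy files as high-entropy, ciphertext-like data. The event format, the thresholds and the sample write events are all constructed assumptions for the example.

```python
import math
import hashlib
from collections import Counter, defaultdict

# Assumed thresholds: plaintext documents rarely exceed ~6 bits/byte, ciphertext nears 8.
HIGH_ENTROPY = 7.0
# Number of distinct files one process may turn high-entropy before it is flagged.
BULK_THRESHOLD = 5

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_encryption(before: bytes, after: bytes) -> bool:
    """A write that turns a low-entropy file into a high-entropy one."""
    return shannon_entropy(before) < HIGH_ENTROPY <= shannon_entropy(after)

def detect_bulk_encryptors(events):
    """events: iterable of (pid, path, before_bytes, after_bytes).
    Returns the pids that rewrote >= BULK_THRESHOLD distinct files as ciphertext-like data."""
    suspicious = defaultdict(set)
    for pid, path, before, after in events:
        if looks_like_encryption(before, after):
            suspicious[pid].add(path)
    return {pid for pid, paths in suspicious.items() if len(paths) >= BULK_THRESHOLD}

# --- constructed sample data (not real malware output) ---------------------
def _fake_ciphertext(seed: bytes, length: int = 1024) -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 digests."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]

PLAINTEXT = b"Quarterly report: revenue up, costs flat. See attached spreadsheet.\n" * 16

def sample_events():
    events = []
    for i in range(6):  # pid 4242: simulated ransomware rewriting six documents
        path = f"/home/user/docs/file{i}.txt"
        events.append((4242, path, PLAINTEXT, _fake_ciphertext(path.encode())))
    # pid 1001: an editor appending ordinary text (entropy stays low)
    events.append((1001, "/home/user/notes.txt", PLAINTEXT, PLAINTEXT + b"More notes.\n"))
    # pid 2002: an archiver writing ONE compressed file (high entropy, but below the bulk threshold)
    events.append((2002, "/home/user/backup.zip", b"", _fake_ciphertext(b"zip")))
    return events

if __name__ == "__main__":
    print("flagged pids:", detect_bulk_encryptors(sample_events()))  # {4242}
```

The single high-entropy write by pid 2002 shows why a per-file entropy check alone is not enough: compression and legitimate encryption look the same per file, so the heuristic keys on how many files one process transforms.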
Whenever I think that the various criminals behind ransomware can’t sink any lower, someone comes along and proves me wrong.
Edmund Brumaghin and Warren Mercer in a post for Talos describe a particularly vicious example of ransomware they call Ranscam, which doesn’t bother to encrypt files. It claims that the files have been moved to a ‘hidden, encrypted partition’, but in fact the malware simply deletes them, makes it as difficult as possible to recover them, and then puts up a ransom demand. In fact, the criminals have no way of recovering the victim’s files: they just take the money, given the opportunity. As the authors put it:
Ranscam further justifies the importance of ensuring that you have a sound, offline backup strategy in place rather than a sound ransom payout strategy.
The Talos blog: When Paying Out Doesn’t Pay Off.
Commentary by John Leyden for The Register: Nukeware: New malware deletes files and zaps system settings – When you’ve paid up, but there’s nothing to unlock.
John Leyden heralds a post apparently due to appear on the Malwarebytes site later today (25th May 2016) about a wave of malvertising exploiting the Flash Player exploit (CVE-2016-4117) recently addressed by Adobe in order to direct victims to the Angler exploit kit and launch infection with the CryptXXX ransomware.
I’m guessing that we’re talking about CryptXXX 3.0, which I wrote about earlier today: CryptXXX 3.0: gang breaks own decryptor.
Worth looking out for (the article and the malware).
[Added: Malwarebytes article now published as New Wave of Malvertising Leverages Latest Flash Exploit. Jerome Segura observes:
John Leyden for The Register has summarized Symantec’s latest Internet Security Threat Report, and focuses on UK-specific figures for threat prevalence: Spear phishers target gullible Brits more than anyone else – survey; Ransomware, 0days, malware, scams… all are up, says Symantec.
Of particular relevance to this site are the statistics for crypto ransomware attacks (up by 35% in the UK) and for tech support scams (7m attacks in 2015). Since this is described as a survey, I guess the figures are extrapolated from the surveyed population’s responses rather than from a more neutral source, but I can’t say for sure.
Ordinarily, I’d check out the report directly, but it requires registration, and I don’t really want to be bombarded with ‘commercial information’ from a competitor, so I have to be really interested before I go that far. If that doesn’t bother you, though, you can get the report via this page.
The Register also cites the report’s finding that 430 million new malware variants were discovered in 2015. I agree with Leyden that the figure is pretty meaningless, though for a slightly different reason: not because of the sheer volume of variants, but because you can’t tell from this summary what Symantec is defining as a ‘variant’.
Macro malware has been back with us for some time, now, and ransomware such as Locky has been taking advantage of that vector.
Microsoft has taken a significant step towards addressing the issue in the enterprise by restricting access to macros via Group Policy. Its blog article New feature in Office 2016 can block macros and help prevent infection doesn’t talk about ransomware directly, but of course it will help against other types of macro-exploiting malware too.
John Leyden’s article for The Register – Microsoft beefs up defences against Office macros menace – also covers the change, as does this Sophos commentary.
According to a blog article from Bitdefender, KeRanger ‘looks virtually identical to version 4 of the Linux.Encoder Trojan that has been infecting thousands of Linux servers since the beginning of 2016.’ Commentary from John Leyden for The Register: First Mac OS X ransomware actually a rewrite of Linux file scrambler – Gatekeeper nutmegged using dodgy cert. Also commented on at Mac Virus: KeRanger and Linux.Encoder.
An article from March 8th 2016 by Tim Ring for SC Magazine – Locky ransomware ‘on the rampage’ globally – is focused on Locky but also collates commentary from sources such as Fortinet and McAfee about how it relates to other major families, notably CryptoWall and TeslaCrypt.
Kat Hall reports for The Register on an attack against North Dorset Council apparently involving 6,000 files compromised by ransomware. The council refused to pay the ransom and are quoted as saying:
“The ‘ransomware’ attack was quickly detected by our security systems and action was taken to minimise the impact on our systems. No customer data was compromised.”
G-Data’s Eddy Willems is quoted as saying that organizations are being targeted that are less likely to have up-to-date protection and therefore more likely to pay the ransom. ESET’s Mark James didn’t suggest specific targeting, but did observe that public sector organizations are vulnerable because of the sensitivity of the data they hold and the fact that they are likely to be hampered by budget constraints.
Having spent much of my life working for the National Health Service, I’m all too aware of those constraints, and have a great deal of sympathy for executives who have to walk the tightrope between the need for the best affordable security and the need to prioritize direct spending on patient care. Similar concerns apply in other public sector organizations, charities and so on. When it comes to ransomware, however, the risk it poses to client data and wellbeing does call for an effective security strategy that prioritizes data and system backups and data recovery. It sounds as if the Council in this case were properly prepared.