SyncCrypt: Getting the Ransomware Picture?

Lawrence Abrams, for Bleeping Computer, describes how the SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension.

The article describes ransomware discovered by EmsiSoft’s xXToffeeXx, distributed as spam attachments containing WSF (Windows Script File) objects. The WSF script pulls down images containing embedded Zip files. Abrams reports that the ‘WSF attachments are pretending to be court orders with file names like CourtOrder_845493809.wsf.’

VirusTotal searches today indicate that detection is rising of the image file for which a hash is provided, but still lower than the detection rate for the executable, which the majority of mainstream security products now detect. The JPGs are not directly harmful, but the embedded Zip file contains the malicious sync.exe executable. Detection of the WSF file for which a hash is provided is also lower than for the executable.

There’s no free decryption for affected data at this time.

IOCs, filenames etc. are appended to the Bleeping Computer analysis.

David Harley

 

Cerber now kind to canaries

Cybereason: Researchers at Cybereason have discovered a new strain of the Cerber ransomware that implements a new feature to avoid triggering canary files.

Apparently this strain of Cerber assumes that any malformed image file is a ‘canary’ file (a variation on the old idea of a goat file) and avoids encrypting it or any other file in the directory in which it’s found.

A goat file can be used to facilitate detection and/or analysis of a virus when it has been infected, by analogy with a ‘sacrificial goat’.

A canary file is intended to act like ‘a canary in a coal mine’, giving early warning of an attempt by ransomware to encrypt files, by analogy with a canary dropping unconscious or dead at the first hint of dangerous gases such as carbon monoxide.

Since it’s rather easy to generate a ‘malformed image file’, it’s been suggested that people do so to help protect folders containing valuable files. I suspect, however, that the Cerber gang (and other malefactors) have already twigged that one, so I certainly wouldn’t rely on such a strategy.

David Harley

Ransomware targeting WordPress sites

WordFence, which offers a security plugin for WordPress sites, reports on Ransomware Targeting WordPress – An Emerging Threat, claiming to have ‘captured several attempts to upload ransomware that provides an attacker with the ability to encrypt a WordPress website’s files and then extort money from the site owner.’

I hope the company won’t mind my quoting this important paragraph:

If you are affected by this ransomware, do not pay the ransom, as it is unlikely the attacker will actually decrypt your files for you. If they provide you with a key, you will need an experienced PHP developer to help you fix their broken code in order to use the key and reverse the encryption.

Commentary by HelpNet Security here: EV ransomware is targeting WordPress sites

David Harley

 

Talk Talk fined for support scam issue

The Register: TalkTalk fined £100k for exposing personal sensitive info – 21,000 accounts handled by Indian outsourcing biz exposed

‘…TalkTalk found an issue with the UK ISP’s portal … One of the companies with access to the portal was Wipro, a multinational IT services company in India that resolved high level complaints and addressed network coverage problems on TalkTalk’s behalf … three Wipro accounts … had been used to gain unauthorised and unlawful access to the personal data of up to 21,000 customers.’

See also TalkTalk confesses: Scammers have data about our engineers’ visits to your home Info exploited, say customers

Added to tech support resources page, of course.

David Harley

Social Engineering and Ransomware

SecurityWeek contributor Kevin Townsend asked me about a report from the UK’s De Montfort University on the psychology of ransomware splash screens. Here’s the article he published – Researcher Analyzes Psychology of Ransomware Splash Screens – and here are some further thoughts from me published on the ESET blog: Social engineering and ransomware.

David Harley

Reyptson Ransomware

Lawrence Abrams for Bleeping Computer: Reyptson Ransomware Spams Your Friends by Stealing Thunderbird Contacts. He says:

‘…unfortunately there is no way to decrypt this ransomware currently for free. We have, though, setup a dedicated Reyptson Support & Help Topic for those who wish to discuss it or ask questions.’

Announcement by EMSIsoft’s @PolarToffee.

Notes from @malwrhunterteam

David Harley

Technology versus phone scammers

Not directly concerned with tech support scams, which have tended to be my main scam focus on this site, but David Bisson put up a very useful post – Google and Apple should do more to fight phone scammers, says researcher: Cooperation with government is key, but it’s only part of the solution… – expanding on a slightly naive article by David Glance for The Conversation – Phone scams cost billions. Why isn’t technology being used to stop them?.

David Bisson points out that:

At the end of the day, caller ID spoofing makes it next to impossible to consistently block phone scammers. As a result, users should focus on strengthening their mobile device security by exercising caution around text messages and phone calls delivered from unknown numbers. They should never click on links embedded in text messages sent from suspicious numbers. Also, they could always let an unknown phone call go to voice mail and use that subsequent record to evaluate the number’s legitimacy.

With reference to one of the scam types referenced there, I wrote about the ‘Can you hear me?’ scam, if that’s what it really is, for ESET: Scam calls: can you hear me, mother?

David Harley

AV-Test Report: malware/threat statistics

AV-Test offers an interesting aggregation of 2016/2017 malware statistics in its Security Report here. Its observations on ransomware may be of particular interest to readers of this blog (how are you both?) The reports points out that:

There is no indication based on proliferation statistics that 2016 was also the “year of ransomware“. Comprising not even 1% of the overall share of malware for Windows, the blackmail Trojans appear to be more of a marginal phenomenon.

But as John Leyden remarks for The Register:

The mode of action and damage created by file-encrypting trojans makes them a much greater threat than implied by a consideration of the numbers…

Looking at the growth in malware for specific platforms, AV-Test notes a decrease in numbers for malware attacking Windows users. (Security vendors needn’t worry: there’s still plenty to go round…)

On the other hand, the report says of macOS malware that ‘With an increase rate of over 370% compared to the previous year, it is no exaggeration to speak of explosive growth.’ Of Android, it says that ‘the number of new threats … has doubled compared to the previous year.’

Of course, there’s much more in this 24-page report. To give you some idea of what, here’s the ToC:

  • The AV-TEST Security Report 2
  • WINDOWS Security Status 5
  • macOS Security Status 10
  • ANDROID Security Status 13
  • INTERNET THREATS Security Status 16
  • IoT Security Status 19
  • Test Statistics 22

David Harley

Windows 10 Controlled folder access

Microsoft describes the new Windows 10 feature ‘Controlled folder access in Windows Defender Antivirus’ in the article Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile. The article specifically mentions ransomware as one of the threats against which it is likely to be effective.

The article states that ‘Controlled folder access monitors the changes that apps make to files in certain protected folders. If an app attempts to make a change to these files, and the app is blacklisted by the feature, you’ll get a notification about the attempt. You can complement the protected folders with additional locations, and add the apps that you want to allow access to those folders.’

It’s not clear what criteria are used to blacklist an application: as I read it, it may simply use Windows Defender’s scanning engine to determine the status of an app. I guess I’ll wait for more information before deciding how much additional protection this really provides.

Zeljka Zorz comments for Help Net Security :

Whether this security feature will be enough to stop ransomware remains to be seen, especially if ransomware can get a whitelisted application to bypass the protection and offer a way in.

I wasn’t really thinking of this in terms of whitelisting until I read that, but the feature does, in fact, allow the user to add protected locations apart from the default folders, and also to ‘ Allow an app through Controlled folder access’.  Which opens the door to social engineering as well as subversion of apps, but then that’s a persistent issue with whitelisting applications.

David Harley

The Mechanisms of Support Scamming

Dial One for Scam: A Large-Scale Analysis of Technical Support Scams is an academic paper, but interesting*. While it doesn’t tell seasoned scam watchers much we weren’t already aware of, it does take a systematic look at how the scheme is implemented, and hopefully that will be useful to someone in a better position to pursue more fundamental approaches than the occasional analyses from the anti-malware industry that this paper dismisses as ‘ad hoc’.

Sid Kirchheimer’s article from April 2017 for AARP – From Pop-Up Warnings to $9 Million Payout: Inside the Tech Support Scam – includes an easily-digestible summary of some of the main points of the paper.

Hat tip to Mich Kabay for bringing the article to my attention, and to Fat Security for flagging the paper for me some time ago.

David Harley

*However, it’s irritating to see in section VII a paper of which I was co-author apparently credited to Malwarebytes. Reference [5] is to this paper for a Virus Bulletin conference – My PC has 32,539 Errors: how Telephone Support Scams really Work – and I appreciate having our work referenced.

Nevertheless, although Steve Burn, one of the authors, was indeed working for Malwarebytes, I was working for ESET, Martijn Grooten was working for Virus Bulletin, and Craig Johnston was an independent researcher. It is, of course, perfectly true that Malwarebytes researchers have done much useful research in this are.