Monthly Archives: March 2016

I do not like that SamSam-I-am ransomware

Darren Pauli for The Register flags the rise of a ransomware variant that, according to Talos, has ‘a particular focus on the healthcare industry’.

Pauli’s article: Hospital servers in crosshairs of new ransomware strain – SamSam virus is highly contagious and Bitcoin’s the only known cure. He also summarizes Maktub, which resembles SamSam in that files are encrypted offline and no C&C infrastructure is used for payment.

The Talos blog with more technical detail: SAMSAM: THE DOCTOR WILL SEE YOU, AFTER HE PAYS THE RANSOM

Malwarebytes analysis of Maktub: Maktub Locker – Beautiful And Dangerous

Commentary by Sean Gallagher for Ars Technica: Two more healthcare networks caught up in outbreak of hospital ransomware – New server-targeting malware hitting healthcare targets with unpatched websites.

David Harley

Petya Ransomware: information sources

I’m in the middle of moving house and not able to comment at length, but here are some sources for commentary on the Petya ransomware, which, as Bleeping Computer puts it, skips the files and encrypts your hard disk instead. Note that repairing the Master Boot Record doesn’t recover your data.

Darren Pauli for The Register: Ransomware now using disk-level encryption – German firms fleeced by ‘Petya’ nastyware that performs fake CHKDSK. Cites discussion on forums.

David Bisson for Graham Cluley’s blog: Petya ransomware goes for broke and encrypts hard drive Master File Tables – Chances are you’ll notice you’ve got a problem when the red skull appears during boot-up… He cites Jasen Sumalapao, writing for Trend Micro.

David Harley

Recovering from (and preventing) Ransomware

Graham Cluley reports for Hot for Security that Only 38% of businesses believe they will recover from a ransomware attack. He cites a study by Tripwire – Survey: 62% of Companies Lack Confidence in Ability to Confront Ransomware Threat – based on the responses of security professionals at RSA 2016.

Interestingly, Tripwire also ran a Twitter poll asking ‘What is the most important step users can take to prevent ransomware infections?’

The options and responses were:

  • 47% said ‘Don’t click suspect links’
  • 37% said ‘Back up your data often’
  • 11% said ‘Install software patches’
  • 5% said ‘Use an AV solution’

I won’t complain about the low ranking of AV here: after all, no-one is suggesting, presumably, that all those options are mutually exclusive, and in fact they’re all steps people should be taking. But I can’t help wondering who these people are who click on a link even though it’s suspicious. Isn’t the point that so many people have such an unformed view of what ‘suspicious’ really means?

David Harley

Macro malware countered by Group Policy

Macro malware has been back with us for some time now, and ransomware such as Locky has been taking advantage of that vector.

Microsoft has taken a significant step towards addressing the issue in the enterprise by restricting access to macros via Group Policy. Its blog article New feature in Office 2016 can block macros and help prevent infection doesn’t talk about ransomware directly, but of course it will help against other types of macro-exploiting malware too.

John Leyden’s article for The Register – Microsoft beefs up defences against Office macros menace – also covers the feature, as does this Sophos commentary.
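As an added illustration (my own example, not code from Microsoft or from either article), here is a PowerShell audit of whether that policy is in force for the current user, per Office application, with an optional switch to enforce it locally. It assumes the policy writes the DWORD value ‘blockcontentexecutionfrominternet’ under HKCU:\Software\Policies\Microsoft\Office\16.0\<App>\Security, as the Office 2016 policy templates document; adjust the parameters if your environment differs.

```powershell
# Added example: audit (and optionally enforce) the Office 2016 policy
# "Block macros from running in Office files from the Internet".
# Assumption: the policy is stored as DWORD 'blockcontentexecutionfrominternet'
# under HKCU:\Software\Policies\Microsoft\Office\16.0\<App>\Security.
param(
    [switch]$Enforce,
    [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),
    [string]$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0',
    [string]$ValueName  = 'blockcontentexecutionfrominternet'
)

function Get-MacroBlockState {
    param([string]$App)
    $key   = Join-Path -Path $PolicyRoot -ChildPath "$App\Security"
    $value = $null
    if (Test-Path -Path $key) {
        # Missing value => policy not set; Get-ItemProperty then returns $null
        $value = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }
    [pscustomobject]@{
        Application = $App
        PolicyKey   = $key
        Value       = $value
        Enforced    = ($value -eq 1)   # 1 = block Internet-origin macros
    }
}

function Set-MacroBlock {
    param([string]$App)
    $key = Join-Path -Path $PolicyRoot -ChildPath "$App\Security"
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

# Report one row per application; with -Enforce, fix any that are not set
foreach ($app in $Apps) {
    $state = Get-MacroBlockState -App $app
    if ($Enforce -and -not $state.Enforced) {
        Set-MacroBlock -App $app
        $state = Get-MacroBlockState -App $app
    }
    $state
}
```

In a domain, set the policy through Group Policy itself rather than writing the value directly; the -Enforce switch is only for checking the effect on a standalone test machine.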

David Harley

Tech Support Scam that Spoofs ISPs

Jérôme Segura has blogged for Malwarebytes about a somewhat innovative tech support scam campaign: Scammers Impersonate ISPs in New Tech Support Campaign.

The scam is pushed by malvertising which

‘detects which Internet Service Provider (ISP) you are using (based on your IP address) and displays a legitimate looking page that urges you to call for immediate assistance.’

Added to the tech support scam resource page.

David Harley

EDA2-derived ‘Surprise’ Ransomware

David Bisson describes Ransomware Propagation Tied to TeamViewer Account (UPDATED) for Tripwire. Here’s a thread on Bleeping Computer that seems to have been sparked by an early victim. Lawrence Abrams states that the malware is based on the much-abused EDA2 PoC. Analysis of all the reported cases seems to have pointed to the presence of TeamViewer on all affected systems and the implication of a specific TeamViewer account in a number of cases. Axel Schmidt, PR Manager at TeamViewer, is quoted as saying:

…none of the reports currently circulating hint at a structural deficit or a security glitch of TeamViewer.

David Harley

Pre-KeRanger Mac Ransomware

While working on an internal project at ESET, I came across an article I wrote for Information Security Magazine back in 2013: Mac Ransomware Deviating from the (java)script.

With the recent kerfuffle about KeRanger, it’s interesting to recall one of its (rare) precursors on the OS X platform. In this case, there wasn’t actually a malicious executable as such, and the whole system wasn’t really locked, even though a pop-up told the victim that his or her browser was locked and that ‘ALL PC DATA WILL BE DETAINED AND CRIMINAL PROCEDURES WILL BE INITIATED AGAINST YOU IF THE FINE WILL NOT BE PAID.’ However, the pop-up did make it very difficult to quit Safari, which was probably scarier than it sounds for the victims.

The story was based on an article by Jérôme Segura for Malwarebytes. Irritatingly, there doesn’t seem to be a link in my article, but this looks like Jérôme’s article: FBI Ransomware Now Targeting Apple’s Mac OS X Users

The present article was also published on Mac Virus.

David Harley

Ducklin and Mustaca on Locky

Sorin Mustaca remarks that he’s sick and tired of seeing so many people affected by the current wave of ransomware attacks. He’s not alone there…

His article About ransomware, Google malvertising and Fraud is worth reading for the description of how Locky spam may try to convince you to enable macros “if the data encoding is incorrect.”

If you need more information, though, Paul Ducklin’s article for Sophos is characteristically informative and insightful: “Locky” ransomware – what you need to know

David Harley

Nemucod’s Fishy Ransomware Claims

Roland Dela Paz describes for Fortinet how Nemucod, much-spammed malware already well known for downloading other malware including (recently) TeslaCrypt, now has the ability to drop ransomware directly (i.e. from its own body), including the ransom note and a batch file to initiate the encryption.

Nemucod Adds Ransomware Routine

The good news is that the ransomware isn’t as effective as the ransom note would have its victims believe: not yet, anyway. It’s not the case that ‘Nobody can help you but us.’ That doesn’t mean this will always be the case, though.

Dela Paz notes some resemblance between this ransomware and KeyBTC, but adds that a direct relationship can’t be confirmed at present.

David Harley