Monthly Archives: April 2016

Ransomware: the gift cards that keep on giving

While Bitcoin (and its competitors/peers, potentially, I suppose) have obvious advantages for the extortionist, we’ve seen a curious shift towards other forms of ransom payment recently. I described in Music-Loving Android.Locker Ransomware malware that demands payment in iTunes gift cards, while Lawrence Abrams for Bleeping Computer reports on something called TrueCrypter that demands payment either as 0.2 bitcoins or as $115 in Amazon gift cards: TrueCrypter Ransomware accepts payment in Bitcoins or Amazon Gift Card.

He also mentions an unnamed Android screen locker that also demands Amazon gift cards. He observes:

This is an odd choice of a ransom payment as the Amazon Gift Card funds can easily be tracked by Amazon.  This, and the fact that the payment confirmation system is broken, makes me believe that this program was made by an amateur rather than a seasoned malware developer.

He has a point, but I’m told there are forums where gift cards might be ‘laundered’ before they turn up in the virtual economy. Still, TrueCrypter looks very amateur for other reasons, too. Just clicking on the ‘Pay’ button decrypts your files. I suspect that won’t always be the case, though.

David Harley

DaaS-tardly Doxing

Here’s a slightly different twist on extortion that doesn’t involve ransomware. Steve Ragan describes for CSO Salted Hash how a Website offers Doxing-as-a-Service and customized extortion. The subtitle explains the business model:

Those posting Dox will get a commission, or they can pay to have someone’s personal details exposed

The amount of commission depends on the type of Doxing. In ascending order of payment:

  • Miscellaneous
  • Revenge
  • Paedophiles [the American spelling is used by the site: Cymmetria’s Nitsan Saddan is quoted as believing that it’s likely that ‘these are American players.’]
  • Law enforcement
  • Famous

The DaaS-tardly doxing service is priced according to the type of information collected, from the barest details to a complete profile. Ragan observes that the service doesn’t seem to be collecting customers – at any rate:

…the Bitcoin wallet used to process payments for this service has received no transactions.

And he has seen little traction on the site since he’s been monitoring it. Nevertheless, he predicts that this kind of activity will become more common.

David Harley

Never Pay the Ransom – Good Advice?

Virus Bulletin doesn’t think so, according to the article Paying a malware ransom is bad, but telling people to never do it is unhelpful advice.

While the article certainly isn’t encouraging victims to pay up in general, and acknowledges that if (almost) all victims declined to pay up the criminals would be discouraged, it points out that:

sometimes, none of this helps and the only sensible business decision left is to pay the criminals, much as it is bad and much as there is never a 100% guarantee that this will work.

And I have to agree with that. As previously observed on this site:

Security bloggers almost invariably advise you not to pay the ransom. Easy to say, when it’s not your own data that’s at stake…

On the other hand:

…an ounce of prevention (and backup) is worth a ton of Bitcoins, and doesn’t encourage the criminals to keep working on their unpleasant technologies and approaches to social engineering.

Still, I agree that it doesn’t help to censure people or organizations who choose to pay up when there is no other option for (hopefully) retrieving their data.

David Harley

Music-Loving Android.Locker Ransomware

Help Net flagged an interesting instance of an exploit kit delivering Android.Locker ransomware to Android users – Exploit kit targets Android devices, delivers ransomware.

Bluecoat researchers happened across the ransomware – Towelroot and Leaked Hacking Team Exploits Used to Deliver “Dogspectus” Ransomware to Android Devices – when

…a test Android device in a lab environment was hit with the ransomware when an advertisement containing hostile Javascript loaded from a Web page.

Like some older ransomware, the self-labelled Cyber.Police doesn’t encrypt files: it simply locks the device, and demands that the victims pay a $200 fine in the form of two $100 iTunes gift cards. Bizarre, considering that the malware claims to represent an ‘American national security agency’ in true ‘FBI/Police virus’ fashion, though it’s hard to imagine that any of its victims believe it to be official. (However, there are plenty of places you can resell or exchange gift cards for something other than music.) Bluecoat calls it Dogspectus (presumably connected with the malware’s internal name net.prospectus?) but other companies name it as a variant of the Android.Locker family.

While VirusTotal isn’t really intended or usable as a cast-iron way to track the security industry’s response to a threat, it may be worth noting that while quite a few companies detect the .apk, detection for the Towelroot exploit executable is much sparser.

Further commentary:

David Harley

Ransomware Roundup – 19th April 2016

Proofpoint’s analysis of malware they call CryptXXX can be found here: CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler. Proofpoint observes that it has seen ‘an Angler EK into Bedep pass pushing both a ransomware payload and Dridex 222. Which may or may not be connected to the fact that Spamfighter has reported that Dridex is implicated in the distribution of ransomware. Spamfighter’s article – Security Researchers Discover Admin Panel of Dridex, Leverage Vulnerability and Hijack Backend – summarizes a report from Buguroo: Report: Analysis of Latest Dridex Campaign Reveals Worrisome Changes and Hints at New Threat Actor Involvement. The Buguroo page suggests that vulnerabilities in the Dridex infrastructure are responsible for its being used to distribute Locky. I haven’t read the full report – it requires registration.

An article by Emily Sweeney for the Boston Globe 5 things to know about ransomware is essentially a personal recollection of being a victim coupled with some basic advice, but it’s not bad advice. Except that the point I’d always stress about backups is the need to ensure that they’re not so easily accessible that reasonably advanced ransomware will be able to encrypt the backed-up material at the same time. And don’t access your offline backups until you’re sure the malware has been eradicated.

Meanwhile, a Spiceworks post describes a couple of very bad days for a sysadmin of which a Cryptowall attack was just a part. A salutary reminder that disasters aren’t always considerate enough to happen one at a time, and that it’s always worth over-engineering a corporate backup strategy.

Sean Gallagher (or at any rate an editor looking for an eye-catching headline) for Ars Technica tells us OK, panic—newly evolved ransomware is bad news for everyone – Crypto-ransomware has turned every network intrusion into a potential payday. I don’t think panic is the best response to the ransomware problem, but there’s certainly an argument for informed concern, and the article does describe some aspects that we should indeed be concerned about and take steps to address.

And for the Register, Iain Thompson summarizes the issues around SamSam’s migration from hospitals to schools and the should-have-been-patched-long-ago JBoss vulnerability that Talos has flagged previously.

David Harley

JBoss Backdoors

Alexander Chiu for Talos looks hard at the JBoss vulnerability: WIDESPREAD JBOSS BACKDOORS A MAJOR THREAT.

Chui observes:

We found just over 2,100 backdoors installed across nearly 1600 ip addresses.

He notes that several compromised systems have the Follett “Destiny” Library Management System software installed, and includes Indicators of Compromise and Snort rules.

US-CERT has issued an advisory.

David Harley

Ransomware and Encryption

A few times I’ve seen it suggested that encryption of valuable data before ransomware strikes will somehow protect it against ransomware. Today I came across the same assertion again on Spiceworks, apparently suggested to a Spiceworks subscriber by a lecturer. Not a lecturer in IT security, I hope…

I guess whether there’s any truth in the assertion depends on what you understand by encryption.

  • If files can be modified they can be encrypted: ransomware doesn’t check to see if a file is encrypted and throw its hands up in despair if it is, it simply adds another layer of encryption.
  • If the media on which the files reside can’t be accessed without a password then presumably the files themselves can’t be modified while the media are inaccessible.
  • However, if the media are accessible and write-enabled because the files are in use, the chances are that ransomware will be able to encrypt the files, irrespective of whether they are already somehow encrypted by the legitimate owner or user of the aforementioned files.

Much the same considerations apply to  backups, of course. If the backup media are accessible while the ransomware delivers its unpleasant payload, there’s a ‘good’ chance that the backed up files will also be encrypted.

[Updated later:

This article – Mac OS X ransomware: How KeRanger is a shadow of malware to come – The design of KeRanger demonstrates how attackers plan to make it even harder for victims of ransomware not to pay up – includes an interesting if confusing/confused comment from Timothy Wallach of the FBI:

“The best prevention for ransomware is to have thorough backups that are off the network, as well as encrypting your own data. That way if the bad guys encrypt it with their ransomware you still have it…”

It would be interesting to know if that’s exactly what Wallach said, since I’d rather like to know what he meant by ‘encrypting your own data’.]

David Harley

Identifying 52 shades of ransomware

There is no simple or universal answer to a ransomware attack (apart from taking all possible precautions in advance, and there are no guarantees even then). However, the site ID Ransomware does seem to offer a way for victims to (maybe) identify the ransomware that has attacked their system. (I haven’t tested it myself.)

As I understand it, the site works like this:

  • It allows a victim to upload a file displaying ransom/payment information or one of the encrypted files, and attempts to use the uploaded file to identify the malware that implemented the attack. It currently claims to detect 52 varieties of ransomware.
  • If there is a known way of decrypting the encrypted files without paying the ransom, it directs the victim towards it.

The site doesn’t offer to decrypt files directly itself, and doesn’t want samples of the actual malware.

Hat tip to  of Help Net Security, where I first saw the site announced.

David Harley

UK threat prevalence – Symantec

John Leyden for The Register has summarized Symantec’s latest Internet Security Threat Report, and focuses on UK-specific figures for threat prevalence: Spear phishers target gullible Brits more than anyone else – survey; Ransomware, 0days, malware, scams… all are up, says Symantec.

Of particular relevance to this site are the statistics for crypto ransomware attacks (up by 35% in the UK) and for tech support scams (7m attacks in 2015). Since this is described as a survey, I guess the figures are extrapolated from the surveyed population’s responses rather than from a more neutral source, but I can’t say for sure.

Ordinarily, I’d check out the report directly, but it requires registration, and I don’t really want to be bombarded with ‘commercial information‘ from a competitor, so I have to be really interested before I go that far. If that doesn’t bother you, though, you can get the report via this page.

The Register also cites the report’s finding that 430 million new  malware variants were discovered in 2015. I agree with Leyden that the figure is pretty meaningless, though for a slightly different reason: not because of the sheer volume of variants, but because you can’t tell from this summary what Symantec is defining as a ‘variant’.

David Harley