Author Archives: DHarley

BTCWare/Nuclear – don’t pay up!

Bleeping Computer: New Nuclear BTCWare Ransomware Released (Updated)

Lawrence Abrams notes: “Michael Gillespie discovered that the developers of this variant messed up on the encryption of files greater than 10MB in file size and will not be able to decrypt them. It was also discovered that this same behavior was seen with other files of random sizes. Therefore, it is advised that you do not pay the ransom as there is a good chance many of your files will not be able to be decrypted.”

David Harley

Heimdal’s Anti-Ransomware Protection Plan

Andra Zaharia, security evangelist at Heimdal, has published a very useful and exhaustive checklist for reducing your exposure to ransomware: The Anti-Ransomware Protection Plan You Need to Follow Today.

I get tired of reading ‘how to defend against ransomware’ articles that miss out vital points like not staying permanently connected to in-the-cloud storage, but this one really does cover most of the angles. Very nice.

David Harley

Tech Support Scammers Target BT Customers

Well, this isn’t the first time. But a report by Kat Hall for The Register suggests that some of the scammers may have more information about potential victims than they should. Which makes me wonder whether there’s a leak similar to that affecting TalkTalk customers. I’ve certainly been contacted in the past by BT sales people who were clearly not based in the UK.

I don’t know whether there’s been such a leak at BT, of course. However, it’s not unknown for people working in legitimate support to be also implicated in some way in support scamming, whether by leaking data or by working in a call centre that encourages scam calling as well as offering legit support for legit organizations. And it’s hard to police that kind of activity.

That article by Kat Hall: Indian call centre scammers are targeting BT customers – In some cases fraudsters knew their mark’s personal details

David Harley

Tech support scams – FTC offers money back…

…well, there’s no foolproof way of doing that (getting your money back, that is), unfortunately. But Shaun Nichols reports for The Register that FTC ready to give back tech support scamming money to the bilked.

“Those who have been identified as eligible by the FTC will get an email from the commission with a PIN number that can be used to obtain the claim forms. In order to claim a share of the payout, consumers will have to fill out a claim before October 27.”

The article does, very sensibly, point out the risk that scammers will use the FTC’s initiative as a springboard for further scams. Unfortunately, I can’t predict exactly what form such scams will take, but I’d be surprised if they don’t happen…

The Federal Trade Commission’s own press release is here: FTC Announces Refund Process for Victims of Deceptive Tech Support Operation.

It states:

Eligible consumers bought tech support products and services between April 2012 and November 2014 from Advanced Tech Support, which also used the name Inbound Call Experts. Consumers will have until October 27, 2017 to submit a request for a refund.

David Harley

SyncCrypt: Getting the Ransomware Picture?

Lawrence Abrams, for Bleeping Computer, describes how the SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension.

The article describes ransomware discovered by EmsiSoft’s xXToffeeXx, distributed as spam attachments containing WSF (Windows Script File) objects. The WSF script pulls down images containing embedded Zip files. Abrams reports that the ‘WSF attachments are pretending to be court orders with file names like CourtOrder_845493809.wsf.’

VirusTotal searches today indicate that detection of the image file for which a hash is provided is rising, but is still lower than the detection rate for the executable, which the majority of mainstream security products now detect. The JPGs are not directly harmful, but the embedded Zip file contains the malicious sync.exe executable. Detection of the WSF file for which a hash is provided is also lower than for the executable.

There’s no free decryption for affected data at this time.

IOCs, filenames etc. are appended to the Bleeping Computer analysis.
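The delivery trick described above (a Zip archive carried inside an image file) is easy to check for on the defender’s side. The following Python script is an added example, not code from the page or from Bleeping Computer: it scans a file that claims to be a JPEG for a ZIP local-file header anywhere after the start-of-image marker and, if Python’s own zipfile module can open an archive at that offset, reports the offset and the member names. The function names (find_appended_zip, build_polyglot), the stand-in JPEG bytes and the placeholder archive member are all constructed for the example; the member is named sync.exe only because that is the filename the article reports, and its content is a harmless placeholder string.

```python
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8"          # JPEG start-of-image marker
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # ZIP local file header signature

# Constructed stand-in for an image: SOI, a JFIF APP0 segment, EOI. It carries no picture data.
CONSTRUCTED_JPEG = (
    JPEG_SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xd9"
)


def build_polyglot(image: bytes = CONSTRUCTED_JPEG, member: str = "sync.exe") -> bytes:
    """Append a ZIP with one placeholder member to an image (constructed sample for the detector)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, b"PLACEHOLDER-NOT-A-REAL-EXECUTABLE")
    return image + buf.getvalue()


def find_appended_zip(data: bytes):
    """Return (offset, member_names) if a readable ZIP archive is embedded in a JPEG, else None.

    Every occurrence of the local-file-header signature is tried in turn, so an EXIF
    thumbnail (a complete JPEG, with its own EOI marker, inside the main file) or a
    chance 'PK' byte sequence in compressed picture data does not stop the scan early.
    """
    if not data.startswith(JPEG_SOI):
        return None
    start = len(JPEG_SOI)
    while True:
        idx = data.find(ZIP_LOCAL_HEADER, start)
        if idx < 0:
            return None
        try:
            with zipfile.ZipFile(io.BytesIO(data[idx:])) as zf:
                return idx, zf.namelist()
        except zipfile.BadZipFile:
            start = idx + 1  # not a real archive at this offset; keep looking


def scan_file(path: str):
    """Convenience wrapper for a file on disk: prints and returns the finding."""
    with open(path, "rb") as fh:
        result = find_appended_zip(fh.read())
    if result:
        print(f"{path}: ZIP archive at offset {result[0]} with members {result[1]}")
    else:
        print(f"{path}: no embedded ZIP archive found")
    return result


if __name__ == "__main__":
    print(find_appended_zip(CONSTRUCTED_JPEG))   # None: plain image
    print(find_appended_zip(build_polyglot()))   # (offset, ['sync.exe']): image with appended archive
```

A hit from this check is a strong signal on a mail gateway or in a download directory, since a legitimate image has no reason to carry a readable archive; pair it with the WSF attachment indicators from the Bleeping Computer write-up rather than relying on the image check alone.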

David Harley


Cerber now kind to canaries

Cybereason: Researchers at Cybereason have discovered a new strain of the Cerber ransomware that implements a new feature to avoid triggering canary files.

Apparently this strain of Cerber assumes that any malformed image file is a ‘canary’ file (a variation on the old idea of a goat file) and avoids encrypting it or any other file in the directory in which it’s found.

A goat file is a file deliberately exposed to a virus so that, once it has been infected, it can be used to facilitate detection and/or analysis of that virus; the name is by analogy with a ‘sacrificial goat’.

A canary file is intended to act like ‘a canary in a coal mine’, giving early warning of an attempt by ransomware to encrypt files, by analogy with a canary dropping unconscious or dead at the first hint of dangerous gases such as carbon monoxide.

Since it’s rather easy to generate a ‘malformed image file’, it’s been suggested that people do so to help protect folders containing valuable files. I suspect, however, that the Cerber gang (and other malefactors) have already twigged that one, so I certainly wouldn’t rely on such a strategy.
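To make the canary-file idea concrete, here is an added Python example; it is not code from the page or from Cybereason, and the function names (minimal_png, png_is_well_formed, plant_canaries, check_canaries, demo) are assumptions made for the example. It plants canaries that are well-formed PNG images, so a heuristic that treats only malformed image files as canaries has nothing to latch onto, records a SHA-256 baseline for each, and reports any canary that is later modified or removed. The demo() function simulates a ransomware pass by overwriting one canary and deleting the other; all of its inputs are constructed.

```python
import hashlib
import os
import struct
import tempfile
import zlib
from pathlib import Path

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """One PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))


def minimal_png(width: int = 4, height: int = 4) -> bytes:
    """A tiny but fully valid 8-bit RGB PNG (solid red), so image parsers accept it."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))  # filter byte 0 per row
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def png_is_well_formed(data: bytes) -> bool:
    """Structural check: signature, every chunk CRC valid, ends exactly at IEND."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        if pos + 12 + length > len(data):
            return False
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)
    return False


def plant_canaries(directory, names=("_canary_0000.png", "zz_canary.png")) -> dict:
    """Write canary images (names chosen to sort first and last) and return path -> SHA-256 baseline."""
    baseline = {}
    for name in names:
        p = Path(directory) / name
        p.write_bytes(minimal_png())
        baseline[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest()
    return baseline


def check_canaries(baseline: dict) -> list:
    """Compare each canary against its baseline; return (path, 'missing' | 'modified') alerts."""
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append((path, "missing"))
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            alerts.append((path, "modified"))
    return alerts


def demo() -> tuple:
    """Constructed run: plant, verify clean, simulate an encryption pass, verify alerts fire."""
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_canaries(d)
        before = check_canaries(baseline)          # expected: no alerts
        paths = sorted(baseline)
        Path(paths[0]).write_bytes(os.urandom(64))  # simulates in-place encryption of one canary
        Path(paths[1]).unlink()                      # simulates encrypt-then-delete of the other
        after = check_canaries(baseline)
    return before, sorted(kind for _, kind in after)


if __name__ == "__main__":
    print(demo())  # ([], ['missing', 'modified'])
```

In practice the baseline would be kept outside the monitored tree and check_canaries() would run from a scheduled task or a filesystem-event hook; the point of the example is that the canary remains a valid image, so the only way for ransomware to leave it alone is to skip it by name or path, which is exactly the kind of fixed heuristic that can be varied on the defender’s side.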

David Harley

Ransomware targeting WordPress sites

WordFence, which offers a security plugin for WordPress sites, reports on Ransomware Targeting WordPress – An Emerging Threat, claiming to have ‘captured several attempts to upload ransomware that provides an attacker with the ability to encrypt a WordPress website’s files and then extort money from the site owner.’

I hope the company won’t mind my quoting this important paragraph:

If you are affected by this ransomware, do not pay the ransom, as it is unlikely the attacker will actually decrypt your files for you. If they provide you with a key, you will need an experienced PHP developer to help you fix their broken code in order to use the key and reverse the encryption.

Commentary by HelpNet Security here: EV ransomware is targeting WordPress sites

David Harley


TalkTalk fined for support scam issue

The Register: TalkTalk fined £100k for exposing personal sensitive info – 21,000 accounts handled by Indian outsourcing biz exposed

‘…TalkTalk found an issue with the UK ISP’s portal … One of the companies with access to the portal was Wipro, a multinational IT services company in India that resolved high level complaints and addressed network coverage problems on TalkTalk’s behalf … three Wipro accounts … had been used to gain unauthorised and unlawful access to the personal data of up to 21,000 customers.’

See also TalkTalk confesses: Scammers have data about our engineers’ visits to your home – Info exploited, say customers

Added to tech support resources page, of course.

David Harley

Social Engineering and Ransomware

SecurityWeek contributor Kevin Townsend asked me about a report from the UK’s De Montfort University on the psychology of ransomware splash screens. Here’s the article he published – Researcher Analyzes Psychology of Ransomware Splash Screens – and here are some further thoughts from me published on the ESET blog: Social engineering and ransomware.

David Harley