For Sophos, Mark Stockley describes how scammers are using RDP to get ransomware onto victims' systems. RDP is intended to cut network and system administration costs by letting sysadmins and help-desk operators access their customers' systems remotely, but that same access gives an attacker who obtains it almost unlimited scope to reconfigure applications and services, which makes installing and executing ransomware a breeze.
Ransomware-spreading hackers sneak in through RDP
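Since the point of the Sophos piece is that the intruder arrives through a legitimate remote-access channel, the check a defender wants is over the logon records that channel leaves behind. The following is an added example, not code from Sophos or from the article: it runs a simple detection over constructed Windows Security events reduced to the fields that matter (timestamp, event ID, logon type, user, source IP). Event 4624 is a successful logon and 4625 a failed one; logon type 10 is RemoteInteractive, i.e. RDP. With Network Level Authentication enabled, failed RDP attempts are commonly recorded with logon type 3 rather than 10, so the failure filter accepts both. The thresholds and the pipe-delimited line format are assumptions for the example.

```python
"""Flag a burst of failed RDP logons followed by a successful RDP logon
from the same source address.

Added example, not code from Sophos or the linked article. The log lines
below are constructed; real events would be read from the Security log
(EVTX) and the same fields pulled out of the event XML.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # assumed: failures needed before a success is suspicious
WINDOW = timedelta(minutes=10)  # assumed: how far back to count failures

# Constructed sample: timestamp|EventID|LogonType|TargetUserName|IpAddress
SAMPLE_LOG = """
2017-10-16T09:00:00|4625|3|administrator|203.0.113.5
2017-10-16T09:00:10|4625|3|admin|203.0.113.5
2017-10-16T09:00:20|4625|3|backup|203.0.113.5
2017-10-16T09:00:30|4625|10|administrator|203.0.113.5
2017-10-16T09:00:40|4625|3|sysadmin|203.0.113.5
2017-10-16T09:00:50|4625|3|administrator|203.0.113.5
2017-10-16T09:01:00|4625|10|jsmith|198.51.100.7
2017-10-16T09:01:05|4624|10|jsmith|198.51.100.7
2017-10-16T09:01:10|4624|2|jsmith|-
2017-10-16T09:01:30|4624|10|administrator|203.0.113.5
"""


def parse(line):
    """Turn one constructed log line into a dict of typed fields."""
    ts, eid, ltype, user, ip = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event": int(eid),
            "logon_type": int(ltype), "user": user, "ip": ip}


def detect(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per successful RDP logon preceded, within `window`,
    by at least `threshold` failed logons from the same remote address."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    failures = defaultdict(list)   # source IP -> timestamps of failed logons
    alerts = []
    for e in events:
        if e["ip"] in ("-", "127.0.0.1", "::1"):
            continue               # local/console logons carry no useful source
        if e["event"] == 4625 and e["logon_type"] in (3, 10):
            failures[e["ip"]].append(e["ts"])
        elif e["event"] == 4624 and e["logon_type"] == 10:
            recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"ip": e["ip"], "user": e["user"],
                               "failures": len(recent), "at": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print("RDP guess-then-login from {ip} as {user}: {failures} failures before {at}".format(**a))
```

On the sample, the single failure from 198.51.100.7 followed by a success is below threshold and is ignored; the six failures from 203.0.113.5 followed by an RDP logon as administrator produce one alert. In production the same logic would be fed from the Security log rather than a string, and the thresholds tuned to the environment.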
The second part of a two-part report by Intermedia deals specifically with ransomware and includes a link to a video which I’m afraid I haven’t watched. There are also some interesting statistics. When a ransom gets paid, who pays it? According to Intermedia, 59% of employees have paid personally, and only 37% of those surveyed said that their employer had paid. (Which may say something sad about employee attitudes and unpleasant about employer attitudes.) Yet the company has previously reported that 19% of companies didn’t get their data back. (In sharp contrast to claims that ransomware gangs usually recover data because that’s their business model.) I’d guess that with the increase in wiper activity in recent months, the 2017 figures for unrecovered data could be appreciably higher. (Are wipers ransomware? Well, that depends on individual cases, but they do often present themselves as if they are.)
ESET reports that “ESET researchers have spotted the first-ever ransomware misusing Android accessibility services. On top of encrypting data, it also locks the device.”
DoubleLocker: Innovative Android Ransomware
…from my old (in the nicest way possible) mate Roger Thompson. I haven’t been following the blog closely so far, but Roger has lots of hands-on experience in the industry (far more than I do): I don’t doubt that he knows what he’s about…
Thompson Cyber Security Labs
Bill Brenner for Sophos: What’s at risk from nRansom? Your memories of Thomas the Tank Engine.
A hoax (or possibly a test) then, rather than real ransomware. But not terribly well executed.
From Motherboard: This Ransomware Demands Nudes Instead of Bitcoin. To be precise, at least ten nude photographs of the victim. Real ransomware or an unpleasant prank: well, quite a few AV engines detect it as malware, according to VirusTotal. More info if and as I receive it.
Bleeping Computer: New Nuclear BTCWare Ransomware Released (Updated)
Lawrence Abrams notes: “Michael Gillespie discovered that the developers of this variant messed up on the encryption of files greater than 10MB in file size and will not be able to decrypt them. It was also discovered that this same behavior was seen with other files of random sizes. Therefore, it is advised that you do not pay the ransom as there is a good chance many of your files will not be able to be decrypted.”
Andra Zaharia, security evangelist at Heimdal, has published a very useful and exhaustive checklist for reducing your exposure to ransomware: The Anti-Ransomware Protection Plan You Need to Follow Today.
I get tired of reading ‘how to defend against ransomware’ articles that miss out vital points like not staying permanently connected to in-the-cloud storage, but this one really does cover most of the angles. Very nice.
Lawrence Abrams, for Bleeping Computer, describes how the SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension.
The article describes ransomware discovered by EmsiSoft’s xXToffeeXx, distributed as spam attachments containing WSF (Windows Script File) objects. The WSF script pulls down images containing embedded Zip files. Abrams reports that the ‘WSF attachments are pretending to be court orders with file names like CourtOrder_845493809.wsf.’
VirusTotal searches today indicate that detection of the image file whose hash is provided is rising, but it is still lower than the detection rate for the executable, which the majority of mainstream security products now detect. The JPGs are not directly harmful in themselves, but the embedded Zip file contains the malicious sync.exe executable. Detection of the WSF file whose hash is provided is also lower than for the executable.
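The reason the image scores lower on VirusTotal than the executable is that it is a valid JPEG with a Zip archive appended after the end-of-image marker, so a scanner that only looks at the picture sees nothing wrong. The check below is an added example, not code from Bleeping Computer or from the SyncCrypt analysis: it walks the JPEG segment structure to find where the image really ends (rather than searching for the first FF D9, which can also occur inside an embedded EXIF thumbnail), then looks for a Zip local-file header after that point and lists any executable-looking members. The carrier image and archive are constructed in memory so it runs offline; the member name sync.exe echoes the article, and its contents are placeholder text, not malware.

```python
"""Find and inspect a Zip archive appended to a JPEG carrier file.

Added example, not code from Bleeping Computer or the SyncCrypt analysis.
The JPEG and the archive are constructed below so the script runs offline.
"""
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
SUSPICIOUS_EXTS = (".exe", ".dll", ".scr", ".wsf", ".js", ".vbs")


def make_carrier_jpeg() -> bytes:
    """Minimal JPEG: SOI, one APP0 (JFIF) segment, EOI. Constructed sample."""
    app0_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_payload) + 2) + app0_payload
    return JPEG_SOI + app0 + JPEG_EOI


def make_embedded_zip(member: str, payload: bytes) -> bytes:
    """Zip archive holding one member. Constructed sample, placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def jpeg_end_offset(data: bytes):
    """Walk JPEG segments and return the offset just past the real EOI marker.
    Returns None if the data is not a well-formed JPEG."""
    if not data.startswith(JPEG_SOI):
        return None
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: image ends here
            return pos + 2
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: skip entropy-coded data
            # Inside scan data a literal 0xFF is stuffed as FF 00, and FF D0..D7
            # are restart markers; anything else after FF is a real marker.
            while pos + 1 < n and not (data[pos] == 0xFF and data[pos + 1] != 0x00
                                       and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    return None


def find_trailing_archive(data: bytes):
    """Return (offset, ZipFile) for a Zip appended after the image, else None."""
    end = jpeg_end_offset(data)
    if end is None:
        return None
    off = data.find(ZIP_LOCAL_HEADER, end)
    if off == -1:
        return None
    try:
        zf = zipfile.ZipFile(io.BytesIO(data[off:]))
    except zipfile.BadZipFile:
        return None
    return off, zf


def suspicious_members(zf: zipfile.ZipFile, exts=SUSPICIOUS_EXTS):
    """Names of archive members with executable or script extensions."""
    return [i.filename for i in zf.infolist() if i.filename.lower().endswith(exts)]


def analyse(data: bytes):
    """Summarise a file: where the image ends, where the archive starts, what it holds."""
    found = find_trailing_archive(data)
    if found is None:
        return {"image_end": jpeg_end_offset(data), "archive_offset": None, "members": []}
    off, zf = found
    return {"image_end": jpeg_end_offset(data), "archive_offset": off,
            "members": [i.filename for i in zf.infolist()],
            "suspicious": suspicious_members(zf)}


if __name__ == "__main__":
    carrier = make_carrier_jpeg() + make_embedded_zip("sync.exe", b"placeholder, not a real binary")
    print(analyse(carrier))
    print(analyse(make_carrier_jpeg()))
```

A clean JPEG reports no archive; the carrier reports the archive offset equal to the image's true length and lists sync.exe as a suspicious member. Walking the segments matters for real images: an EXIF thumbnail is a complete JPEG nested inside an APP1 segment, so a naive search for the first FF D9 would stop inside the thumbnail and miss appended data.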
There’s no free decryption for affected data at this time.
IOCs, filenames etc. are appended to the Bleeping Computer analysis.