Interesting analysis from Pieter Arntz for Malwarebytes of the VinCE screen locker, intended to persuade the victim into calling the ‘helpline’ number the malware displays. An example of malware that illustrates an almost imperceptible distinction between a tech support scam and true ransomware.
A closer look at a tech support screen locker
This AVIEN article also added to Tech Support Scams and Ransomware, to Specific Ransomware Families and Types, and to PC ‘Tech Support’ Scam Resources. The latter has now been renamed by dropping the reference to cold-calls, as cold-calling is no longer the only (or, arguably, the most effective) means of implementing tech support scams.
Further to the discussion as to whether people or organizations should pay up when hit by ransomware…
- The hardline security maven view is usually that they shouldn’t because it encourages the proliferation of ransomware attacks.
- A softer view (more or less mine) is that you can’t blame people – especially individuals – for not sacrificing their treasured photos, documents etc. for a principle. But we hear of organizations assuming that it’s cheaper to pay the ransom than it is to protect data properly. If so, not only are they adding to the problem, but they’re making an unsafe assumption: that paying the ransom will get their data back.
Sometimes, we’re told that ransomware operators will ‘return’ the data because not to do so may damage their ‘business model.’ And there’s something in that. However, the operators don’t always return the data. Sometimes they just can’t, through some technical issue or incompetence. Sometimes they just don’t bother.
Judging from a survey report from Kaspersky, it seems the number of times that payment doesn’t result in the release of the data may be higher than we think. The report states that:
17% of people online have faced a ransomware threat, with 6% becoming infected as a result. One-in-five users that pay a ransom don’t get their files back
According to the Anti-Phishing Working Group’s report for the second quarter of 2016, phishing attacks (as measured by the number of phish sites) reached an all-time high in that period (61% higher than the previous recorded high in 2015 Q4). It also cites PandaLabs as reporting detection of 18 million ransomware programs over that period, amounting to more than 200,000 per day.
Phishing Activity Trends Report 2nd Quarter 2016
[Also published on the Mac Virus blog, which also addresses smartphone security issues]
Not quite ransomware (though there is a suggestion that it may happen), but my ESET colleague Lukas Stefanko describes a fake lockscreen app that takes advantage of the currently prevalent obsession with Pokémon GO to install malware. The app locks the screen, forcing the user to reboot. The reboot may only be possible by removing and replacing the battery, or by using the Android Device Manager. After reboot, the hidden app uses the device to engage in click fraud, generating revenue for the criminals behind it by clicking on advertisements. He observes:
This is the first observation of lockscreen functionality being successfully used in a fake app that landed on Google Play. It is important to note that from there it just takes one small step to add a ransom message and create the first lockscreen ransomware on Google Play.
In fact, it would also require some other steps to enable the operators to collect ransom, but the point is well taken. It’s an obvious enough step that I’m sure has already occurred to some ransomware bottom-feeders. And it’s all too easy for a relatively simple scam to take advantage of a popular craze.
Clicking on porn advertisements isn’t the only payload Lukas mentions: the article is also decorated with screenshots of scareware pop-ups and fake notifications of prizes.
The ESET article is here: Pokémon GO hype: First lockscreen tries to catch the trend
Somewhat-related recent articles from ESET:
Other blogs are available. 🙂
Not ransomware, but related in that it clearly involves extortion/blackmail: the FBI has issued an alert about Extortion E-Mail Schemes Tied To Recent High-Profile Data Breaches. The threatening messages arrive in the wake of a flood of revelations of high-profile data thefts. The ready availability of stolen credentials is used by crooks to convince victims that they have information that will be released to friends ‘and family members (and perhaps even your employers too)’ unless a payment of 2-5 bitcoins is received.
The generic nature of some of the messages quoted by the FBI doesn’t suggest that the scammer has any real knowledge of the targets or of information that relates to them.
‘If you think this amount is too high, consider how expensive a divorce lawyer is. If you are already divorced then…’
This sounds more like mass mailouts in the hope that some will reach a target sufficiently guilt-ridden to pay up just in case. Other messages may well frighten some people, fearful of being ‘doxed’, into paying up in case their personally-identifiable information falls into the wrong hands.
Here’s another instance where ransomware and tech support scams overlap. Jérôme Segura, for Malwarebytes, describes how scammers have moved on from ‘bogus browser locks and fake AV alerts’ to real screen lockers. In particular, he describes an example of malware shared by @TheWack0lian that passes itself off as a Windows update. However, during the ‘update’ it effectively locks the computer, ostensibly due to an ‘invalid licence key’, forcing the victim to call a ‘support line’.
The article – Tech Support Scammers Get Serious With Screen Lockers – includes a keyboard combination that might disable the locker, and some hardcoded ‘key’ values that might also work. However, it’s likely that there are already variants out there that use different ‘keys’, and if there aren’t, there almost certainly will be.
Commentary by David Bisson for Graham Cluley’s blog is also worth reading: New tech support scams mimic ransomware, lock users’ computers – Beware if you’re asked to pay $250 for a product key to unlock your PC.
Roland Dela Paz describes for Fortinet how Nemucod, much-spammed malware already well-known for downloading other malware including (recently) Teslacrypt, now has the ability to drop ransomware directly (i.e. from its own body), including the ransom note and a batch file to initiate the encryption.
Nemucod Adds Ransomware Routine
The good news is that the ransomware isn’t as effective as its ransom note would have victims believe: not yet, anyway. It’s not the case that ‘Nobody can help you but us.’ That doesn’t mean this will always be the case, though.
Dela Paz notes some resemblance between this ransomware and KeyBTC, but says that a direct relationship can’t be confirmed at present.
While I’ve been tracking ransomware and (D)DoS issues for a while – well, for most of my career in security, to be strictly accurate – I’ve paid less attention to blackmail, though I guess it’s related in so far as it is another form of extortion. I hadn’t particularly noticed the stories about blackmail attempts against users of the Ashley Madison extra-marital dating site, but it seems to be developing in interesting ways, as discussed in a post by Graham Cluley: Now it’s Ashley Madison wives who are receiving blackmail letters.
If nothing else, it’s an interesting reflection on how old-school crime is attempting to adapt to the online world, albeit with variable success. But perhaps the most striking aspect of this particular story is the way in which the extortionist seems happy (in a desperate sort of way) to compound the misery of the spouses who are presumably the original victims of extra-marital footsie. No spurious claims to the moral high ground here, then.
I think I may feel a paper coming on.
A Netskope report on Cloud issues notes cases where, when a victim’s cloud-hosted files are encrypted, cloud service users synching to the same folder found their files being encrypted too, even though they weren’t themselves directly compromised by the ransomware. While Netskope’s Jamie Barnett told SC Magazine that “It was a blinding flash of the obvious for us,” it’s obviously a finding that more Cloud users need to take into account.
I’ve already pointed out that
…if your data is backed up somewhere that’s ‘always on’ while you’re using your computer, there’s a risk that ransomware (or other malicious software) might be able to encrypt, delete or corrupt your backed-up data too.
However, it’s important to realize that if you share storage with others, their susceptibility to ransomware may become your problem too.
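One practical consequence of the shared-storage risk above is that the first sign of trouble on your side may be the sync client quietly replacing readable files with encrypted blobs that someone else’s machine produced. The following is an added example (not code from this post, from Netskope or from any sync vendor) of a defender-side check: it records a per-file entropy baseline for a synced folder, rescans later, and flags files that have turned from low-entropy content into high-entropy data or have vanished and been replaced under new names. The folder layout, file names, the 7.5 bits/byte threshold and the burst size are all assumptions for the demonstration; the “after” state is constructed with random bytes in a temporary directory, standing in for what a sync client would write after another user’s copies were encrypted.

```python
"""Entropy-baseline check for a shared/synced folder (added example, not from the post)."""
import math
import os
import shutil
import tempfile
from collections import Counter

# Assumed threshold: natural-language text and most office documents sit well
# below this; ciphertext and random data sit close to 8 bits/byte.
HIGH_ENTROPY = 7.5
# Assumed burst size: this many newly high-entropy files in one scan is an alert.
BURST = 3


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-symbol input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_map(root: str) -> dict:
    """Map each file (relative path) under `root` to the entropy of its first 64 KiB."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                result[os.path.relpath(path, root)] = shannon_entropy(f.read(64 * 1024))
    return result


def suspicious_changes(baseline: dict, current: dict,
                       threshold: float = HIGH_ENTROPY, burst: int = BURST):
    """Compare two scans. Returns (newly_high_entropy, missing, alert).

    A file is flagged when it is high-entropy now but was low-entropy (or absent)
    in the baseline. `alert` is raised on a burst of such files, or on any such
    file appearing while baseline files have disappeared (rename-and-encrypt).
    """
    flagged = sorted(rel for rel, ent in current.items()
                     if ent >= threshold and baseline.get(rel, 0.0) < threshold)
    missing = sorted(rel for rel in baseline if rel not in current)
    alert = len(flagged) >= burst or bool(flagged and missing)
    return flagged, missing, alert


def build_demo_folder() -> str:
    """Constructed sample: a temp folder with three ordinary text documents."""
    root = tempfile.mkdtemp(prefix="syncdemo_")
    for name in ("notes.txt", "budget.csv", "minutes.txt"):
        with open(os.path.join(root, name), "w", encoding="utf-8") as f:
            f.write(f"{name}: quarterly planning notes, item after item. " * 100)
    return root


def replace_with_locked_copies(root: str) -> None:
    """Constructed 'after' state: originals gone, random-byte '.locked' files in their place.

    This only writes random bytes into the demo folder; it stands in for what the
    sync client would pull down after another user's copies had been encrypted.
    """
    for name in os.listdir(root):
        src = os.path.join(root, name)
        os.remove(src)
        with open(src + ".locked", "wb") as f:
            f.write(os.urandom(4096))


def run_demo():
    """Baseline scan, constructed change, rescan; returns the comparison result."""
    root = build_demo_folder()
    try:
        baseline = entropy_map(root)
        replace_with_locked_copies(root)
        current = entropy_map(root)
        return suspicious_changes(baseline, current)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    flagged, missing, alert = run_demo()
    print("newly high-entropy:", flagged)
    print("missing from baseline:", missing)
    print("ALERT" if alert else "no alert")
```

Because legitimately compressed formats (JPEG, ZIP, already-encrypted archives) are also high-entropy, the check deliberately compares against a baseline rather than judging files in isolation: a photo that was high-entropy yesterday and is high-entropy today is not flagged, while a text document that has become indistinguishable from random data is. The same logic applies whether the folder is a local sync client directory or a mounted ‘always on’ backup share.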
Resources page updated.
For Malwarebytes, Jérôme Segura reports on another incident where a support scam is combined with other malicious action – Comcast Customers Targeted In Elaborate Malvertising Attack. In this case, malvertising planted on Comcast’s Xfinity search page leads to an attempt to install malware via the Nuclear exploit kit. Malwarebytes weren’t able to collect the malware payload on this occasion, but think it likely to be Cryptowall or another type of ransomware. Subsequently, another site purporting to be the Xfinity portal may serve a fake alert along the lines of:
Comcast’s security plugin has detected some suspicious activity from your IP address. Some Spyware may have caused a security breach at your network location. Call Toll Free 1-866-319-7176 for technical assistance
Also reported by Help Net Security.
Adding to both the Tech Support Scam and Ransomware resource pages.