Paul Ducklin for Sophos: Watch out – fake support scams are alive and well this Christmas
The first part of the article is a recap of old-school tech support scam cold-calling, but the rest describes what happened when someone clicked on ‘one of those “you’ll never believe what happened next” stories’. The resulting ‘alert’ included an automatic voice-over. While the voice-over (which you can hear on the page above) is full of laughable transcription errors and false information, it could certainly scare someone not particularly tech-literate into falling for the scam.
Bill Brenner for Sophos: What’s at risk from nRansom? Your memories of Thomas the Tank Engine.
A hoax (or possibly a test) then, rather than real ransomware. But not terribly well executed.
And still it goes on…
Tech support scammers poisoning Google search results is hardly new – see ‘My PC has 32,539 errors: how telephone support scams really work’ – but there’s an interesting example flagged by Malwarebytes in the article ‘Ads in Google Search Results Redirect Users to Tech Support Scam’ by Catalin Cimpanu. Also some useful commentary by Lisa Vaas for Sophos: ‘Google ads for tech support scams – would you spot one?’
A couple of items of general interest regarding ransomware:
I’ve commented a couple of times recently on the question of Ransomware: To pay or not to pay? and The economics of ransomware recovery.
Unusually, Microsoft has provided a patch for systems that are no longer supported, but are vulnerable to the Microsoft Security Bulletin MS17-010 flaw exploited by WannaCryptor (a.k.a. WannaCrypt among other names). These include Windows XP, Windows 8, and Windows Server 2003. A patch for later operating systems (i.e. those versions of Windows still supported) was made available in March 2017.
If you didn’t take advantage of the patch for Windows 8.1 and later at the time, now would be a good time to do so. (A couple of days earlier would have been even better.)
If you’re running one of the unsupported Windows versions mentioned above (and yes, I appreciate that some people have to), I strongly recommend that you either upgrade or take advantage of the new patch.
Microsoft’s announcement is here: Customer Guidance for WannaCrypt attacks, with links to the update and further information. Detection of the threat has also been added to Windows Defender.
Kudos to Microsoft for going the extra mile…
Additional analysis and/or commentary by ESET – ‘Huge ransomware outbreak disrupts IT systems worldwide, WannaCryptor to blame’; Malwarebytes – ‘The worm that spreads WanaCrypt0r’; and Sophos – ‘Wanna Decrypter 2.0 ransomware attack: what you need to know’. Among other vendors, of course. [Added subsequently: Symantec – ‘What you need to know about the WannaCry Ransomware’]
Lisa Vaas: Ransomware attackers shift focus and resources to high-value sectors
Quotes a PhishLabs paper – 2017 Phishing Trends & Intelligence Report – that requires filling a form in if you want to read it.
Paul Ducklin describes in some detail the rising tide of ransomware arriving by email attachment in the form of a .LNK file, and how this bit of trickery works: Beware of ransomware hiding in shortcuts. It’s by no means a new approach to distributing malware, but evidently still successful, not least because ‘LNK files don’t follow the View file name extensions setting in File Explorer, and … they can show up with an icon that is at odds with their real behaviour…’
Fortunately, Paul includes a series of useful tips that mitigate your exposure to this particular malicious behaviour, although they don’t block it completely. They include this one:
- “Never open LNK files that arrive by email. We can’t think of any situation in which you would need, or even want, to use a LNK file that came via email. The name and icon will probably be misleading, so keep your eyes peeled for the tiny arrow that Windows shows at the bottom left of the icon.”
As true now as it was years ago…
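The tip above can be enforced at the mail gateway instead of relying on someone spotting the icon arrow. This is an added example, not code from the Sophos article or from this page: it flags shortcut attachments by extension and by the Shell Link file header, so a renamed shortcut is still caught. The function names and the sample message are constructed for illustration.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Shell Link header: HeaderSize 0x4C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 (20 bytes in total).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

def is_lnk(name, data):
    """True if the name ends in .lnk or the content starts with the LNK header."""
    # Windows drops trailing dots and spaces, so "x.lnk." still opens as a shortcut.
    return name.lower().rstrip(". ").endswith(".lnk") or data.startswith(LNK_MAGIC)

def find_lnk_attachments(raw_message):
    """Return (attachment name, ZIP member or None) for each shortcut found."""
    hits = []
    for part in email.message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        if is_lnk(name, data):
            hits.append((name, None))
        elif zipfile.is_zipfile(io.BytesIO(data)):
            # One level of ZIP only; nested archives need a policy of their own.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    try:
                        head = zf.open(info).read(len(LNK_MAGIC))
                    except (RuntimeError, NotImplementedError):
                        head = b""  # encrypted or unsupported member: name check only
                    if is_lnk(info.filename, head):
                        hits.append((name, info.filename))
    return hits

def build_sample():
    """Constructed message: a ZIP holding a fake shortcut, plus a renamed one."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # header bytes only, not a working shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", b"hello")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(fake_lnk, maintype="application", subtype="octet-stream",
                       filename="scan.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    print(find_lnk_attachments(build_sample()))
```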
Sorin Mustaca remarks that he’s sick and tired of seeing so many people affected by the current wave of ransomware attacks. He’s not alone there…
His article About ransomware, Google malvertising and Fraud is worth reading for the description of how Locky spam may try to convince you to enable macros “if the data encoding is incorrect.”
If you need more information, though, Paul Ducklin’s article for Sophos is characteristically informative and insightful: “Locky” ransomware – what you need to know
These days, I don’t think you can have too many articles about what to do when you’re hit with ransomware, especially articles written by someone as knowledgeable as Paul Ducklin.
Got ransomware? What are your options?
He includes sections on:
- Shortcuts to recovery
- Longcuts to recovery
- Cracking the encryption
And those cover most of the recovery options, which is what most people will probably want to know. Unfortunately, those options aren’t always there, hence the downbeat tone of the ‘What to do’ section:
“What we are saying is that if you really need your files back, and you haven’t taken any precautions such as backing up, then you don’t really have any choice but to pay.
“We’d rather you didn’t pay up, but if you do, we understand and respect your choice. (It’s easy to be high and mighty when it’s not your data on the line!)”
I’m afraid I’m totally in agreement with that. However, he does follow up with a list of ‘useful ransomware precautions’, and we can never make too many of those recommendations either. This is certainly a case where prevention is a much better option than cure. In brief, his recommendations include, if I can summarize:
- Good backup strategy
- Disable macros
- Consider viewer apps
- Distrust attachments
- Don’t routinely run with admin privileges
- ‘Patch early, patch often’
Added to the ransomware resources page: a link to an article for Sophos by Paul Ducklin, Ransomware evolution: Another brick in the CryptoWall. As you’d expect, it has good info on CryptoWall specifically, but also links to info on other ransomware, and a link to a paper well worth your consideration on how ransomware evolved from 2014 to 2015.