It probably hasn’t escaped your notice that there is a huge outbreak of ransomware affecting organizations pretty much worldwide. The main cause of upset is the malware ESET calls Win32/Filecoder.WannaCryptor.D (other security software is available…)
At the moment it’s unclear how much actual data has been affected, and how many systems have been shut down as a proactive measure. One thing that does seem clear is that systems that haven’t been patched against MS2017-010 are vulnerable to the ‘externalblue’ exploit from the ShadowBroker NSA leak unless they have security software that blocks that exploit.
Being in the UK, I’m especially interested in the effect on the NHS, though I’m not in a position to tell you much about it. Here are a couple of links:
Some sources link this with Jaff, but the information I have doesn’t suggest a resemblance. ESET detects it as PDF/TrojanDropper.Agent.Q trojan – the sample I received came as an attachment called nm.pdf. Commentary by EMSISOFT. Commentary by The Register.
For once, an article about Hitler that doesn’t invoke Godwin’s law…
The Register’s John Leyden describes how Hitler ‘ransomware’ offers to sell you back access to your files – but just deletes them: Sloppy code is more risible than Reich, though.
I don’t suppose this gang will finish its career in a bunker in Berlin, but I’d like to think that there is at least a prison in their future.
At this year’s Def Con, Andrew Tierney and Ken Munro demonstrated how they created full-blown ransomware to take control of an unnamed brand of smart thermostat ‘and lock the user out until they paid up.’
It’s not clear right now whether this is another aspect of the story noted by Security Week about Vulnerabilities Exposed Trane Thermostats to Remote Hacking, based on research by Jeff Kitson for Trustwave. But it sounds very similar.
Researchers from the University of Florida and Villanova University suggest that ransomware can be mitigated by detecting its encrypting files early in the process:
CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data
A good idea, but some anti-malware programs already do something like this (i.e. flag programs that start encrypting files in bulk). But still a good idea. At The Register, Richard Chirgwin offers a round of applause:
Florida U boffins think they’ve defeated all – ransomware Crypto Drop looks for tell-tale signs that files are being encrypted
Whenever I think that the various criminals behind ransomware can’t sink any lower, someone comes along and proves me wrong.
Edmund Brumaghin and Warren Mercer in a post for Talos describe a particularly vicious example of ransomware they call Ranscam, which doesn’t bother to encrypt files. It claims that the files have been moved to a ‘hidden, encrypted partition’ , but in fact the malware simply deletes them, makes it difficult as possible to recover them, and then puts up a ransom demand. In fact, the criminals have no way of recovering the victim’s files: they just take the money, given the opportunity. As the authors put it:
Ranscam further justifies the importance of ensuring that you have a sound, offline backup strategy in place rather than a sound ransom payout strategy.
The Talos blog: When Paying Out Doesn’t Pay Off.
Commentary by John Leyden for The Register: Nukeware: New malware deletes files and zaps system settings – When you’ve paid up, but there’s nothing to unlock.
John Leyden heralds a post apparently due to appear on the Malwarebytes site later today (25th May 2016) about a wave of malvertising exploiting the Flash Player exploit (CVE-2016-4117) recently addressed by Adobe in order to direct victims to the Angler exploit kit and launch infection with the CryptXXX ransomware.
I’m guessing that we’re talking about CryptXXX 3.0, which I wrote about earlier today: CryptXXX 3.0: gang breaks own decryptor.
Worth looking out for (the article and the malware).
[Added: Malwarebytes article now published as New Wave of Malvertising Leverages Latest Flash Exploit. Jerome Segura observes:
John Leyden for The Register has summarized Symantec’s latest Internet Security Threat Report, and focuses on UK-specific figures for threat prevalence: Spear phishers target gullible Brits more than anyone else – survey; Ransomware, 0days, malware, scams… all are up, says Symantec.
Of particular relevance to this site are the statistics for crypto ransomware attacks (up by 35% in the UK) and for tech support scams (7m attacks in 2015). Since this is described as a survey, I guess the figures are extrapolated from the surveyed population’s responses rather than from a more neutral source, but I can’t say for sure.
Ordinarily, I’d check out the report directly, but it requires registration, and I don’t really want to be bombarded with ‘commercial information‘ from a competitor, so I have to be really interested before I go that far. If that doesn’t bother you, though, you can get the report via this page.
The Register also cites the report’s finding that 430 million new malware variants were discovered in 2015. I agree with Leyden that the figure is pretty meaningless, though for a slightly different reason: not because of the sheer volume of variants, but because you can’t tell from this summary what Symantec is defining as a ‘variant’.
Macro malware has been back with us for some time, now, and ransomware such as Locky has been taking advantage of that vector.
Microsoft has taken a significant step towards addressing the issue in the enterprise by restricting access to macros via Group Policy. Its blog article New feature in Office 2016 can block macros and help prevent infection doesn’t talk about ransomware directly, but of course it will help against other types of macro-exploiting malware too.
John Leyden’s article for The Register – Microsoft beefs up defences against Office macros menace – also refers, as does this Sophos commentary.
According to a blog article from Bitdefender, KeRanger ‘looks virtually identical to version 4 of the Linux.Encoder Trojan that has been infecting thousands of Linux servers since the beginning of 2016.’ Commentary from John Leyden for The Register: First Mac OS X ransomware actually a rewrite of Linux file scrambler – Gatekeeper nutmegged using dodgy cert. Also commented on Mac Virus: KeRanger and Linux.Encoder
An article from March 8th 2016 by Tim Ring for SC Magazine – Locky ransomware ‘on the rampage’ globally – is focused on Locky but also collates commentary from sources such as Fortinet and McAfee about how it relates to other major families, notably CryptoWall and TeslaCrypt.