Tag Archives: The Register

Ransomware Avalanche – WannaCryptor and Jaff

It probably hasn’t escaped your notice that there is a huge outbreak of ransomware affecting organizations pretty much worldwide. The main cause of upset is the malware ESET calls Win32/Filecoder.WannaCryptor.D (other security software is available…)

At the moment it’s unclear how much actual data has been affected, and how many systems have been shut down as a proactive measure. One thing that does seem clear is that systems that haven’t been patched against MS17-010 are vulnerable to the ‘EternalBlue’ exploit from the Shadow Brokers NSA leak unless they have security software that blocks that exploit.

Being in the UK, I’m especially interested in the effect on the NHS, though I’m not in a position to tell you much about it. Here are a couple of links:

Some sources link this with Jaff, but the information I have doesn’t suggest a resemblance. ESET detects it as PDF/TrojanDropper.Agent.Q trojan – the sample I received came as an attachment called nm.pdf. Commentary by EMSISOFT. Commentary by The Register.

David Harley

Hitler Ransomware

For once, an article about Hitler that doesn’t invoke Godwin’s law.

The Register’s John Leyden describes how Hitler ‘ransomware’ offers to sell you back access to your files – but just deletes them: Sloppy code is more risible than Reich, though.

I don’t suppose this gang will finish its career in a bunker in Berlin, but I’d like to think that there is at least a prison in their future.

David Harley

Thermostat Hacking – a Hot Topic

At this year’s Def Con, Andrew Tierney and Ken Munro demonstrated how they created full-blown ransomware to take control of an unnamed brand of smart thermostat ‘and lock the user out until they paid up.’

  • Thermostat Ransomware: a lesson in IoT security. They observe that ‘Our intention was to draw attention to the poor state of security in many domestic IoT devices. Also to raise awareness in the security research community that it’s not all about software hacking. Hardware hacking is often an easier vector.’

  • Commentary by The Register: Thermostat ransomware

It’s not clear right now whether this is another aspect of the story noted by Security Week about Vulnerabilities Exposed Trane Thermostats to Remote Hacking, based on research by Jeff Kitson for Trustwave. But it sounds very similar.

David Harley

Ransomware: F-Secure looks at the ‘customer’ experience

Useful resources from F-Secure:

Commentary by The Register: Ransomware gang: How can I extort you today? Step 1. Improve customer service. Step 2.???? Step 3 PROFIT!!!

David Harley

If it’s encrypting, perhaps it’s ransomware

Researchers from the University of Florida and Villanova University suggest that ransomware can be mitigated by detecting its encrypting files early in the process:

CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data

A good idea, though some anti-malware programs already do something like this (i.e. flag programs that start encrypting files in bulk). Still a good idea, though. At The Register, Richard Chirgwin offers a round of applause:

Florida U boffins think they’ve defeated all ransomware – Crypto Drop looks for tell-tale signs that files are being encrypted
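The idea behind CryptoDrop (watching for the tell-tale signs of bulk encryption rather than matching known samples) is easy to sketch. The following is an added example written for this page, not code from the CryptoDrop researchers or from any anti-malware product. The choice of signals (a recognisable file type replaced by unrecognised bytes, the new content having near-random entropy, and a sliding window of recent writes per process), the thresholds, the process ids and the file contents are all constructed assumptions for illustration; it works on in-memory write events and never touches the real filesystem.

```python
"""Toy behavioural detector in the spirit of CryptoDrop-style heuristics.

Constructed example for illustration only. A caller feeds it write events
(process id, path, content before, content after); a process is flagged once
enough of its recent writes look like encryption: a file whose type we could
recognise is replaced by unrecognised, near-random bytes.
"""
import math
import random
from collections import Counter, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# A handful of magic-number prefixes. Losing a recognisable type is a signal,
# not proof: an archiver or a compressor can legitimately do the same thing.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/docx",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def file_type(data: bytes) -> str:
    """Very crude type guess: magic bytes, then a printable-ASCII test for text."""
    for prefix, name in MAGIC.items():
        if data.startswith(prefix):
            return name
    if data and all(32 <= b < 127 or b in b"\t\r\n" for b in data):
        return "text"
    return "unknown"


class BulkEncryptionDetector:
    """Flags a process whose recent writes repeatedly look like encryption."""

    def __init__(self, window: int = 20, threshold: int = 5, high_entropy: float = 7.0):
        self.window = window            # recent writes remembered per process
        self.threshold = threshold      # suspicious writes in the window that trigger an alert
        self.high_entropy = high_entropy  # bits/byte; random or encrypted data sits near 8
        self._recent = {}               # pid -> deque of per-write suspicious flags

    def looks_encrypted(self, before: bytes, after: bytes) -> bool:
        """One write is suspicious if the file lost its type AND became near-random.

        Requiring both keeps ordinary edits (text stays text) and re-saved archives
        (high entropy, but the zip header survives) from counting."""
        type_lost = file_type(before) != "unknown" and file_type(after) == "unknown"
        return type_lost and shannon_entropy(after) >= self.high_entropy

    def observe_write(self, pid: int, path: str, before: bytes, after: bytes) -> bool:
        """Record one write by pid; return True once pid crosses the threshold."""
        recent = self._recent.setdefault(pid, deque(maxlen=self.window))
        recent.append(self.looks_encrypted(before, after))
        return sum(recent) >= self.threshold

    def suspicious_count(self, pid: int) -> int:
        return sum(self._recent.get(pid, ()))


def simulate() -> dict:
    """Constructed scenario: a benign text editor (pid 1001) and a process that
    overwrites documents with random bytes (pid 2002, standing in for ransomware)."""
    rng = random.Random(2016)   # seeded so the run is reproducible
    det = BulkEncryptionDetector(window=20, threshold=5)
    text = b"Quarterly report: revenue up 3%, costs flat.\n" * 40
    pdf = b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 30
    results = {"editor_alerted": False, "encryptor_alert_at": None}

    # Benign: the editor keeps appending to a text file; type and entropy stay put.
    for i in range(10):
        newer = text + f"Revision {i}\n".encode()
        if det.observe_write(1001, "report.txt", text, newer):
            results["editor_alerted"] = True
        text = newer

    # Ransomware-like: each document is replaced by 4 KiB of random bytes.
    for i in range(8):
        original = pdf if i % 2 else text
        garbage = bytes(rng.getrandbits(8) for _ in range(4096))
        alerted = det.observe_write(2002, f"doc{i}", original, garbage)
        if alerted and results["encryptor_alert_at"] is None:
            results["encryptor_alert_at"] = i + 1   # alert fires on the 5th write
    return results


if __name__ == "__main__":
    print(simulate())
```

The threshold is the trade-off the article hints at: set it low and an archiver that compresses a folder of documents looks like an attacker; set it high and more files are lost before the alert fires. A real implementation would also need the write events themselves (a filesystem filter or audit hook) and the ability to suspend the offending process, neither of which this sketch attempts.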

David Harley

Ranscam: paying up won’t get your files back

Whenever I think that the various criminals behind ransomware can’t sink any lower, someone comes along and proves me wrong.

Edmund Brumaghin and Warren Mercer in a post for Talos describe a particularly vicious example of ransomware they call Ranscam, which doesn’t bother to encrypt files. It claims that the files have been moved to a ‘hidden, encrypted partition’, but in fact the malware simply deletes them, makes them as difficult as possible to recover, and then puts up a ransom demand. In fact, the criminals have no way of recovering the victim’s files: they just take the money, given the opportunity. As the authors put it:

Ranscam further justifies the importance of ensuring that you have a sound, offline backup strategy in place rather than a sound ransom payout strategy.

The Talos blog: When Paying Out Doesn’t Pay Off.

Commentary by John Leyden for The Register: Nukeware: New malware deletes files and zaps system settings – When you’ve paid up, but there’s nothing to unlock.

David Harley

Flash Player exploit -> Angler -> CryptXXX

John Leyden heralds a post apparently due to appear on the Malwarebytes site later today (25th May 2016) about a wave of malvertising exploiting the Flash Player vulnerability (CVE-2016-4117) recently addressed by Adobe, in order to direct victims to the Angler exploit kit and launch infection with the CryptXXX ransomware.

I’m guessing that we’re talking about CryptXXX 3.0, which I wrote about earlier today: CryptXXX 3.0: gang breaks own decryptor.

Worth looking out for (the article and the malware).

[Added: Malwarebytes article now published as New Wave of Malvertising Leverages Latest Flash Exploit. Jerome Segura observes:

The ads are typically clean of any malware for anyone trying to manually verify them. The JavaScript code looks benign no matter how many times you refresh the page or rotate IP address. This is because the rogue version of the JavaScript is served conditionally, with the proper referer, user-agent, sometimes even your screen resolution, and several other parameters.

Very interesting.]

David Harley

UK threat prevalence – Symantec

John Leyden for The Register has summarized Symantec’s latest Internet Security Threat Report, and focuses on UK-specific figures for threat prevalence: Spear phishers target gullible Brits more than anyone else – survey; Ransomware, 0days, malware, scams… all are up, says Symantec.

Of particular relevance to this site are the statistics for crypto ransomware attacks (up by 35% in the UK) and for tech support scams (7m attacks in 2015). Since this is described as a survey, I guess the figures are extrapolated from the surveyed population’s responses rather than from a more neutral source, but I can’t say for sure.

Ordinarily, I’d check out the report directly, but it requires registration, and I don’t really want to be bombarded with ‘commercial information’ from a competitor, so I have to be really interested before I go that far. If that doesn’t bother you, though, you can get the report via this page.

The Register also cites the report’s finding that 430 million new malware variants were discovered in 2015. I agree with Leyden that the figure is pretty meaningless, though for a slightly different reason: not because of the sheer volume of variants, but because you can’t tell from this summary what Symantec is defining as a ‘variant’.

David Harley

Macro malware countered by Group Policy

Macro malware has been back with us for some time now, and ransomware such as Locky has been taking advantage of that vector.

Microsoft has taken a significant step towards addressing the issue in the enterprise by restricting access to macros via Group Policy. Its blog article New feature in Office 2016 can block macros and help prevent infection doesn’t talk about ransomware directly, but of course it will help against other types of macro-exploiting malware too.

John Leyden’s article for The Register – Microsoft beefs up defences against Office macros menace – is also relevant, as is this Sophos commentary.

David Harley

Added to ransomware resource page…

Re KeRanger:

According to a blog article from Bitdefender, KeRanger ‘looks virtually identical to version 4 of the Linux.Encoder Trojan that has been infecting thousands of Linux servers since the beginning of 2016.’ Commentary from John Leyden for The Register: First Mac OS X ransomware actually a rewrite of Linux file scrambler – Gatekeeper nutmegged using dodgy cert. Also commented on at Mac Virus: KeRanger and Linux.Encoder.

Re Locky:

An article from March 8th 2016 by Tim Ring for SC Magazine – Locky ransomware ‘on the rampage’ globally – is focused on Locky but also collates commentary from sources such as Fortinet and McAfee about how it relates to other major families, notably CryptoWall and TeslaCrypt.

David Harley