Attacks/Breaches
1/7/2014
12:35 PM

Beware PowerLocker Ransomware

Chatter on underground forums traces development of Blowfish-based shakedown malware that encrypts infected PCs.

A new generation of ransomware known as PowerLocker -- aka Prison Locker -- is designed to lock PCs using uncrackable crypto.

That warning was sounded Friday by Malware Must Die, a group of self-styled anti-malware crusaders. "Malware bad actors just keep on coding and developing new threats with the stupid dream to get rich soon in their stupid heads," the group said in a blog post that detailed what they'd learned about PowerLocker's creator and about the malware's purported features and functionality.

In a Dec. 19 post to Pastebin, PowerLocker's developer said that his malware -- which was then due for imminent release -- uses the Blowfish symmetric-key block cipher to encrypt all personal data stored on a PC, and then encrypts each of those Blowfish keys with a 2048-bit RSA key. Only the holder of the matching RSA private key can unwrap the file keys, so recovering the data means obtaining that private key, not breaking Blowfish.

"A unique BlowFish key is generated for each file. That BlowFish key is then encrypted with an RSA key specific to the PC, then the RSA block is stored with the file to be decrypted later," said PowerLocker's developer, who uses the handle "gyx."

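The envelope scheme gyx describes, written out as an added example (this is not PowerLocker's code and nothing from the Pastebin post or the sample). It uses only the Go standard library, so Blowfish is swapped for AES-256-GCM; the structure is identical: a fresh symmetric key per file, wrapped with the victim-specific RSA-2048 public key, stored in front of the ciphertext. The record layout, key sizes and function names are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const (
	fileKeyLen = 32 // AES-256 key; one fresh key per file (Blowfish in the real scheme)
	nonceLen   = 12 // standard AES-GCM nonce size
)

// newVictimKey makes the per-PC RSA-2048 keypair. The public half would ship
// inside the bot; the private half never leaves the operator.
func newVictimKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// sealRecord encrypts one file: fresh symmetric key, wrapped with the victim's RSA
// public key, stored ahead of the ciphertext so the operator can unwrap it later.
// Hypothetical layout: [2-byte wrapped-key length][wrapped key][nonce][ciphertext||tag]
func sealRecord(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, fileKeyLen)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	// OAEP rather than PKCS#1 v1.5 padding, so the wrapped key is not malleable.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	var out bytes.Buffer
	binary.Write(&out, binary.BigEndian, uint16(len(wrapped)))
	out.Write(wrapped)
	out.Write(nonce)
	out.Write(gcm.Seal(nil, nonce, plaintext, nil))
	return out.Bytes(), nil
}

// openRecord is the operator-side decryptor. Without the matching private key the
// unwrap step fails, and with it the per-file key and the file are gone.
func openRecord(priv *rsa.PrivateKey, record []byte) ([]byte, error) {
	if len(record) < 2 {
		return nil, errors.New("truncated record")
	}
	n := int(binary.BigEndian.Uint16(record[:2]))
	if len(record) < 2+n+nonceLen {
		return nil, errors.New("truncated record")
	}
	wrapped := record[2 : 2+n]
	nonce := record[2+n : 2+n+nonceLen]
	ct := record[2+n+nonceLen:]
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	victim, err := newVictimKey()
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample: index of a family photo album") // constructed input
	record, _ := sealRecord(&victim.PublicKey, doc)
	got, err := openRecord(victim, record)
	fmt.Printf("operator decrypt: %q err=%v\n", got, err)

	// An analyst holding the bot (public key only) plus the encrypted record is stuck.
	stranger, _ := newVictimKey()
	_, err = openRecord(stranger, record)
	fmt.Println("decrypt with the wrong private key:", err)
}
```

The point for defenders is in the last three lines: reverse engineering the sample yields the public key, which is useless for decryption, so a victim's options are the operator's private key or an offline backup.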

Advertised PowerLocker features also include a customizable length of time before the bot uninstalls itself, the ability to customize the name and location of the malware file dropped during the infection, and the amount of money demanded by the ransomware before the data will be decrypted. Users -- meaning attackers -- can receive related payments via Bitcoin e-voucher codes as well as Ukash and Paysafe. "The bot has an HTTP panel which will be used to control slaves and receive payment codes entered by slaves," said the developer. "You can either approve or deny -- resetting the removal clock duration, specified by you during purchase -- a payment code, and then unlock/decrypt files on the PC -- identified by its IP."

PowerLocker costs $100, payable in bitcoins, while future upgrades -- or "rebuilds" -- will cost $25. Finally, a "ghost panel" -- referring to an innocuous-looking access panel that can be used to disguise the underlying malicious infrastructure on a server -- will cost $20.

PowerLocker's 'Ghost Panel.'

Malware Must Die said that by publicizing the intelligence it's gathered on PowerLocker and its developer, it's not trying to stoke ransomware fear, uncertainty, and doubt. Rather, the group hopes that multiple law enforcement agencies and national computer emergency response teams will launch related investigations and nip PowerLocker sales in the bud. "If released... this will be more [of a] headache for researchers, industry and LEA -- law enforcement agencies," the group warned, "so after [an] internal meeting we decided to disclose it."

Indeed, PowerLocker's play is to offer low-cost ransomware attacks for the cybercrime masses. For comparison purposes -- as noted by Ars Technica -- previous types of ransomware largely appear to have been developed by a particular gang and used only by that gang.

Many previous types of ransomware have also leaned heavily on scare tactics and social engineering -- aka trickery -- but they have not necessarily been difficult to defeat using anti-malware software. The Reveton malware, for example, may flash a "Threat of Prosecution Reminder" on the screen of an infected PC saying that the system has been locked after attempts to access child pornography or other illegal content were detected. But if the user agrees to pay a fine, typically in bitcoins or another virtual currency, the malware promises that the whole matter will be dropped. The malware may also be localized so that the warning is labeled as coming from a relevant law enforcement agency -- for example, from the FBI for US-based targets.

Who would fall for such a scam? According to warnings issued by government agencies in the United States and abroad, law enforcement agencies have been besieged by complaints about the malware as well as confessions from consumers who have paid up. Last year, even one Massachusetts police department reportedly paid a related ransom to get its encrypted data back.


Comments
JHOLSEN641
User Rank: Apprentice
1/9/2014 | 1:58:06 PM
Re: Ransomware targets?
I spoke with a small business owner over the holidays who got hit by one of these. They back up once each day, but the malware hit right before a major backup. Their IT guy looked it over and said it would actually be cheaper and less risky to just pay the ransom -- and so they did.

So there's an example of who pays and why. However, I don't think any type of targeting is done. That would require work. Instead, they try to hit everyone through system vulnerabilities, mass emails, etc.

Mathew
User Rank: Apprentice
1/8/2014 | 6:17:45 AM
Re: Ransomware targets?
Who's paying these ransomware threats? I'm not aware of any psychological studies (i.e. who's most at risk), but as noted in the story, at least one police department, and no doubt anyone else who doesn't mind coughing up $200 or whatever it costs to make the problem go away are likely payers.

Like a lot of scams, criminals use a shotgun approach, and hit as many people as possible -- young, old, and everywhere in between. If even a fraction of these victims pay, then the attackers hit payday.

Of course, ransomware has that added wrinkle that people's personal data -- photos, emails, documents -- might get deleted unless they pay. In addition, PowerLocker's creator touted the ability to lock the PC, disabling the Windows Task Manager, control-alt-delete, or any attempt to hide the ransom screen. Simply being able to use their PC again would likely scare a lot of people into paying up.

Mathew
User Rank: Apprentice
1/8/2014 | 6:16:05 AM
Re: Ransomware targets?
Great tip, which applies regardless of device or platform (i.e. desktop, laptop, or mobile device -- especially Androids). One feature being touted by PowerLocker's developer, notably, is the ability to encrypt not only a PC hard drive, but also connected devices, meaning that any attached backup drives might also get encrypted (and the unencrypted personal data then deleted).

Lorna Garey
User Rank: Ninja
1/7/2014 | 5:50:18 PM
Re: Ransomware targets?
I just had a discussion over the holidays with an older relative who is a gifted amateur photographer. He doesn't upload his photos to Picasa or any other cloud service. He has a big box of thumb drives, but mostly, they're on a PC that's probably running XP. It was a bit terrifying.
Thomas Claburn
User Rank: Strategist
1/7/2014 | 4:09:03 PM
Re: Ransomware targets?
This is another reason to maintain multiple disk backups, some of which are off-network and offsite.
Laurianne
User Rank: Apprentice
1/7/2014 | 3:01:12 PM
Ransomware targets?
Lorna Garey raised a good point recently: Who actually pays ransomware threats? Mat, are they targeting a specific type of user? For instance, preying on older users as many phish scams do?