Attacks/Breaches
1/7/2014 12:35 PM

Beware PowerLocker Ransomware

Chatter on underground forums traces development of Blowfish-based shakedown malware that encrypts infected PCs.

A new generation of ransomware known as PowerLocker -- aka Prison Locker -- is designed to lock PCs using uncrackable crypto.

That warning was sounded Friday by Malware Must Die, a group of self-styled anti-malware crusaders. "Malware bad actors just keep on coding and developing new threats with the stupid dream to get rich soon in their stupid heads," the group said in a blog post that detailed what they'd learned about PowerLocker's creator and about the malware's purported features and functionality.

In a Dec. 19 post to Pastebin, PowerLocker's developer said that his malware -- which was then due for imminent release -- used the Blowfish symmetric-key block cipher to encrypt all personal data stored on a PC, and then encrypted the per-file Blowfish keys using 2048-bit RSA.

"A unique BlowFish key is generated for each file. That BlowFish key is then encrypted with an RSA key specific to the PC, then the RSA block is stored with the file to be decrypted later," said PowerLocker's developer, who uses the handle "gyx."

Advertised PowerLocker features also include a customizable length of time before the bot uninstalls itself, the ability to customize the name and location of the malware file dropped during the infection, and the amount of money demanded by the ransomware before the data will be decrypted. Users -- meaning attackers -- can receive related payments via Bitcoin e-voucher codes as well as Ukash and Paysafe. "The bot has an HTTP panel which will be used to control slaves and receive payment codes entered by slaves," said the developer. "You can either approve or deny -- resetting the removal clock duration, specified by you during purchase -- a payment code, and then unlock/decrypt files on the PC -- identified by its IP."

PowerLocker costs $100, payable in bitcoins, while future upgrades -- or "rebuilds" -- will cost $25. Finally, a "ghost panel" -- referring to an innocuous-looking access panel that can be used to disguise the underlying malicious infrastructure on a server -- will cost $20.

PowerLocker's 'Ghost Panel.'

Malware Must Die said that by publicizing the intelligence it's gathered on PowerLocker and its developer, it's not trying to stoke ransomware fear, uncertainty, and doubt. Rather, the group hopes that multiple law enforcement agencies and national computer emergency response teams will launch related investigations and nip PowerLocker sales in the bud. "If released... this will be more [of a] headache for researchers, industry and LEA -- law enforcement agencies," the group warned, "so after [an] internal meeting we decided to disclose it."

Indeed, PowerLocker's play is to offer low-cost ransomware attacks for the cybercrime masses. For comparison purposes -- as noted by Ars Technica -- previous types of ransomware largely appear to have been developed by a particular gang and used only by that gang.

Many previous types of ransomware have also been heavy on scare and social engineering -- aka trickery -- tactics, but they have not necessarily been difficult to defeat using anti-malware software. The Reveton malware, for example, may flash a "Threat of Prosecution Reminder" on the screen of an infected PC, telling the user that the system has been locked because attempts to access child pornography or other illegal content were detected. But if the user agrees to pay a fine, typically in bitcoins or another virtual currency, the malware promises that the whole matter will be dropped. The malware may also be localized so that the warning is labeled as being from a relevant law enforcement agency -- for example, from the FBI for US-based targets.

Who would fall for such a scam? According to warnings issued by government agencies in the United States and abroad, law enforcement agencies have been besieged by complaints about the malware as well as confessions from consumers who have paid up. Last year, even one Massachusetts police department reportedly paid a related ransom to get its encrypted data back.

Comments
JHOLSEN641, User Rank: Apprentice, 1/9/2014 | 1:58:06 PM
Re: Ransomware targets?
I spoke with a small business owner over the holidays who got hit by one of these. They back up once each day, but the malware hit right before a major backup. Their IT guy looked it over and said it would actually be cheaper and less risky to just pay the ransom -- and so they did.

So there's an example of who pays and why. However, I don't think any type of targeting is done. That would require work. Instead, they try to hit everyone through system vulnerabilities, mass emails, etc.

Mathew, User Rank: Apprentice, 1/8/2014 | 6:17:45 AM
Re: Ransomware targets?

Who's paying these ransomware threats? I'm not aware of any psychological studies (i.e. who's most at risk), but as noted in the story, at least one police department, and no doubt anyone else who doesn't mind coughing up $200 or whatever it costs to make the problem go away are likely payers.

Like a lot of scams, criminals use a shotgun approach, and hit as many people as possible -- young, old, and everywhere in between. If even a fraction of these victims pay, then the attackers hit payday.

Of course, ransomware has that added wrinkle that people's personal data -- photos, emails, documents -- might get deleted, unless they pay. In addition, PowerLocker's creator touted the ability to lock the PC, disabling the Windows Task Manager, the use of control-alt-delete, or any attempt to hide the ransom screen. Simply being able to use their PC again would likely scare a lot of people into paying up.

Mathew, User Rank: Apprentice, 1/8/2014 | 6:16:05 AM
Re: Ransomware targets?

Great tip, which applies regardless of device or platform (i.e. desktop, laptop, or mobile device -- especially Androids). One feature being touted by PowerLocker's developer, notably, is the ability to encrypt not only a PC hard drive, but also connected devices, meaning that any attached backup drives might also get encrypted (and the unencrypted personal data then deleted).

Lorna Garey, User Rank: Ninja, 1/7/2014 | 5:50:18 PM
Re: Ransomware targets?
I just had a discussion over the holidays with an older relative who is a gifted amateur photographer. He doesn't upload his photos to Picasa or any other cloud service. He has a big box of thumb drives, but mostly, they're on a PC that's probably running XP. It was a bit terrifying.
Thomas Claburn, User Rank: Moderator, 1/7/2014 | 4:09:03 PM
Re: Ransomware targets?
This is another reason to maintain multiple disk backups, some of which are off-network and offsite.
Laurianne, User Rank: Apprentice, 1/7/2014 | 3:01:12 PM
Ransomware targets?
Lorna Garey raised a good point recently: Who actually pays ransomware threats? Mat, are they targeting a specific type of user? For instance, preying on older users as many phish scams do?