Endpoint

1/28/2016
05:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Big Week For Ransomware

Inventive new variants and damaging attacks swept through the headlines this week.

What a week for ransomware. The bullish code that extorts users by locking or encrypting their files and devices has made headlines all week. In case you missed it, here's a roundup.

Israeli Electric Authority

While more information was emerging about the December attack on the electric grid in Ukraine, the Israeli energy sector tried to get in on the action, reporting an attack at the Israel Electric Authority.

Yet, the initial excitement abated when it turned out that the event was a far cry from a major blackout. According to Rob Lee of the SANS Institute, The Israel Electric Authority is just a regulatory body, and the attack was simply a ransomware infection affecting some of their 30 employees.

Lincolnshire County Council

The Register reports that a local government agency in the United Kingdom has fallen victim to a ransomware attack so widespread that it's shut the whole place down.

The unnamed ransomware took root in a computer of the Lincolnshire County Council -- which manages local services like libraries, roads, childcare, adult care, education, and vital records -- after a staff member opened a malicious email attachment.

After getting that foothoold, the malware spread and took over 300 computers. The Council told The Register their systems may not be up again until next week.

Faking SalesForce

Meanwhile, Heimdal Security has found the CryptoWall 4.0 ransomware running a new sophisticated new campaign that ships out phishing messages that appear to come from customer relationship management software giant SalesForce.

The messages use a variety of subject headings that often include the recipient's name and reference "invoices" or "contract confirmations." The payload is delivered via malicious attachments.

Heimdal researchers wrote about the CryptoWall team's history of rapidly rolling out new variants. Although version 4.0 just hit the scene in November, Heimdal posits that Cryptowall 5.0 is just around the corner, and may appear as soon as March.

New Android Ransomware

Symantec unearthed an inventive new strain of Android ransomware that uses a twist on clickjacking to trick users into executing. Lockdroid.E can both encrypt all a victim's files on the device and take full administrative control of the Android device. 

Lockdroid poses as a porn app (only available on third-party stores, not the official Google Play shop). The app tells the user it is installing a package -- displaying a message that states "please wait, unpacking the components" -- while it's actually busy encrypting all your files while you wait.

When it's done with that part of its nefarious work, Lockdroid displays a screen informing the user that the installation is complete and instructs them to click the "continue" button. Little does the user know that the screen they see is just an image overlay, and the button they're actually clicking is to "activate" the NastyDevAdmin application that gives the attacker authority to lock the screen, change the PIN, and delete files.

Symantec says nearly 67 percent of Android devices are at risk to this threat.

A Greedy New Brand

Bleeping Computer spotted another new piece of kit that breaks the usual ransomware business model. Normally, operators go for volume, distributing their code widely and setting their ransom in the modest $300 range, though Cryptowall 4.0 upped the ante to $700.

The 7ev3n ransomware has gone a different direction. So far only one victim has been seen and the demand is a payoff of 13 Bitcoin, or about $5,000.

That's not the only way 7ev3n is unique. Although the infection at the solitary victim organization spread to multiple endpoints, the initial infection was in a server, not a client device. Plus, it combines both old-school ransomware and crypto-ransomware tactics -- encrypting files and locking the entire device.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
theb0x
100%
0%
theb0x,
User Rank: Ninja
2/2/2016 | 8:55:14 AM
Re: Remote Backup
This is indeed true. I have seen it happen and affect network shares. This is good reason to have a properly configured and tested ACL in place. Users should not have full access to all directories on the shares. This is a common configuration error made by many System Administrators. Access should be granted only to ones department to perform their job function. A full permissions audit should be made on a regular basis. 

As I have previously stated in other posts. If you encrypt your backups wheither locally or remote, they are not vulnerable to this attack.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
2/1/2016 | 12:22:37 PM
Re: Remote Backup
 @RyanSepe  CryptoLocker could encrypt your network drives back in its day. Fortunately, some researchers say that at least some ransomware is full of lies -- it threatens things it can't actually do.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
1/31/2016 | 11:18:09 PM
Remote Backup
If Ransomware has taught me anything, its how important remote backups are....always backup your data. If you are in a corporate environment make sure that your data is saved to regularly backed up network drives instead of locally. Although I have heard CryptoWall 4.0 can encrypt network drives, not sure if that has been proven true.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
1/31/2016 | 11:16:01 PM
Hidden Tear
There has been a hidden tear copycat ransomware that has emerged recently that even when payment is received the decryption key provided does not have the ability to decrypt the data. This is not due to malicious intent but rather an genuine error on the side of the attacker. I think its a .b series.
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
1/29/2016 | 11:31:00 PM
7ev3n a Good Reminder
Bleeping Computer did a nice rundown on 7ev3n.  It's a great reminder that not all ransomware is the same, and that sometimes - at least until someone cracks the encryption model - you either have to bite the bullet and pay to get your information unlocked, or just "let it go".  Curious, though, who wrote 7ev3n and whether they're behind other ransomware out there we already know about.   
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11506
PUBLISHED: 2019-04-24
In GraphicsMagick from version 1.3.30 to 1.4 snapshot-20190403 Q8, there is a heap-based buffer overflow in the function WriteMATLABImage of coders/mat.c, which allows an attacker to cause a denial of service or possibly have unspecified other impact via a crafted image file. This is related to Expo...
CVE-2019-8991
PUBLISHED: 2019-04-24
The administrator web interface of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO Silver Fabric Enabler for ActiveMatrix BPM, and TIB...
CVE-2019-8992
PUBLISHED: 2019-04-24
The administrative server component of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO ActiveMatrix Service Grid Distribution for TIBC...
CVE-2019-8993
PUBLISHED: 2019-04-24
The administrative web server component of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO ActiveMatrix Service Grid Distribution for ...
CVE-2019-8994
PUBLISHED: 2019-04-24
The workspace client of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM contains vulnerabilities where an authenticated user can change settings that can theoretically adversely impact oth...