05:00 PM
Connect Directly

Big Week For Ransomware

Inventive new variants and damaging attacks swept through the headlines this week.

What a week for ransomware. The bullish code that extorts users by locking or encrypting their files and devices has made headlines all week. In case you missed it, here's a roundup.

Israeli Electric Authority

While more information was emerging about the December attack on the electric grid in Ukraine, the Israeli energy sector tried to get in on the action, reporting an attack at the Israel Electric Authority.

Yet, the initial excitement abated when it turned out that the event was a far cry from a major blackout. According to Rob Lee of the SANS Institute, The Israel Electric Authority is just a regulatory body, and the attack was simply a ransomware infection affecting some of their 30 employees.

Lincolnshire County Council

The Register reports that a local government agency in the United Kingdom has fallen victim to a ransomware attack so widespread that it's shut the whole place down.

The unnamed ransomware took root in a computer of the Lincolnshire County Council -- which manages local services like libraries, roads, childcare, adult care, education, and vital records -- after a staff member opened a malicious email attachment.

After getting that foothoold, the malware spread and took over 300 computers. The Council told The Register their systems may not be up again until next week.

Faking SalesForce

Meanwhile, Heimdal Security has found the CryptoWall 4.0 ransomware running a new sophisticated new campaign that ships out phishing messages that appear to come from customer relationship management software giant SalesForce.

The messages use a variety of subject headings that often include the recipient's name and reference "invoices" or "contract confirmations." The payload is delivered via malicious attachments.

Heimdal researchers wrote about the CryptoWall team's history of rapidly rolling out new variants. Although version 4.0 just hit the scene in November, Heimdal posits that Cryptowall 5.0 is just around the corner, and may appear as soon as March.

New Android Ransomware

Symantec unearthed an inventive new strain of Android ransomware that uses a twist on clickjacking to trick users into executing. Lockdroid.E can both encrypt all a victim's files on the device and take full administrative control of the Android device. 

Lockdroid poses as a porn app (only available on third-party stores, not the official Google Play shop). The app tells the user it is installing a package -- displaying a message that states "please wait, unpacking the components" -- while it's actually busy encrypting all your files while you wait.

When it's done with that part of its nefarious work, Lockdroid displays a screen informing the user that the installation is complete and instructs them to click the "continue" button. Little does the user know that the screen they see is just an image overlay, and the button they're actually clicking is to "activate" the NastyDevAdmin application that gives the attacker authority to lock the screen, change the PIN, and delete files.

Symantec says nearly 67 percent of Android devices are at risk to this threat.

A Greedy New Brand

Bleeping Computer spotted another new piece of kit that breaks the usual ransomware business model. Normally, operators go for volume, distributing their code widely and setting their ransom in the modest $300 range, though Cryptowall 4.0 upped the ante to $700.

The 7ev3n ransomware has gone a different direction. So far only one victim has been seen and the demand is a payoff of 13 Bitcoin, or about $5,000.

That's not the only way 7ev3n is unique. Although the infection at the solitary victim organization spread to multiple endpoints, the initial infection was in a server, not a client device. Plus, it combines both old-school ransomware and crypto-ransomware tactics -- encrypting files and locking the entire device.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
2/2/2016 | 8:55:14 AM
Re: Remote Backup
This is indeed true. I have seen it happen and affect network shares. This is good reason to have a properly configured and tested ACL in place. Users should not have full access to all directories on the shares. This is a common configuration error made by many System Administrators. Access should be granted only to ones department to perform their job function. A full permissions audit should be made on a regular basis. 

As I have previously stated in other posts. If you encrypt your backups wheither locally or remote, they are not vulnerable to this attack.
Sara Peters
Sara Peters,
User Rank: Author
2/1/2016 | 12:22:37 PM
Re: Remote Backup
 @RyanSepe  CryptoLocker could encrypt your network drives back in its day. Fortunately, some researchers say that at least some ransomware is full of lies -- it threatens things it can't actually do.
User Rank: Ninja
1/31/2016 | 11:18:09 PM
Remote Backup
If Ransomware has taught me anything, its how important remote backups are....always backup your data. If you are in a corporate environment make sure that your data is saved to regularly backed up network drives instead of locally. Although I have heard CryptoWall 4.0 can encrypt network drives, not sure if that has been proven true.
User Rank: Ninja
1/31/2016 | 11:16:01 PM
Hidden Tear
There has been a hidden tear copycat ransomware that has emerged recently that even when payment is received the decryption key provided does not have the ability to decrypt the data. This is not due to malicious intent but rather an genuine error on the side of the attacker. I think its a .b series.
User Rank: Ninja
1/29/2016 | 11:31:00 PM
7ev3n a Good Reminder
Bleeping Computer did a nice rundown on 7ev3n.  It's a great reminder that not all ransomware is the same, and that sometimes - at least until someone cracks the encryption model - you either have to bite the bullet and pay to get your information unlocked, or just "let it go".  Curious, though, who wrote 7ev3n and whether they're behind other ransomware out there we already know about.   
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-02-16
Themerig Find a Place CMS Directory 1.5 has SQL Injection via the find/assets/external/data_2.php cate parameter.
PUBLISHED: 2019-02-16
PHP Scripts Mall Responsive Video News Script has XSS via the Search Bar. This might, for example, be leveraged for HTML injection or URL redirection.
PUBLISHED: 2019-02-16
DedeCMS through V5.7SP2 allows arbitrary file upload in dede/album_edit.php or dede/album_add.php, as demonstrated by a dede/album_edit.php?dopost=save&formzip=1 request with a ZIP archive that contains a file such as "1.jpg.php" (because input validation only checks that .jpg, .png, o...
PUBLISHED: 2019-02-16
Verydows 2.0 has XSS via the index.php?c=main a parameter, as demonstrated by an a=index[XSS] value.
PUBLISHED: 2019-02-16
In Hiawatha before 10.8.4, a remote attacker is able to do directory traversal if AllowDotFiles is enabled.