Endpoint
1/28/2016
05:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Big Week For Ransomware

Inventive new variants and damaging attacks swept through the headlines this week.

What a week for ransomware. The bullish code that extorts users by locking or encrypting their files and devices has made headlines all week. In case you missed it, here's a roundup.

Israeli Electric Authority

While more information was emerging about the December attack on the electric grid in Ukraine, the Israeli energy sector tried to get in on the action, reporting an attack at the Israel Electric Authority.

Yet, the initial excitement abated when it turned out that the event was a far cry from a major blackout. According to Rob Lee of the SANS Institute, The Israel Electric Authority is just a regulatory body, and the attack was simply a ransomware infection affecting some of their 30 employees.

Lincolnshire County Council

The Register reports that a local government agency in the United Kingdom has fallen victim to a ransomware attack so widespread that it's shut the whole place down.

The unnamed ransomware took root in a computer of the Lincolnshire County Council -- which manages local services like libraries, roads, childcare, adult care, education, and vital records -- after a staff member opened a malicious email attachment.

After getting that foothoold, the malware spread and took over 300 computers. The Council told The Register their systems may not be up again until next week.

Faking SalesForce

Meanwhile, Heimdal Security has found the CryptoWall 4.0 ransomware running a new sophisticated new campaign that ships out phishing messages that appear to come from customer relationship management software giant SalesForce.

The messages use a variety of subject headings that often include the recipient's name and reference "invoices" or "contract confirmations." The payload is delivered via malicious attachments.

Heimdal researchers wrote about the CryptoWall team's history of rapidly rolling out new variants. Although version 4.0 just hit the scene in November, Heimdal posits that Cryptowall 5.0 is just around the corner, and may appear as soon as March.

New Android Ransomware

Symantec unearthed an inventive new strain of Android ransomware that uses a twist on clickjacking to trick users into executing. Lockdroid.E can both encrypt all a victim's files on the device and take full administrative control of the Android device. 

Lockdroid poses as a porn app (only available on third-party stores, not the official Google Play shop). The app tells the user it is installing a package -- displaying a message that states "please wait, unpacking the components" -- while it's actually busy encrypting all your files while you wait.

When it's done with that part of its nefarious work, Lockdroid displays a screen informing the user that the installation is complete and instructs them to click the "continue" button. Little does the user know that the screen they see is just an image overlay, and the button they're actually clicking is to "activate" the NastyDevAdmin application that gives the attacker authority to lock the screen, change the PIN, and delete files.

Symantec says nearly 67 percent of Android devices are at risk to this threat.

A Greedy New Brand

Bleeping Computer spotted another new piece of kit that breaks the usual ransomware business model. Normally, operators go for volume, distributing their code widely and setting their ransom in the modest $300 range, though Cryptowall 4.0 upped the ante to $700.

The 7ev3n ransomware has gone a different direction. So far only one victim has been seen and the demand is a payoff of 13 Bitcoin, or about $5,000.

That's not the only way 7ev3n is unique. Although the infection at the solitary victim organization spread to multiple endpoints, the initial infection was in a server, not a client device. Plus, it combines both old-school ransomware and crypto-ransomware tactics -- encrypting files and locking the entire device.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
theb0x
100%
0%
theb0x,
User Rank: Ninja
2/2/2016 | 8:55:14 AM
Re: Remote Backup
This is indeed true. I have seen it happen and affect network shares. This is good reason to have a properly configured and tested ACL in place. Users should not have full access to all directories on the shares. This is a common configuration error made by many System Administrators. Access should be granted only to ones department to perform their job function. A full permissions audit should be made on a regular basis. 

As I have previously stated in other posts. If you encrypt your backups wheither locally or remote, they are not vulnerable to this attack.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
2/1/2016 | 12:22:37 PM
Re: Remote Backup
 @RyanSepe  CryptoLocker could encrypt your network drives back in its day. Fortunately, some researchers say that at least some ransomware is full of lies -- it threatens things it can't actually do.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
1/31/2016 | 11:18:09 PM
Remote Backup
If Ransomware has taught me anything, its how important remote backups are....always backup your data. If you are in a corporate environment make sure that your data is saved to regularly backed up network drives instead of locally. Although I have heard CryptoWall 4.0 can encrypt network drives, not sure if that has been proven true.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
1/31/2016 | 11:16:01 PM
Hidden Tear
There has been a hidden tear copycat ransomware that has emerged recently that even when payment is received the decryption key provided does not have the ability to decrypt the data. This is not due to malicious intent but rather an genuine error on the side of the attacker. I think its a .b series.
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
1/29/2016 | 11:31:00 PM
7ev3n a Good Reminder
Bleeping Computer did a nice rundown on 7ev3n.  It's a great reminder that not all ransomware is the same, and that sometimes - at least until someone cracks the encryption model - you either have to bite the bullet and pay to get your information unlocked, or just "let it go".  Curious, though, who wrote 7ev3n and whether they're behind other ransomware out there we already know about.   
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How To Build An Effective Defense Against Ransomware
A compendium of Dark Reading´s best recent coverage of ransomware attacks, as well as best practices for defending your enterprise against them.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Tim Wilson speaks to two experts on vulnerability research – independent consultant Jeremiah Grossman and Black Duck Software’s Mike Pittenger – about the latest wave of vulnerabilities being exploited by online attackers