05:00 PM
Connect Directly

Big Week For Ransomware

Inventive new variants and damaging attacks swept through the headlines this week.

What a week for ransomware. The bullish code that extorts users by locking or encrypting their files and devices has made headlines all week. In case you missed it, here's a roundup.

Israeli Electric Authority

While more information was emerging about the December attack on the electric grid in Ukraine, the Israeli energy sector tried to get in on the action, reporting an attack at the Israel Electric Authority.

Yet, the initial excitement abated when it turned out that the event was a far cry from a major blackout. According to Rob Lee of the SANS Institute, The Israel Electric Authority is just a regulatory body, and the attack was simply a ransomware infection affecting some of their 30 employees.

Lincolnshire County Council

The Register reports that a local government agency in the United Kingdom has fallen victim to a ransomware attack so widespread that it's shut the whole place down.

The unnamed ransomware took root in a computer of the Lincolnshire County Council -- which manages local services like libraries, roads, childcare, adult care, education, and vital records -- after a staff member opened a malicious email attachment.

After getting that foothoold, the malware spread and took over 300 computers. The Council told The Register their systems may not be up again until next week.

Faking SalesForce

Meanwhile, Heimdal Security has found the CryptoWall 4.0 ransomware running a new sophisticated new campaign that ships out phishing messages that appear to come from customer relationship management software giant SalesForce.

The messages use a variety of subject headings that often include the recipient's name and reference "invoices" or "contract confirmations." The payload is delivered via malicious attachments.

Heimdal researchers wrote about the CryptoWall team's history of rapidly rolling out new variants. Although version 4.0 just hit the scene in November, Heimdal posits that Cryptowall 5.0 is just around the corner, and may appear as soon as March.

New Android Ransomware

Symantec unearthed an inventive new strain of Android ransomware that uses a twist on clickjacking to trick users into executing. Lockdroid.E can both encrypt all a victim's files on the device and take full administrative control of the Android device. 

Lockdroid poses as a porn app (only available on third-party stores, not the official Google Play shop). The app tells the user it is installing a package -- displaying a message that states "please wait, unpacking the components" -- while it's actually busy encrypting all your files while you wait.

When it's done with that part of its nefarious work, Lockdroid displays a screen informing the user that the installation is complete and instructs them to click the "continue" button. Little does the user know that the screen they see is just an image overlay, and the button they're actually clicking is to "activate" the NastyDevAdmin application that gives the attacker authority to lock the screen, change the PIN, and delete files.

Symantec says nearly 67 percent of Android devices are at risk to this threat.

A Greedy New Brand

Bleeping Computer spotted another new piece of kit that breaks the usual ransomware business model. Normally, operators go for volume, distributing their code widely and setting their ransom in the modest $300 range, though Cryptowall 4.0 upped the ante to $700.

The 7ev3n ransomware has gone a different direction. So far only one victim has been seen and the demand is a payoff of 13 Bitcoin, or about $5,000.

That's not the only way 7ev3n is unique. Although the infection at the solitary victim organization spread to multiple endpoints, the initial infection was in a server, not a client device. Plus, it combines both old-school ransomware and crypto-ransomware tactics -- encrypting files and locking the entire device.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
2/2/2016 | 8:55:14 AM
Re: Remote Backup
This is indeed true. I have seen it happen and affect network shares. This is good reason to have a properly configured and tested ACL in place. Users should not have full access to all directories on the shares. This is a common configuration error made by many System Administrators. Access should be granted only to ones department to perform their job function. A full permissions audit should be made on a regular basis. 

As I have previously stated in other posts. If you encrypt your backups wheither locally or remote, they are not vulnerable to this attack.
Sara Peters
Sara Peters,
User Rank: Author
2/1/2016 | 12:22:37 PM
Re: Remote Backup
 @RyanSepe  CryptoLocker could encrypt your network drives back in its day. Fortunately, some researchers say that at least some ransomware is full of lies -- it threatens things it can't actually do.
User Rank: Ninja
1/31/2016 | 11:18:09 PM
Remote Backup
If Ransomware has taught me anything, its how important remote backups are....always backup your data. If you are in a corporate environment make sure that your data is saved to regularly backed up network drives instead of locally. Although I have heard CryptoWall 4.0 can encrypt network drives, not sure if that has been proven true.
User Rank: Ninja
1/31/2016 | 11:16:01 PM
Hidden Tear
There has been a hidden tear copycat ransomware that has emerged recently that even when payment is received the decryption key provided does not have the ability to decrypt the data. This is not due to malicious intent but rather an genuine error on the side of the attacker. I think its a .b series.
Christian Bryant
Christian Bryant,
User Rank: Ninja
1/29/2016 | 11:31:00 PM
7ev3n a Good Reminder
Bleeping Computer did a nice rundown on 7ev3n.  It's a great reminder that not all ransomware is the same, and that sometimes - at least until someone cracks the encryption model - you either have to bite the bullet and pay to get your information unlocked, or just "let it go".  Curious, though, who wrote 7ev3n and whether they're behind other ransomware out there we already know about.   
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.