News
6/5/2014
02:15 PM
Simplocker: First-Ever Data-Encrypting Ransomware For Android

ESET has discovered the first Android ransomware that doesn't just lock screens, but encrypts files.

While all earlier ransomware for Android devices had worked by locking a device's screen, this weekend researchers at ESET spotted Simplocker, a new piece of Android malware that holds individual files for ransom by encrypting them. The researchers believe that the version they've seen is just a work in progress, because, although some of the attack techniques are rather sophisticated, the encryption itself is not.

"It's quite contradictory," says Robert Lipovsky, security intelligence team lead at ESET.

Simplocker scans the device's SD card for a wide variety of documents (including images, photos, PDFs, and Word docs). It encrypts those files and then issues this ransom note (translated from Russian):

WARNING your phone is locked!
The device is locked for viewing and distribution child pornography, zoophilia and other perversions.
To unlock you need to pay 260 UAH.
1. Locate the nearest payment kiosk.
2. Select MoneXy.
3. Enter
[REDACTED].
4. Make deposit of 260 Hryvnia, and then press pay.
Do not forget to take a receipt!
After payment your device will be unlocked within 24 hours.
In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!
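The article describes Simplocker encrypting documents on the SD card in place. A check a defender would want is one that notices mass encryption after the fact: files whose extension promises a known format but whose contents no longer carry that format's header and look like ciphertext (near-maximal byte entropy). The Python below is an added example written for this article, not ESET's code and not anything taken from the malware; the magic-byte table, the entropy and alert thresholds, and the sample files are all constructed for the demonstration.

```python
import math
import random
from collections import Counter
from typing import Dict, Optional

# Constructed table of file signatures for the document types the article says
# Simplocker targets (images, PDFs, Word documents). Not exhaustive.
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".pdf": [b"%PDF-"],
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound document
    ".docx": [b"PK\x03\x04"],                          # OOXML is a ZIP container
}

ENTROPY_THRESHOLD = 7.5  # bits per byte; block-cipher output sits close to 8.0
ALERT_RATIO = 0.3        # constructed: fraction of monitored files that triggers an alert


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def magic_matches(name: str, data: bytes) -> Optional[bool]:
    """True/False if the extension is monitored and the header does/does not match; None otherwise."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    sigs = MAGIC.get(ext)
    if sigs is None:
        return None
    return any(data.startswith(s) for s in sigs)


def classify(name: str, data: bytes) -> str:
    """ok: header matches. suspicious: header gone and content looks like ciphertext.
    mismatch: header gone but low entropy (renamed or corrupt, not encrypted)."""
    match = magic_matches(name, data)
    if match is None:
        return "unmonitored"
    if match:
        return "ok"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "suspicious"
    return "mismatch"


def scan(files: Dict[str, bytes], alert_ratio: float = ALERT_RATIO) -> dict:
    """Classify every file and raise an alert when enough monitored files look encrypted."""
    verdicts = {name: classify(name, data) for name, data in files.items()}
    monitored = [v for v in verdicts.values() if v != "unmonitored"]
    suspicious = sum(1 for v in monitored if v == "suspicious")
    ratio = suspicious / len(monitored) if monitored else 0.0
    return {"verdicts": verdicts, "suspicious": suspicious,
            "monitored": len(monitored), "alert": ratio >= alert_ratio}


# Constructed sample "SD card": intact documents, three files overwritten with
# ciphertext-like random bytes, one renamed text file, and one unmonitored type.
_rng = random.Random(1)


def _noise(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLE_FILES = {
    "IMG_0001.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(64),
    "report.pdf": b"%PDF-1.4\n" + b"1 0 obj\n" * 20,
    "notes.docx": b"PK\x03\x04" + bytes(100),
    "photo.png": _noise(4096),     # encrypted in place: PNG header gone
    "scan.pdf": _noise(4096),      # encrypted in place
    "cv.doc": _noise(4096),        # encrypted in place
    "holiday.jpg": b"just a renamed text file\n" * 40,  # wrong type, low entropy
    "music.mp3": _noise(512),      # extension not in the monitored table
}


def demo() -> dict:
    return scan(SAMPLE_FILES)


if __name__ == "__main__":
    result = demo()
    for name, verdict in result["verdicts"].items():
        print(f"{name:14s} {verdict}")
    print("alert:", result["alert"])
```

To use it on a real directory, feed `scan()` a mapping from path to the first few kilobytes of each file rather than `SAMPLE_FILES`. The separate "mismatch" verdict keeps renamed or truncated files from counting toward the alert, so only the high-entropy, header-less case (what in-place file encryption leaves behind) drives it.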

On one hand, explains Lipovsky, Simplocker uses basic AES encryption, which is not very impressive alongside the double-encryption used by CryptoLocker. On the other hand, it uses a variety of techniques to protect the attacker's identity that Lipovsky says are relatively uncommon.

For example, the attack demands that payment be made via MoneXy, which is not as traceable as credit card activity.

Further, the command-and-control server is hosted on a Tor onion domain.

Simplocker also sends identifiable information about the device (model, operating system, manufacturer) back to the C&C server, but Lipovsky says that he has seen no evidence that would indicate the malware would export personally identifiable information about the user.

Given that the message is written in Russian and demands payment in Ukrainian currency, it is safe to assume that Simplocker is aimed at that region. Although recent research elsewhere has found that malware activity in this region spiked at the height of the geopolitical conflict between Russia and Ukraine, Lipovsky will not speculate on whether Simplocker is at all politically motivated.

Although the ransom note states that the device has been locked because it was used to view or distribute "child pornography, zoophilia, and other perversions," Lipovsky would not categorize Simplocker as "police ransomware," exactly. The ransom does not actually claim to come from law enforcement or include any police force logos.

The ransom requested, 260 UAH, equals roughly US$21. Lipovsky does not have an estimate of how many people have paid the ransom thus far, but since the malware is "quite fresh," it is probably quite a small number.

Ransomware has been a hot topic lately. Two weeks ago, more than 90 people were arrested for their connection to the Blackshades remote access toolkit, which contains ransomware. Monday, the US Department of Justice announced a major international effort to disrupt the Gameover Zeus botnet, which is often used in tandem with the CryptoLocker ransomware. CryptoLocker is well known partly for its association with Gameover Zeus and partly because it encrypts files twice with two different encryption algorithms.

"CryptoLocker is quite sophisticated," says Lipovsky, "but it is still a bit overhyped."

Lipovsky says that ransomware wouldn't be as big a deal if people just kept better backups.

For more information about ransomware, listen to yesterday's episode of Dark Reading Radio, "Pay Up Or Never See Your Data Again: Ransomware Raises The Stakes," with DarkReading's executive editor Kelly Jackson-Higgins and Lance James, head of cyber intelligence at Deloitte & Touche.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Christian Bryant
User Rank: Ninja
6/8/2014 | 10:47:32 AM
End of the Local Storage Era
Beyond the obvious common sense avoidance strategies like being careful what you install, what links you click, what attachments you open, etcetera, I think this wave of ransomware signals the beginning of an era I've always assumed we'd reach - the end of local storage; not DVDs/USB and the like, but the internal hard drive.

With data stored persistently across dozens of nodes, encrypted and protected by distinct separate networks, ransomware would be ineffective outside of the initial locking up of your device - easily cured by executing a factory reset, which should be made easier and part of external options as we move forward to a cloud-based storage scheme.

Yes, there are a host of things "difficult" with a completely cloud storage architecture, especially network outages that block you from nodes. Drawing board time is needed...