Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/13/2015
06:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Hackers Breaking New Ground With Ransomware

The tools and tactics being used to go after victims reveal growing sophistication, and gamers need to look out, security researchers say.

The enormous success which hackers have had extracting millions of dollars from individuals and businesses using ransomware appears to be driving more sophisticated tools and tactics from them.

This week researchers sounded the alert on two recent ransomware families that break ground in different ways.

One of them dubbed Virlock is noteworthy because it not only locks the screen of compromised systems like other ransomware, but also infects files on the device. First noticed by security firm ESET in December, Virlock is also polymorphic, meaning the code changes every time it runs making it hard to detect using standard malware detection tools.

In an alert on Friday, security firm Trend Micro described Virlock as the first ransomware that includes file infection in its routine. Unlike most ransomware, which are distributed via botnets and phishing emails, Virlock spreads via infected files, the security firm said.

“Virlock variants may arrive bundled with other malware in infected computers,” Trend Micro security researchers Jaaziel Carlos, Jonh Chua, and Rodwin Fuentes said in their blog.

Once on a system, the malware creates and modifies registry entries to obfuscate itself and then locks the screen and disables several critical functions on the compromised system. Virlock checks for specific file types on the infected system, including executable files and document types such as “.doc”, “.xls” and “.pdf”. It also looks for archive files like “.zip” audio and video files with extensions like “.mp3” and image files such as “.jpg” and “.gif.”

After Virlock locates such files it encrypt them and then embeds them in the body of the malware itself, the researchers said. Infected systems can be hard to clean and even a single infected file that remains undetected in a system can cause the malware to respawn the infection all over again.

“Once Virlock gets into a system network, it will be all over the place; it can infect a whole network system without notice,” the researchers said.

The other ransomware family that has attracted the attention of security researchers because it is different is, TeslaCrypt, a tool that is, for the first time, being used to go after video gamers, specifically. Operationally, the malware is similar to other ransomware, in that it encrypts data on the victim’s computer and then demands a ransom to unlock it.

But by targeting gamers, hackers are increasing what is already a huge target base for ransomware campaigns, Vadim Kotov, a security researcher at Bromium said in a blog post Thursday.

Bromium’s research has shown that data files for more than 20 games are affected by the threat, including Call of Duty, Star Craft 2, Diablo, Minecraft, and online games like World of Warcraft.

“Encrypting all these games demonstrates the evolution of crypto-ransomware as cybercriminals target new niches,” Kotov wrote.

Richard Blech, CEO of Secure Channels, says threats like these showcase the growing sophistication of the ransomware tools and tactics used by hackers to go after potential targets.

“What’s going on is that this is the new mainstream,” Blech says. “This isn’t some script kiddie in the basement,” targeting people with malware tools.  Increasingly, it is the highly sophisticated criminal groups using sophisticated tools that are behind major ransomware campaigns.

Perimeter defense tools like antivirus and anti spam products can help alleviate the threat somewhat by detecting and blocking ransomware where possible. But ultimately a lot of onus for dealing with the threat falls on the user. In most cases, ransomware tools end up getting installed on a system as the direct result of a user action, like clicking on a link in a phishing email. 

“Someone has to do something,” to trigger ransomware in most cases. “There is a human factor,” Blech said.

Keeping files backed up is the best way to mitigate the threat posed by ransomware, Blech said. That way, even if data gets locked up or encrypted, it is easy to retrieve a backup copy.

“Be also careful with your DropBox (or other cloud services). If you have folders synchronized with an online storage – malware will get to them too.” Kotov said in his blog post.

Andrew Brandt, senior threat researcher at Blue Coat Systems said ransomware has become a growing threat not just because of how it is distributed but also because it’s ability to destroy data has evolved dramatically.

Small businesses and governments in particular have reason to be concerned about the trend, Brandt said in emailed comments to Dark Reading. “Small business and local government agencies are most likely, out of the panoply of potential commercial or enterprise victims, to lack any kind of integrated IT security infrastructure,” he said.

Dealing with ransomware requires the same kind of rigor as dealing with any malware he said. Machines or instance, need to be kept up to date, and software needs to be properly patched and updated.

“Networks on which these computers operate can be proxied through devices that prohibit communications with known-bad network addresses,” he said. “And the end users themselves need to be a little less credulous and treat email with greater care and a degree of mistrust.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
xmarksthespot
50%
50%
xmarksthespot,
User Rank: Strategist
3/16/2015 | 8:29:35 PM
Re: Worry
Ransomware is bad for sure.  Offline backups are the last line of defense:  put important files on CDs, flash or external drive, and unplug the device when not in use.

I have been trying to find out ways to prevent this.  There is scant and conflicting evidence on a couple of sites.  One site says it does not self-propogate between systems over the internet.  It needs another program to send it, like a Trojan.  I was also reading the infection rate is low so far. 

Defense against ransomware in general:

1. Don't click on links in emails unless you expect that particular email, such as a confirmation to create an account.

2. Backup important data.

Another defense against most ransomware is antivirus software.  However, as stated in this article, this particular one evades antivirus by changing itself every time it's copied, making it harder to detect.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
3/16/2015 | 6:57:34 AM
Worry
Ransomware is just about the only piece of malware that worries me. The rest of it, at worst, I need to format my system and although there is the potential to lose some data or important information, chances are it can be recovered or the problems mitigated. When it comes to randomsware though, chances are your files are gone for good, as there is no guarantee that whoever you pay will unlock them for you, even if you do pay.

I have a pretty good system for back ups, but I would be mortified if I lose all of my personal pictures and memories. 
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
IoT Vulnerability Disclosure Platform Launched
Dark Reading Staff 10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15270
PUBLISHED: 2020-10-22
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not pa...
CVE-2018-21266
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2018-21267
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2020-27673
PUBLISHED: 2020-10-22
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
CVE-2020-27674
PUBLISHED: 2020-10-22
An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique.