Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/8/2014
12:00 PM
Brian Foster
Brian Foster
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

No End In Sight For Ransomware

The screenlocker Kovter, in particular, has shown sharp growth this year. It masquerades as a law enforcement authority and threatens police action if users don't pay up.

The Department of Justice’s Operation Tovar in June 2014 may have led to the takedown of the notorious botnet GameOverZeus and one of its moneymaking payloads, CryptoLocker, but make no mistake about it: We haven’t seen the end of ransomware. It seems that threat actors are getting more brazen about their exploits in an effort to make easy money. Ransomware, particularly Kovter, is on the rise.

Ransomware, which restricts access to a computer system and demands that the user pay to regain control, has been around for decades. The first known ransomware was the 1989 AIDS Trojan written by Joseph Popp. More recently, CryptoLocker rose to fame thanks to its delivery mechanism, GameOverZeus (GoZ).

The increase in ransomware we have seen over the past 18 months is in both newer ransomware variants and copycats, such as Cryptolocker and Cryptowall, as well as an increase in the prevalence of ransomware infections in general, including old standbys such as Urasy and Reveton.  

Kovter in particular has shown sharp growth this year. Kovter is a screenlocker or systemlocker, rather than a file encrypter like Cryptowall. It masquerades as being from law enforcement authorities and threatens police action. Kovter specifically targets users whose systems include adult websites in the browsing history or images in cache -- but no one is safe.

If Kovter fails to find "evidence" that the user has accessed adult content, the malware manufactures fake proof by redirecting the browser to a randomized adult website where it logs the history and retrieves content. The content is then presented on a splash screen, along with a message. Users are warned of having broken the law and must pay a fine to regain use of the system. If they don’t pay up, the message says, they will be subject to higher fines and possibly jail time.

Ransomware uses payment methods that give threat actors easy access to untraceable funds. For example, in the US, Kovter uses the prepaid card MoneyPak, and Ukash and paysafecard outside the US. However, paying the ransom does not remove the malware from an infected system, nor does it restore computer functionality.

During the height of Kovter activity in June, Damballa’s Threat Research team saw infections reached 43,713 on a single day. While we are still collecting comprehensive data for Q3, so far we have seen the peak daily infection count reach 59,589 unique infected victims in a single day, putting it 36% ahead of the peak count we saw in Q2.   

Given the ease with which threat actors can extort their victims, it’s safe to say that we haven’t seen the end of ransomware. If you or your users become a victim, use trusted sources and tools to remediate infections. Report computer-related crime to your local, state, federal or other authorities. Complaints can also be filed with the Internet Crime Complaint Center (IC3). A partnership between the FBI and the National White Collar Crime Center, IC3 can help determine which law enforcement agencies should be involved in the criminal investigation.

Brian Foster brings more than 25 years of successful product management and development experience to Damballa. Recently, he was SVP of product management for consumer security at McAfee, where he directed the strategy and development of consumer and mobile security ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "SpearPhish! Everyone out of the office!"
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10100
PUBLISHED: 2019-07-17
tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab.
CVE-2019-12175
PUBLISHED: 2019-07-17
In Zeek Network Security Monitor (formerly known as Bro) before 2.6.2, a NULL pointer dereference in the Kerberos (aka KRB) protocol parser leads to DoS because a case-type index is mishandled.
CVE-2019-12475
PUBLISHED: 2019-07-17
In MicroStrategy Web before 10.4.6, there is stored XSS in metric due to insufficient input validation.
CVE-2019-13346
PUBLISHED: 2019-07-17
In MyT 1.5.1, the User[username] parameter has XSS.
CVE-2019-13403
PUBLISHED: 2019-07-17
Temenos CWX version 8.9 has an Broken Access Control vulnerability in the module /CWX/Employee/EmployeeEdit2.aspx, leading to the viewing of user information.