Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/8/2014
12:00 PM
Brian Foster
Brian Foster
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

No End In Sight For Ransomware

The screenlocker Kovter, in particular, has shown sharp growth this year. It masquerades as a law enforcement authority and threatens police action if users don't pay up.

The Department of Justice’s Operation Tovar in June 2014 may have led to the takedown of the notorious botnet GameOverZeus and one of its moneymaking payloads, CryptoLocker, but make no mistake about it: We haven’t seen the end of ransomware. It seems that threat actors are getting more brazen about their exploits in an effort to make easy money. Ransomware, particularly Kovter, is on the rise.

Ransomware, which restricts access to a computer system and demands that the user pay to regain control, has been around for decades. The first known ransomware was the 1989 AIDS Trojan written by Joseph Popp. More recently, CryptoLocker rose to fame thanks to its delivery mechanism, GameOverZeus (GoZ).

The increase in ransomware we have seen over the past 18 months is in both newer ransomware variants and copycats, such as Cryptolocker and Cryptowall, as well as an increase in the prevalence of ransomware infections in general, including old standbys such as Urasy and Reveton.  

Kovter in particular has shown sharp growth this year. Kovter is a screenlocker or systemlocker, rather than a file encrypter like Cryptowall. It masquerades as being from law enforcement authorities and threatens police action. Kovter specifically targets users whose systems include adult websites in the browsing history or images in cache -- but no one is safe.

If Kovter fails to find "evidence" that the user has accessed adult content, the malware manufactures fake proof by redirecting the browser to a randomized adult website where it logs the history and retrieves content. The content is then presented on a splash screen, along with a message. Users are warned of having broken the law and must pay a fine to regain use of the system. If they don’t pay up, the message says, they will be subject to higher fines and possibly jail time.

Ransomware uses payment methods that give threat actors easy access to untraceable funds. For example, in the US, Kovter uses the prepaid card MoneyPak, and Ukash and paysafecard outside the US. However, paying the ransom does not remove the malware from an infected system, nor does it restore computer functionality.

During the height of Kovter activity in June, Damballa’s Threat Research team saw infections reached 43,713 on a single day. While we are still collecting comprehensive data for Q3, so far we have seen the peak daily infection count reach 59,589 unique infected victims in a single day, putting it 36% ahead of the peak count we saw in Q2.   

Given the ease with which threat actors can extort their victims, it’s safe to say that we haven’t seen the end of ransomware. If you or your users become a victim, use trusted sources and tools to remediate infections. Report computer-related crime to your local, state, federal or other authorities. Complaints can also be filed with the Internet Crime Complaint Center (IC3). A partnership between the FBI and the National White Collar Crime Center, IC3 can help determine which law enforcement agencies should be involved in the criminal investigation.

Brian Foster brings more than 25 years of successful product management and development experience to Damballa. Recently, he was SVP of product management for consumer security at McAfee, where he directed the strategy and development of consumer and mobile security ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-6287
PUBLISHED: 2020-07-14
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create a...
CVE-2020-6289
PUBLISHED: 2020-07-14
SAP Disclosure Management, version 10.1, had insufficient protection against Cross-Site Request Forgery, which could be used to trick user in to browsing malicious site.
CVE-2020-6290
PUBLISHED: 2020-07-14
SAP Disclosure Management, version 10.1, is vulnerable to Session Fixation attacks wherein the attacker tricks the user into using a specific session ID.
CVE-2020-6291
PUBLISHED: 2020-07-14
SAP Disclosure Management, version 10.1, session mechanism does not have expiration data set therefore allows unlimited access after authenticating once, leading to Insufficient Session Expiration
CVE-2020-6292
PUBLISHED: 2020-07-14
Logout mechanism in SAP Disclosure Management, version 10.1, does not invalidate one of the session cookies, leading to Insufficient Session Expiration.