Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

9/8/2014 12:00 PM
Brian Foster
Commentary

No End In Sight For Ransomware

The screenlocker Kovter, in particular, has shown sharp growth this year. It masquerades as a law enforcement authority and threatens police action if users don't pay up.

The Department of Justice’s Operation Tovar in June 2014 may have led to the takedown of the notorious botnet GameOverZeus and one of its moneymaking payloads, CryptoLocker, but make no mistake about it: We haven’t seen the end of ransomware. It seems that threat actors are getting more brazen about their exploits in an effort to make easy money. Ransomware, particularly Kovter, is on the rise.

Ransomware, which restricts access to a computer system and demands that the user pay to regain control, has been around for decades. The first known ransomware was the 1989 AIDS Trojan written by Joseph Popp. More recently, CryptoLocker rose to fame thanks to its delivery mechanism, GameOverZeus (GoZ).

The increase in ransomware we have seen over the past 18 months comes both from newer variants and copycats, such as CryptoLocker and CryptoWall, and from a rise in the prevalence of ransomware infections in general, including old standbys such as Urausy and Reveton.

Kovter in particular has shown sharp growth this year. Kovter is a screenlocker or systemlocker, rather than a file encrypter like Cryptowall. It masquerades as being from law enforcement authorities and threatens police action. Kovter specifically targets users whose systems include adult websites in the browsing history or images in cache -- but no one is safe.

If Kovter fails to find "evidence" that the user has accessed adult content, the malware manufactures fake proof by redirecting the browser to a randomized adult website where it logs the history and retrieves content. The content is then presented on a splash screen, along with a message. Users are warned of having broken the law and must pay a fine to regain use of the system. If they don’t pay up, the message says, they will be subject to higher fines and possibly jail time.

Ransomware uses payment methods that give threat actors easy access to untraceable funds. For example, Kovter demands payment via the prepaid card MoneyPak in the US, and via Ukash and paysafecard outside the US. However, paying the ransom does not remove the malware from an infected system, nor does it restore computer functionality.

During the height of Kovter activity in June, Damballa's Threat Research team saw infections reach 43,713 on a single day. While we are still collecting comprehensive data for Q3, so far we have seen the peak daily infection count reach 59,589 unique infected victims in a single day, putting it 36% ahead of the peak count we saw in Q2.

Given the ease with which threat actors can extort their victims, it’s safe to say that we haven’t seen the end of ransomware. If you or your users become a victim, use trusted sources and tools to remediate infections. Report computer-related crime to your local, state, federal or other authorities. Complaints can also be filed with the Internet Crime Complaint Center (IC3). A partnership between the FBI and the National White Collar Crime Center, IC3 can help determine which law enforcement agencies should be involved in the criminal investigation.

Brian Foster brings more than 25 years of successful product management and development experience to Damballa. Recently, he was SVP of product management for consumer security at McAfee, where he directed the strategy and development of consumer and mobile security ...