9/8/2014
12:00 PM
Brian Foster
Commentary

No End In Sight For Ransomware

The screenlocker Kovter, in particular, has shown sharp growth this year. It masquerades as a law enforcement authority and threatens police action if users don't pay up.

The Department of Justice’s Operation Tovar in June 2014 may have led to the takedown of the notorious botnet GameOverZeus and one of its moneymaking payloads, CryptoLocker, but make no mistake about it: We haven’t seen the end of ransomware. It seems that threat actors are getting more brazen about their exploits in an effort to make easy money. Ransomware, particularly Kovter, is on the rise.

Ransomware, which restricts access to a computer system and demands that the user pay to regain control, has been around for decades. The first known ransomware was the 1989 AIDS Trojan written by Joseph Popp. More recently, CryptoLocker rose to fame thanks to its delivery mechanism, GameOverZeus (GoZ).

The increase in ransomware we have seen over the past 18 months comes both from newer variants and copycats, such as CryptoLocker and CryptoWall, and from a rise in the prevalence of ransomware infections in general, including old standbys such as Urausy and Reveton.

Kovter in particular has shown sharp growth this year. Kovter is a screenlocker or systemlocker rather than a file encrypter like CryptoWall: it blocks use of the system but leaves the user's files unencrypted. It masquerades as a notice from law enforcement authorities and threatens police action. Kovter specifically targets users whose systems include adult websites in the browsing history or images in the cache -- but no one is safe.

If Kovter fails to find "evidence" that the user has accessed adult content, the malware manufactures fake proof by redirecting the browser to a randomized adult website where it logs the history and retrieves content. The content is then presented on a splash screen, along with a message. Users are warned of having broken the law and must pay a fine to regain use of the system. If they don’t pay up, the message says, they will be subject to higher fines and possibly jail time.

Ransomware uses payment methods that give threat actors easy access to funds that are hard to trace. Kovter, for example, demands MoneyPak prepaid cards in the US and Ukash or paysafecard vouchers outside the US. Paying the ransom, however, neither removes the malware from an infected system nor restores the computer's functionality.

During the height of Kovter activity in June, Damballa's Threat Research team saw infections reach 43,713 on a single day. While we are still collecting comprehensive data for Q3, so far we have seen the peak daily infection count reach 59,589 unique infected victims in a single day, putting it 36% ahead of the peak count we saw in Q2.

Given the ease with which threat actors can extort their victims, it’s safe to say that we haven’t seen the end of ransomware. If you or your users become a victim, use trusted sources and tools to remediate infections. Report computer-related crime to your local, state, federal or other authorities. Complaints can also be filed with the Internet Crime Complaint Center (IC3). A partnership between the FBI and the National White Collar Crime Center, IC3 can help determine which law enforcement agencies should be involved in the criminal investigation.

Brian Foster brings more than 25 years of successful product management and development experience to Damballa. Recently, he was SVP of product management for consumer security at McAfee, where he directed the strategy and development of consumer and mobile security ...