Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:00 PM
Connect Directly

Big Week For Ransomware

Inventive new variants and damaging attacks swept through the headlines this week.

What a week for ransomware. The bullish code that extorts users by locking or encrypting their files and devices has made headlines all week. In case you missed it, here's a roundup.

Israeli Electric Authority

While more information was emerging about the December attack on the electric grid in Ukraine, the Israeli energy sector tried to get in on the action, reporting an attack at the Israel Electric Authority.

Yet, the initial excitement abated when it turned out that the event was a far cry from a major blackout. According to Rob Lee of the SANS Institute, The Israel Electric Authority is just a regulatory body, and the attack was simply a ransomware infection affecting some of their 30 employees.

Lincolnshire County Council

The Register reports that a local government agency in the United Kingdom has fallen victim to a ransomware attack so widespread that it's shut the whole place down.

The unnamed ransomware took root in a computer of the Lincolnshire County Council -- which manages local services like libraries, roads, childcare, adult care, education, and vital records -- after a staff member opened a malicious email attachment.

After getting that foothoold, the malware spread and took over 300 computers. The Council told The Register their systems may not be up again until next week.

Faking SalesForce

Meanwhile, Heimdal Security has found the CryptoWall 4.0 ransomware running a new sophisticated new campaign that ships out phishing messages that appear to come from customer relationship management software giant SalesForce.

The messages use a variety of subject headings that often include the recipient's name and reference "invoices" or "contract confirmations." The payload is delivered via malicious attachments.

Heimdal researchers wrote about the CryptoWall team's history of rapidly rolling out new variants. Although version 4.0 just hit the scene in November, Heimdal posits that Cryptowall 5.0 is just around the corner, and may appear as soon as March.

New Android Ransomware

Symantec unearthed an inventive new strain of Android ransomware that uses a twist on clickjacking to trick users into executing. Lockdroid.E can both encrypt all a victim's files on the device and take full administrative control of the Android device. 

Lockdroid poses as a porn app (only available on third-party stores, not the official Google Play shop). The app tells the user it is installing a package -- displaying a message that states "please wait, unpacking the components" -- while it's actually busy encrypting all your files while you wait.

When it's done with that part of its nefarious work, Lockdroid displays a screen informing the user that the installation is complete and instructs them to click the "continue" button. Little does the user know that the screen they see is just an image overlay, and the button they're actually clicking is to "activate" the NastyDevAdmin application that gives the attacker authority to lock the screen, change the PIN, and delete files.

Symantec says nearly 67 percent of Android devices are at risk to this threat.

A Greedy New Brand

Bleeping Computer spotted another new piece of kit that breaks the usual ransomware business model. Normally, operators go for volume, distributing their code widely and setting their ransom in the modest $300 range, though Cryptowall 4.0 upped the ante to $700.

The 7ev3n ransomware has gone a different direction. So far only one victim has been seen and the demand is a payoff of 13 Bitcoin, or about $5,000.

That's not the only way 7ev3n is unique. Although the infection at the solitary victim organization spread to multiple endpoints, the initial infection was in a server, not a client device. Plus, it combines both old-school ransomware and crypto-ransomware tactics -- encrypting files and locking the entire device.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
2/2/2016 | 8:55:14 AM
Re: Remote Backup
This is indeed true. I have seen it happen and affect network shares. This is good reason to have a properly configured and tested ACL in place. Users should not have full access to all directories on the shares. This is a common configuration error made by many System Administrators. Access should be granted only to ones department to perform their job function. A full permissions audit should be made on a regular basis. 

As I have previously stated in other posts. If you encrypt your backups wheither locally or remote, they are not vulnerable to this attack.
Sara Peters
Sara Peters,
User Rank: Author
2/1/2016 | 12:22:37 PM
Re: Remote Backup
 @RyanSepe  CryptoLocker could encrypt your network drives back in its day. Fortunately, some researchers say that at least some ransomware is full of lies -- it threatens things it can't actually do.
User Rank: Ninja
1/31/2016 | 11:18:09 PM
Remote Backup
If Ransomware has taught me anything, its how important remote backups are....always backup your data. If you are in a corporate environment make sure that your data is saved to regularly backed up network drives instead of locally. Although I have heard CryptoWall 4.0 can encrypt network drives, not sure if that has been proven true.
User Rank: Ninja
1/31/2016 | 11:16:01 PM
Hidden Tear
There has been a hidden tear copycat ransomware that has emerged recently that even when payment is received the decryption key provided does not have the ability to decrypt the data. This is not due to malicious intent but rather an genuine error on the side of the attacker. I think its a .b series.
User Rank: Ninja
1/29/2016 | 11:31:00 PM
7ev3n a Good Reminder
Bleeping Computer did a nice rundown on 7ev3n.  It's a great reminder that not all ransomware is the same, and that sometimes - at least until someone cracks the encryption model - you either have to bite the bullet and pay to get your information unlocked, or just "let it go".  Curious, though, who wrote 7ev3n and whether they're behind other ransomware out there we already know about.   
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-18
In Boostnote 0.12.1, exporting to PDF contains opportunities for XSS attacks.
PUBLISHED: 2021-05-18
Mikrotik RouterOs prior to stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/bfd process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).
PUBLISHED: 2021-05-18
Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access.
PUBLISHED: 2021-05-18
Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the log process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.
PUBLISHED: 2021-05-18
Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the mactel process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.