KnowBe4 CEO Stu Sjouwerman issued an alert today warning computer users of a new but very nasty ransomware named CryptoDefense. A copycat competitor to CryptoLocker, CryptoDefense was released in late February, 2014 and is much worse than the original. The ransomware targets text, picture, video, PDF and MS Office files and encrypts these with a strong RSA-2048 key which is hard to undo. It also wipes out Shadow Copies which are used by many backup programs.
The potential for damage is vast, generating tens of thousands per month, according to reports from Symantec. If an end-user opens the infected attachment, the ransomware encrypts its target files, and the criminals charge $500 in Bitcoin to decrypt the files. If their four-day deadline passes by, the amount goes up to $1,000. After a month, the keys are destroyed.
“There is furious competition between cybergangs,” said Sjouwerman (pronounced ‘shower-man’). “They did their test-marketing in countries like the UK, Canada and Australia and are now targeting the US.” Sjouwerman further stated, “CryptoDefense doesn’t seem to be a derivative of CryptoLocker as the code is completely different, confirming this is a competing criminal gang.”
It appears that this infection initiallywas installed through programs that pretend to be flash updates or video players required to view an online video. Then it moved on to a variety of different phishing attacks that show an email with a zip file directing to “open the attached document” that was supposed to have been “scanned and sent to you”.
According to Sjouwerman, “It is obvious that this is a social engineering ploy and that effective security awareness training will prevent someone from opening these infected attachments when they make it through the filters (which they regularly do). Training your end-users to prevent fires like this is a must these days. Once infected, the only way to fix this relatively fast is to make sure you have a recent backup of the files which actually can be restored. Even then, it can take several hours to restore the data.”
Recent ransomware infections were users opening an attachment with a “voice mail message” from AT&T, but there are variants from other Telco companies. Users then admit to opening the attachment but saying it did nothing, however they could not open their files afterward.
This new CryptoDefense ransomwareMalware has bugs too, and Symantec researchers stated : “Due to the attackers poor implementation of the cryptographic functionality they have, quite literally, left their hostages a key to escape”. But by the time you read this, that bug has probably (and unfortunately) been fixed.
About Stu Sjouwerman and KnowBe4:
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Security Awareness Training to small and medium-sized enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, an award-winning anti-malwaresoftware company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced securityawarenesstraining. KnowBe4 services hundreds of customers in a variety of industries, including highly-regulated fields such as healthcare, finance and insurance and is experiencing explosive growth with a surge of 427% in 2013 alone. Sjouwerman is the author of four books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.
To learn more visit www.knowbe4.com
To prevent being “ransomwared” go to Don’t Get Hit with Ransomware