Ransomware Timeline: Top Stories September 2017

There is no excuse for extortion in any of its forms. Cybercriminals, however, don’t seem to care as they keep spewing out new ransomware samples day by day. The blackmail malware landscape was relatively calm in September, with some scattershot bursts occurring once in a while. The Locky ransomware got updated with the Ykcol edition; a destructive data wiper called RedBoot surfaced; the GlobeImposter family continued to inflate the e-extortion ecosystem with its lookalike variants; and thousands of MongoDB servers got ransomed for the second time this year. Read the September chronicle below to learn more.

Sept. 1, 2017

The distributors of the Locky ransomware start leveraging a clever anti-sandboxing trick. The contamination process doesn’t start when a would-be victim opens a booby-trapped Word document attached to a malspam email. Instead, the payload is downloaded and executed when the user closes the toxic attachment. The use of run-on-close macros allows the infection to slip under the radar of some AV tools and of sandboxes that only open the document and never close it.
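A defender’s check for the run-on-close trick described above, as an added example rather than anything from the original post: it scans extracted VBA source for procedures Word runs automatically and rates a close/exit trigger that carries payload-launching calls higher than an open trigger. The VBA module is constructed for illustration, and the procedure names and call list are the author’s assumptions of what such a scanner should flag.

```python
import re

# Procedure names Word runs on its own; Document_Close/AutoClose are the
# run-on-close triggers the Locky campaign above relies on.
AUTOEXEC_TRIGGERS = {
    "autoopen": "open", "document_open": "open",
    "autoclose": "close", "document_close": "close",
    "autoexec": "start", "autoexit": "exit",
}
# Calls a macro typically needs in order to fetch or launch a payload.
SUSPICIOUS_CALLS = ("Shell", "CreateObject", "WScript.Shell", "URLDownloadToFile", "powershell")

# One VBA procedure: header, body, terminator (case-insensitive, multi-line).
PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\([^)]*\)(.*?)^\s*End\s+(?:Sub|Function)",
    re.IGNORECASE | re.DOTALL | re.MULTILINE,
)

def analyze_vba(source):
    """List every auto-executing procedure with its trigger and the suspicious calls in its body."""
    findings = []
    for m in PROC_RE.finditer(source):
        name, body = m.group(1), m.group(2)
        trigger = AUTOEXEC_TRIGGERS.get(name.lower())
        if trigger is None:
            continue  # ordinary helper procedure, not run automatically
        calls = [c for c in SUSPICIOUS_CALLS if c.lower() in body.lower()]
        findings.append({"procedure": name, "trigger": trigger, "suspicious_calls": calls})
    return findings

def verdict(findings):
    """'high' when a close/exit trigger carries suspicious calls (the sandbox-evading pattern),
    'medium' for any other auto-exec procedure with such calls, otherwise 'low'."""
    armed = [f for f in findings if f["suspicious_calls"]]
    if any(f["trigger"] in ("close", "exit") for f in armed):
        return "high"
    return "medium" if armed else "low"

# Constructed VBA module for the demo, not taken from a real sample.
SAMPLE_VBA = '''
Private Sub Document_Open()
    ' Harmless on open, so a sandbox that only opens the file sees nothing.
    ActiveDocument.Saved = True
End Sub

Private Sub Document_Close()
    Dim runner As Object
    Set runner = CreateObject("WScript.Shell")
    runner.Run "PLACEHOLDER_PAYLOAD_COMMAND"
End Sub
'''

if __name__ == "__main__":
    hits = analyze_vba(SAMPLE_VBA)
    for h in hits:
        print(h)
    print("verdict:", verdict(hits))
```

Real-world use would feed the scanner the output of a VBA extractor such as olevba rather than an inline string.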

Sept. 1, 2017

CryptoMix, one of the most widespread ransomware families around, expands with a new variant. The infection now scrambles filenames by replacing them with 32 hexadecimal characters and appends each one with the .arena extension. The rescue note is named _HELP_INSTRUCTION.txt.

Sept. 4, 2017

More than 26,000 MongoDB databases around the world get hijacked in another massive wave of blackmail targeting web servers. The crooks demand 0.5 Bitcoin per server. This campaign zeroes in on online-accessible databases using default login credentials. A series of similar incursions hit 27,000 MongoDB installs in January 2017.

Sept. 5, 2017

A new ransomware strain called SynAck starts making the rounds. It targets businesses, for the most part, infiltrating their networks via hacked remote desktop services. The culprit concatenates a random 10-character extension to every hostage file. The size of the ransom is $2,100 worth of Bitcoin.

Sept. 6, 2017

New ransomware called Hacked attempts to be multinational. The malware in question adds the .hacked extension, reflecting its name, to all files. The Hacked virus comes with a GUI that has clickable tabs in English and Italian. The perpetrating application requests $2,000 and offers a short deadline of three days.

Sept. 7, 2017

Security analysts spot a GlobeImposter ransomware variant whose payload file has a valid digital signature issued by Comodo certificate authority. This particular iteration subjoins the .f41o1 string to encoded files and uses a ransom how-to manual named READ_IT.html. Interestingly, the certificate was revoked the same day.

Sept. 8, 2017



DilmaLocker baddie discovered. This file-encrypting malware specializes in Portuguese-speaking victims. It marks ransomed data files with the ._dilmaV1 extension and gives you restoration tips with the help of a text guide called} RECUPERE_SEUS_ARQUIVOS.html.

Sept. 9, 2017

The new ransomware named ApolloLocker focuses on Turkish users and brings a lot more harm than just data encryption. It includes a data theft component, putting the victim’s personal and bank info at risk. The ransomware makes use of the very common .locked extension to mark encrypted files and creates ransom notes labeled http://ift.tt/2yJyOew.

Sept. 11, 2017

A couple of fresh editions of the Jigsaw ransomware appear in quick succession, namely within one day. They mainly target Polish-speaking users, set a scary desktop background featuring an image of the Grim Reaper, and append ransomed files with the .pabluk300CrYpT! or .pablukCRYPT suffix. Both are decryptable for free.

Sept. 12, 2017

The above-mentioned GlobeImposter ransom Trojan is gearing up for a rise. Its newest version uses a U.S. President theme for its filename tweaking routine. Specifically, it concatenates the .reaGAN extension to encrypted files and coerces infected users to contact Ronald_Reagan@derpymail.org for recovery steps.

Sept. 13, 2017

Researchers discover a new Ransomware-as-a-Service (RaaS) platform designed to distribute a data-encrypting infection ironically called Paradise. This perpetrating program applies the RSA encryption algorithm to deny access to victims’ files, appending them with the .[info@decrypt.ws].paradise string.

Sept. 18, 2017

A new iteration of the Locky ransomware takes root. Its developers have added some play on words to their campaign – the variant in question subjoins the .ykcol extension to targeted files, which is a backward spelling of the blackmail Trojan’s name. The malicious payload still arrives via spam generated by the Necurs botnet.

Sept. 20, 2017

According to Flashpoint, a company providing business risk intelligence solutions, threat actors from the Eastern European cybercriminal underground are confronted with a dilemma regarding ransomware distribution. Some of the felons argue that ransomware slows down the progress of other malware types and attracts superfluous attention from law enforcement.

Sept. 21, 2017

A file-encrypting virus called CyberDrill_2 is released. Upon closer scrutiny, it turns out to be a spinoff of Hidden Tear, a controversial proof-of-concept ransomware project originally tailored for educational purposes. The sample adds the .cyberdrill extension to encrypted files and extorts a whopping 5 Bitcoin (about $23,800) for decryption.

Sept. 22, 2017

The Ykcol edition of the Locky culprit is proliferating via multiple spam campaigns operated by six different ‘affiliate’ crews. Some of the social engineering themes used for these rogue emails are as follows: status of an invoice, Herbalife order number, and new voice message in the mailbox.

Sept. 22, 2017

InfinityLock, yet another ransom malware on record, stands out from the rest due to a very special intimidation technique it leverages. Having encrypted one’s valuable data, the infection displays a counterfeit Command Prompt window mimicking a remote hacker typing different commands. Such an animation trick is an entirely new thing for the ransomware ecosystem.

Sept. 23, 2017

Pretty much everyone is familiar with the NotPetya ransomware that did so much damage to organizations and home users in June 2017. A brand-new strain called RedBoot appears to follow suit. It skews the Master Boot Record of a plagued computer, then damages the partition table and encrypts the victim’s files without providing a recovery option that works.

Sept. 25, 2017

A blackmail Trojan called nRansom imposes an unthinkable deal that doesn’t presuppose payment. According to its ransom note, a victim needs to send 20 nude pictures of themselves in order to get their data back. That’s just part of the whole insanity, though. Another demand is to record a video of the user killing 10 people and send it to the crooks. Well, that’s not even funny. Ultimately, there is no way for an infected user to decrypt hostage files.
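The file-renaming indicators collected in the entries above (CryptoMix’s 32-hex-character names with .arena, the .ykcol, .reaGAN, .f41o1, ._dilmaV1, .[info@decrypt.ws].paradise and other suffixes, plus the named ransom notes) can be turned into a simple triage check over a file listing. The scanner below is an added example, not code from the original post; the directory listing is constructed, and the per-directory threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Family -> filename suffix, taken from the September 2017 entries above.
KNOWN_SUFFIXES = {
    "CryptoMix/Arena": ".arena",
    "GlobeImposter": ".f41o1",
    "GlobeImposter/Reagan": ".reaGAN",
    "DilmaLocker": "._dilmaV1",
    "ApolloLocker": ".locked",
    "Jigsaw/Pabluk": ".pabluk300CrYpT!",
    "Jigsaw/Pabluk2": ".pablukCRYPT",
    "Paradise": ".[info@decrypt.ws].paradise",
    "Locky/Ykcol": ".ykcol",
    "CyberDrill_2": ".cyberdrill",
    "Hacked": ".hacked",
}
RANSOM_NOTES = {"_HELP_INSTRUCTION.txt", "READ_IT.html", "RECUPERE_SEUS_ARQUIVOS.html"}
# CryptoMix replaces the original name with 32 hex characters before adding .arena.
HEX32_ARENA = re.compile(r"^[0-9a-fA-F]{32}\.arena$")

def classify(name):
    """Return the family a filename points to, 'ransom-note' for a known note, or None."""
    if name in RANSOM_NOTES:
        return "ransom-note"
    if HEX32_ARENA.match(name):
        return "CryptoMix/Arena"
    for family, suffix in KNOWN_SUFFIXES.items():
        if name.endswith(suffix):
            return family
    return None

def scan_listing(paths, threshold=0.5):
    """Per directory: hit counts per family, note presence, and a suspected flag.
    A directory is suspected when a note is present or renamed files reach the threshold share."""
    per_dir = {}
    for path in paths:
        directory, _, name = path.rpartition("/")
        entry = per_dir.setdefault(directory, {"total": 0, "hits": Counter()})
        entry["total"] += 1
        family = classify(name)
        if family:
            entry["hits"][family] += 1
    report = {}
    for directory, e in per_dir.items():
        renamed = sum(n for f, n in e["hits"].items() if f != "ransom-note")
        note_present = e["hits"]["ransom-note"] > 0
        report[directory] = {"families": dict(e["hits"]), "note_present": note_present,
                             "suspected": note_present or renamed / e["total"] >= threshold}
    return report

SAMPLE_LISTING = [  # constructed listing, not real victim data
    "/srv/share/finance/3f2a9c0e4b1d5a6f7e8d9c0b1a2f3e4d.arena",
    "/srv/share/finance/0a1b2c3d4e5f60718293a4b5c6d7e8f9.arena",
    "/srv/share/finance/_HELP_INSTRUCTION.txt",
    "/srv/share/finance/budget.xlsx",
    "/home/ana/docs/tese.docx._dilmaV1",
    "/home/ana/docs/RECUPERE_SEUS_ARQUIVOS.html",
    "/home/ana/docs/notes.txt",
    "/home/ana/docs/fotos.zip",
    "/var/www/html/index.html",
]

if __name__ == "__main__":
    for directory, result in scan_listing(SAMPLE_LISTING).items():
        print(directory, result)
```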

Overall, the unscrupulous architects of ransomware campaigns didn’t do anything revolutionary in September. However, this might well be a lull before the storm. Stay tuned for the next timeline to learn which way the e-extortion industry is heading.


About the Author:

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.


