Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/13/2015
06:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Hackers Breaking New Ground With Ransomware

The tools and tactics being used to go after victims reveal growing sophistication, and gamers need to look out, security researchers say.

The enormous success which hackers have had extracting millions of dollars from individuals and businesses using ransomware appears to be driving more sophisticated tools and tactics from them.

This week researchers sounded the alert on two recent ransomware families that break ground in different ways.

One of them dubbed Virlock is noteworthy because it not only locks the screen of compromised systems like other ransomware, but also infects files on the device. First noticed by security firm ESET in December, Virlock is also polymorphic, meaning the code changes every time it runs making it hard to detect using standard malware detection tools.

In an alert on Friday, security firm Trend Micro described Virlock as the first ransomware that includes file infection in its routine. Unlike most ransomware, which are distributed via botnets and phishing emails, Virlock spreads via infected files, the security firm said.

“Virlock variants may arrive bundled with other malware in infected computers,” Trend Micro security researchers Jaaziel Carlos, Jonh Chua, and Rodwin Fuentes said in their blog.

Once on a system, the malware creates and modifies registry entries to obfuscate itself and then locks the screen and disables several critical functions on the compromised system. Virlock checks for specific file types on the infected system, including executable files and document types such as “.doc”, “.xls” and “.pdf”. It also looks for archive files like “.zip” audio and video files with extensions like “.mp3” and image files such as “.jpg” and “.gif.”

After Virlock locates such files it encrypt them and then embeds them in the body of the malware itself, the researchers said. Infected systems can be hard to clean and even a single infected file that remains undetected in a system can cause the malware to respawn the infection all over again.

“Once Virlock gets into a system network, it will be all over the place; it can infect a whole network system without notice,” the researchers said.

The other ransomware family that has attracted the attention of security researchers because it is different is, TeslaCrypt, a tool that is, for the first time, being used to go after video gamers, specifically. Operationally, the malware is similar to other ransomware, in that it encrypts data on the victim’s computer and then demands a ransom to unlock it.

But by targeting gamers, hackers are increasing what is already a huge target base for ransomware campaigns, Vadim Kotov, a security researcher at Bromium said in a blog post Thursday.

Bromium’s research has shown that data files for more than 20 games are affected by the threat, including Call of Duty, Star Craft 2, Diablo, Minecraft, and online games like World of Warcraft.

“Encrypting all these games demonstrates the evolution of crypto-ransomware as cybercriminals target new niches,” Kotov wrote.

Richard Blech, CEO of Secure Channels, says threats like these showcase the growing sophistication of the ransomware tools and tactics used by hackers to go after potential targets.

“What’s going on is that this is the new mainstream,” Blech says. “This isn’t some script kiddie in the basement,” targeting people with malware tools.  Increasingly, it is the highly sophisticated criminal groups using sophisticated tools that are behind major ransomware campaigns.

Perimeter defense tools like antivirus and anti spam products can help alleviate the threat somewhat by detecting and blocking ransomware where possible. But ultimately a lot of onus for dealing with the threat falls on the user. In most cases, ransomware tools end up getting installed on a system as the direct result of a user action, like clicking on a link in a phishing email. 

“Someone has to do something,” to trigger ransomware in most cases. “There is a human factor,” Blech said.

Keeping files backed up is the best way to mitigate the threat posed by ransomware, Blech said. That way, even if data gets locked up or encrypted, it is easy to retrieve a backup copy.

“Be also careful with your DropBox (or other cloud services). If you have folders synchronized with an online storage – malware will get to them too.” Kotov said in his blog post.

Andrew Brandt, senior threat researcher at Blue Coat Systems said ransomware has become a growing threat not just because of how it is distributed but also because it’s ability to destroy data has evolved dramatically.

Small businesses and governments in particular have reason to be concerned about the trend, Brandt said in emailed comments to Dark Reading. “Small business and local government agencies are most likely, out of the panoply of potential commercial or enterprise victims, to lack any kind of integrated IT security infrastructure,” he said.

Dealing with ransomware requires the same kind of rigor as dealing with any malware he said. Machines or instance, need to be kept up to date, and software needs to be properly patched and updated.

“Networks on which these computers operate can be proxied through devices that prohibit communications with known-bad network addresses,” he said. “And the end users themselves need to be a little less credulous and treat email with greater care and a degree of mistrust.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
xmarksthespot
50%
50%
xmarksthespot,
User Rank: Strategist
3/16/2015 | 8:29:35 PM
Re: Worry
Ransomware is bad for sure.  Offline backups are the last line of defense:  put important files on CDs, flash or external drive, and unplug the device when not in use.

I have been trying to find out ways to prevent this.  There is scant and conflicting evidence on a couple of sites.  One site says it does not self-propogate between systems over the internet.  It needs another program to send it, like a Trojan.  I was also reading the infection rate is low so far. 

Defense against ransomware in general:

1. Don't click on links in emails unless you expect that particular email, such as a confirmation to create an account.

2. Backup important data.

Another defense against most ransomware is antivirus software.  However, as stated in this article, this particular one evades antivirus by changing itself every time it's copied, making it harder to detect.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
3/16/2015 | 6:57:34 AM
Worry
Ransomware is just about the only piece of malware that worries me. The rest of it, at worst, I need to format my system and although there is the potential to lose some data or important information, chances are it can be recovered or the problems mitigated. When it comes to randomsware though, chances are your files are gone for good, as there is no guarantee that whoever you pay will unlock them for you, even if you do pay.

I have a pretty good system for back ups, but I would be mortified if I lose all of my personal pictures and memories. 
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15132
PUBLISHED: 2019-08-17
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocki...
CVE-2019-15133
PUBLISHED: 2019-08-17
In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero.
CVE-2019-15134
PUBLISHED: 2019-08-17
RIOT through 2019.07 contains a memory leak in the TCP implementation (gnrc_tcp), allowing an attacker to consume all memory available for network packets and thus effectively stopping all network threads from working. This is related to _receive in sys/net/gnrc/transport_layer/tcp/gnrc_tcp_eventloo...
CVE-2019-14937
PUBLISHED: 2019-08-17
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.
CVE-2019-13069
PUBLISHED: 2019-08-17
extenua SilverSHielD 6.x fails to secure its ProgramData folder, leading to a Local Privilege Escalation to SYSTEM. The attacker must replace SilverShield.config.sqlite with a version containing an additional user account, and then use SSH and port forwarding to reach a 127.0.0.1 service.