Ransomware has been dominating the news for several weeks, and is likely to stay in the news for most of the year. Ransomware is a distinct type of cyber attack, in that it extorts payment from the victim in exchange for allowing access to something that was encrypted in the attack. The most prevalent type of malware used in this kind of crime is ‘crypto-ransomware', which normally encrypts the files on the compromised system, and then demands a ransom in return for the ability to decrypt and recover the files. The latest iteration of crypto-ransomware is called Locky, and is the most advanced version of ransomware we have seen in the wild.
In late February, several surprising admissions indicated the true scope of ransomware. First, a hospital in Los Angeles was hit and paid a whopping $17,000 to get critical medical files unlocked. Then, several police stations in Massachusetts all got infected and most spent thousands getting serious police records unlocked.
According to reports from ABC Australia (http://www.abc.net.au/news/2015-05-11/new-computer-ransomware-encrypts-files-asks-for-up-to-1000/6461606), a new crypto-ransomware threat is circling Australians’ email inboxes.
You probably remember the Cryptolocker Trojan, as it is one of the scariest bits of malware we’ve seen in a while. Cryptolocker is ransomware that restricts access to a victim’s files until the victim makes a payment to the criminal. Once the payment is made, the criminal may or may not release access to the files. Read more about Cryptolocker in this blog post, http://blog.barracuda.com/2014/01/09/are-you-prepared-for-cryptolocker/
This latest version of Cryptolocker takes on the branding of the late, great, popular TV show, Breaking Bad. It uses the “Los Pollos Amigos” name, which is the restaurant that provided money laundering and was the base for other functions on the show.
The ransomware also links to a video that shows victims how to use bitcoin, which was likely included to help the victims pay the ransom. Researchers believe that the ransomware is spread via email, and downloaded through an infected zip attachment. Barracuda Email Security Service and Barracuda Spam Firewall customers are protected from these types of emails.
Ransomware is a particularly sinister attack, because it forces you to interact with the criminals in order to get access to your data. This particular version even includes the phrase “the one who knocks” in the email address, which is just insult added to injury for those who are familiar with Breaking Bad.
Most of you reading this blog are IT pros, so you already know how to deal with malware, and you’ve probably already heard of Cryptolocker. This Breaking Bad version gives you a good opportunity to revisit your Cryptolocker defense plan, including security software, your backups, and the overall state of your network. Are your users protected from malware, and ransomware in particular? Is there anything more you can do?
If you are battling a budget crunch and you need help selling the decision makers on solutions, consider adding Cryptolocker to your talking points:
- Even police departments and governments are paying the ransom
- Untraceable bitcoins are required for payment, meaning effective legal action and loss recovery are very unlikely
- There is a $100 make-your-own-Cryptolocker kit, opening the ransomware market to pretty much anyone. The Malware Must Die blog has an extensive and updated post on this here – http://malwaremustdie.blogspot.in/2014/01/threat-intelligence-new-locker-prison.html
- Cryptolocker designers are modifying their business model to remain an effective and active threat.
Additionally, consider adding the following Cryptolocker defense kit:
- User education on spam and phishing attacks
- Regular monitoring of the types of traffic on your network
- Regular backups that are kept off-site
- Proactive patch management
- Good antivirus software that can provide real-time scanning
We reported on another version of Cryptolocker a few months ago, here: https://barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/
Cryptolocker isn’t going away anytime soon. Secure your threat vectors, protect your data, and follow best practices to ensure that you are not a victim.
Our research scientists behind Threatglass have found yet another compromised website, and this time it's a big one.
www.askmen.com is the world's foremost men's lifestyle magazine, with approximately 14,000,000 US readers each month. It's owned by Ziff Davis and has international versions in Australia, Canada, the Middle East and the United Kingdom, in addition to the US.
Barracuda Labs recently discovered that AskMen was serving up a drive-by download that installs ransomware on the desktop. From the Barracuda Labs blog:
Yesterday (Sunday, July 6), as well as in June, May and April, AskMen's website served visitors malware via drive-by download attacks that targeted vulnerabilities in various browser-related software components including IE, Flash, and the Java web plugin. During the June incident, ransomware (a type of malware that denies the user access to their files or computer until a ransom is paid) was installed on visitors' computers. Given the need to coerce payment from its victims, ransomware is visually noisy, as indicated by the following screenshot taken at the end of a June 19 visit to AskMen[.]com.
The chain of redirects that began at AskMen's front page and ended with the installation of ransomware on visitors’ computers is as follows.
—> hxxp://bannertrackingstat[.]com/<redacted> (xMultiple)
In the above chain, the ec6155aa[.]pw domain is generated dynamically based on the current date. Subsequent reverse engineering of the name generation algorithm and examination of domains for nearby dates revealed that the drive-by download campaign lasted from June 18 to June 23. Additional details can be found on the following page.
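The dating technique described above, once the name generation algorithm is known, amounts to generating the domain for each day in a candidate range and checking which of those names actually show up in DNS or proxy logs. The following is an added example of that hunt, not code from Barracuda Labs or the post; the post does not publish the real algorithm, so `generate_domain` is a hypothetical SHA-256-of-date stand-in that only mimics the shape of the observed name (8 hex characters under .pw), `CAMPAIGN_SEED` is a constructed value, and the log format and log lines are constructed.

```python
import hashlib
from datetime import date, timedelta

# HYPOTHETICAL seed and algorithm: the post does not publish the real name
# generator, so this stand-in only mimics the shape seen there (8 hex chars + .pw).
CAMPAIGN_SEED = b"constructed-example-seed"


def generate_domain(day_iso, seed=CAMPAIGN_SEED):
    """Domain the hypothetical DGA would produce for the given YYYY-MM-DD date."""
    digest = hashlib.sha256(seed + day_iso.encode()).hexdigest()
    return digest[:8] + ".pw"


def candidate_domains(start_iso, end_iso, seed=CAMPAIGN_SEED):
    """Map every domain generated for a date in [start, end] back to that date."""
    day, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    table = {}
    while day <= end:
        table[generate_domain(day.isoformat(), seed)] = day.isoformat()
        day += timedelta(days=1)
    return table


def parse_dns_log(lines):
    """Yield (query_date, qname) from constructed 'YYYY-MM-DD HH:MM:SS client qname' lines."""
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than abort the whole hunt
        yield parts[0], parts[3].lower().rstrip(".")


def campaign_window(log_lines, start_iso, end_iso, seed=CAMPAIGN_SEED):
    """Return (first_date, last_date, hits) for generated domains actually queried, or None.

    Each hit is (query_date, generated_for_date, qname); a query date that differs
    from the generation date deserves a second look (clock skew or a replayed lookup).
    """
    table = candidate_domains(start_iso, end_iso, seed)
    hits = sorted(
        {(qdate, table[qname], qname) for qdate, qname in parse_dns_log(log_lines) if qname in table}
    )
    if not hits:
        return None
    return hits[0][0], hits[-1][0], hits


def build_sample_log():
    """Constructed DNS log: benign noise daily, the DGA domain queried only June 18-23, 2014."""
    lines = []
    for offset in range(9):  # 2014-06-16 .. 2014-06-24
        day = (date(2014, 6, 16) + timedelta(days=offset)).isoformat()
        lines.append(f"{day} 09:00:01 10.0.0.5 www.example.com")
        if "2014-06-18" <= day <= "2014-06-23":
            lines.append(f"{day} 09:00:02 10.0.0.5 {generate_domain(day)}")
    return lines


if __name__ == "__main__":
    first, last, hits = campaign_window(build_sample_log(), "2014-06-10", "2014-06-30")
    print(f"DGA domains seen from {first} to {last} ({len(hits)} lookups)")
```

Run against the constructed log, this reports the June 18 to June 23 window the post describes. Against real logs the same function is a cheap retroactive check: generate names for a generous date range around the known incident and let the log, not the researcher's guess, fix the campaign's first and last day.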
Requests to asjdaydyaf[.]info corresponded to a site backed by the RIG Exploit Kit, which currently targets IE, Flash, Silverlight, and Java. In this instance, RIG yielded a malicious JAR file with relatively few AV detections. Successful exploitation resulted in the installation of CryptoWall, a type of ransomware that uses strong cryptography to hold the user's files hostage.
Visualizations of each AskMen[.]com drive-by download instance and the corresponding packet capture (PCAP) files for April, May, June and July are available via Threatglass.
UPDATE (July 9): Barracuda Labs has been corresponding with the AskMen website operators, who have indicated that they have discovered and resolved the security issue behind the incidents.
UPDATE (July 19): The AskMen website is again serving drive-by downloads, which suggests a vulnerability within its infrastructure or intrusion within its operators' organization.
One of the scariest bits of malware out there today is the Cryptolocker Trojan. Cryptolocker is ransomware that restricts access to the victim's files until the victim makes a payment to the criminal. Once the payment is made, the criminal may or may not release access to the files.
How does this happen? Cryptolocker starts out like most other malware: as a drive-by download or an email attachment. You're safest if you can stop it at this level. If you already have infected PCs and botnet soldiers on your network, Cryptolocker can be deployed to your network through those computers too. Again, much like any other piece of malware.
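Both the Breaking Bad post (spread via an infected zip attachment) and the paragraph above name the email attachment as the stage at which you are safest stopping Cryptolocker. The following is an added example of a gateway-side attachment check, not code from Barracuda or its products: it parses a message, opens any zip attachment in memory and flags entries with executable extensions (including double extensions such as invoice.pdf.exe), nested archives, and encrypted entries it cannot inspect. The message, addresses and file names are constructed for the example.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# File types Windows runs directly when a user opens them from an extracted zip.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".jar"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}


def risky_zip_entries(zip_bytes):
    """Return (entry_name, reason) pairs for entries a gateway should block or sandbox."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "unreadable zip")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            # Only the final extension matters: "invoice.pdf.exe" is an .exe.
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            if info.flag_bits & 0x1:
                findings.append((info.filename, "encrypted entry, cannot be scanned"))
            elif ext in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable extension"))
            elif ext in ARCHIVE_EXTS:
                findings.append((info.filename, "nested archive"))
    return findings


def inspect_message(raw_bytes):
    """Parse an RFC 5322 message and list findings as 'attachment:entry: reason'."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        lower = fname.lower()
        # Trust the bytes over the declared name: a zip is a zip whatever it is called.
        if payload.startswith(b"PK\x03\x04") or lower.endswith(".zip"):
            for entry, reason in risky_zip_entries(payload):
                findings.append(f"{fname}:{entry}: {reason}")
        elif any(lower.endswith(ext) for ext in EXECUTABLE_EXTS):
            findings.append(f"{fname}: executable attachment")
    return findings


def build_sample_message(inner_name="invoice_2014.pdf.exe"):
    """Constructed lure: a zip attachment wrapping one file with the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print("BLOCK:", finding)
```

The check is deliberately name-based and cheap, so it belongs in front of, not instead of, the real-time antivirus scanning in the defense kit above; its value is that it catches the lure shape (archive wrapping an executable) even when the payload inside has few AV detections, and it reports encrypted archives it cannot open rather than silently passing them.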