Macs Feel More Crypto-Locker Ransomware Love (InfoRiskToday)

Anti-Malware
,
Technology

Macs Feel More Crypto-Locker Ransomware Love
Fake Apps Haunt BitTorrent Networks, While Trump Locker is Venus in Disguise


February 24, 2017    

Macs Feel More Crypto-Locker Ransomware Love

Mac OS X ransomware in disguise. Image: ESET

Social engineering attacks can take many forms. One tried-and-true technique continues to be hiding malware inside fake versions of popular files, then distributing those fake versions via app stores.

See Also: The Cost of Social Engineering: 3.1 Billion Reasons to Pay Attention


Doing the same via peer-to-peer BitTorrent networks has also long been popular. But as with so many supposedly free versions of paid-for applications, users may get more than they bargained for.


To wit, last week researchers at security firm ESET spotted new ransomware – Filecoder.E – circulating via BitTorrent, disguised as a “patcher” that purports to allow Mac users to crack such applications as Adobe Premiere Pro CC and Microsoft Office 2016.


As Toronto-based security researcher Cheryl Biswas notes in a blog post: “For those who torrent, be careful. If you torrent on a Mac, be very careful.”


A BitTorrent listing for the ransomware. Source: ESET


ESET says the ransomware can also encrypt any Time Machine backups on network-connected volumes that are mounted at the time of the attack. If the ransomware infects a system, it demands 0.25 bitcoins – currently worth about $300 – for a decryption key. But ESET security researcher Marc-Etienne M.L Éveill&eacute, in a blog post, says the application is so poorly coded that there’s no way that a victim could ever obtain a decryption key.


So far, ESET reports that the single bitcoin wallet tied to the ransomware has received no payments.


“There is one big problem with this ransomware: it doesn’t have any code to communicate with any C&C server,” says Éveill&eacute, referring to a command-and-control server that might have been used to remotely control the infected endpoint. “This means that there is no way the key that was used to encrypt the files can be sent to the malware operators. This also means that there is no way for them to provide a way to decrypt a victim’s files.”


The longstanding ransomware-defense advice, of course, is to never pay ransoms, since this directly funds cybercrime groups’ ongoing research and development.


Instead, stay prepared: keep complete, disconnected backups of all systems, and periodically test that they can be restored, and thus never have to consider paying a ransom. “We advise that victims never pay the ransom when hit by ransomware,” Éveill&eacute says.


Trump Locker: Venus in Disguise


The splash screen for Trump Locker, which displays briefly before bringing up a ransom note. Source: Bleeping Computer.


In other ransomware news, new ransomware known as Trump Locker – not to be confused with Trumpcryption – turns out to be a lightly repackaged version of VenusLocker ransomware, according to Lawrence Abrams of security analysis site Bleeping Computer, as well as the researchers known as MalwareHunter Team.


“Unfortunately, you are hacked,” the start of the malware’s ransom demand reportedly reads.


VenusLocker first appeared in October 2016, and got a refresh two months later.


The researchers don’t know if the same group is distributing Trump Locker as distributed VenusLocker, or if another group of attackers reverse-engineered the code, but they say that functionally both appear to be virtually identical, Bleeping Computer reports. For example, both Trump Locker and VenusLocker will encrypt some files types in full, while only encrypting the first 1024 bytes of other file types, including PDF, XLS, DOCX, and MP3 file formats.


Fully encrypted files have “.TheTrumpLockerf” appended to their filename, while partially encrypted files get a “.TheTrumpLockerp” extension added, the researchers say.


Ban the Bitcoin?


Finally, ransomware gangs’ use of customer service portals – to help and encourage victims to pay their ransoms – continues, says Mikko Hypponen, chief research officer of Finnish security firm F-Secure. One chief function of this support appears to be to help victims who don’t know their Windows from their ASP to find a way to remit bitcoins to attackers, according to research into crypto-ransomware called Spora and its related customer-support operation, conducted by F-Secure’s Sean Sullivan.



“A great deal of the chat support issues revolve around one thing: bitcoin,” Sullivan says. “In the past, cybercrime schemes – such as scareware – have been killed off by disrupting the money supply. The same may well be true of cyber extortion; to kill the business model, it may be necessary to ban bitcoin.”


The research is contained in a new 2017 State of Cyber Security report from F-Secure that also includes a stunning display of the history of ransomware in the form of a London Tube map.



Source: F-Secure

Source: SANS ISC SecNewsFeed @ February 24, 2017 at 06:48AM

0
Share