A day or two ago, our friends at Symantec released a blog post about the growing success of "ransomware". (They also have a whitepaper here, and a nice gallery of screenshots of several variations here.)
Briefly, ransomware is malware that either locks up a computer, or encrypts data files, and then offers to restore access once a fine/ransom is paid. Traditionally, it's been more of a problem in Europe (especially Eastern Europe) than elsewhere, probably due to the variety of e-payment mechanisms available to the cybercriminals there. It also has a long history of impersonating various police-type organizations, depending on which country the victim lives in. (And, we should also note that it's foolish to expect the Bad Guys to play nice and actually unlock someone's computer once they've got their money.)
Recently, however, the Bad Guys are figuring out ways to extract money from American victims, and so this type of malware is showing up more often on this side of the Atlantic. (Visa and Mastercard are problematic for the Bad Guys to use for any extended period of time, as they have to find a bank to process the transactions, and that's hard to do, since fraudulent and criminal activity brings too much scrutiny.)
Coincidentally, Jeff had sent out an e-mail to the malware team on Tuesday showing a ransomware example he'd found that had locked up one of his malware analysis computers:
The malware did a pretty thorough job of it — no obvious way to bypass the lock and remove it; no Explorer, no Task Manager, etc. So he flagged the site as Malware, dumped the locked-up VM, and moved on to other work. (Don't try this at home, kids!)
The malware sample had very low detection rates (2 hits in VirusTotal on Tuesday, which had climbed to 5 detections on Wednesday). It was also not detected by the heuristics in at least one sandbox.
In operation, the EXE unpacks itself into another executable, which removes the first one from disk, and then tries to establish a connection with its controller. If it's unsuccessful, it takes no action, but if it can make contact, it proceeds to lock the computer.
So it's nasty stuff, but the good news is that WebPulse has been pretty successful at detecting the nastiness. The site that Jeff collected his sample from was namstat325.org. When I checked the logs, I found that this was one of 19 sibling sites that had been serving the malware for the last couple of weeks. (This attack began on Oct. 19th, initially with rather low levels, but it jumped about a week ago.)
The logs show 153 requests for the payload (which goes by a variety of file names), all of which were flagged as Suspicious in real time by WebPulse's "Shady EXE Detector".
If you look closely at the screenshot, you may note that it's essentially accusing Jeff of either pirating software or viewing child pornography. Symantec notes that one of the common infection vectors for ransomware is via drive-by downloads from porn sites, and one of the social engineering pressures that makes this sort of attack effective is that the victim may be too embarrassed to seek help.
Blue Coat has long recommended that our customers block Pornography as a high-risk category for security, as the Bad Guys have long known that it's an effective bait. (We should also mention that one of our internal reports is a list of "popular sites" — from the top ten thousand or so highest traffic sites in the world — that are showing up in our logs as referring a lot of visitors to malware. In nearly every such report we've seen, at least half of the sites listed are porn sites.)
–C.L. & J.D.
Leave a reply