Resume Ransomware: GoldenEye targets hiring managers, recruiters and HR

People charged with filling career positions at their companies need to be on the lookout for ransomware—especially GoldenEye ransomware.

GoldenEye is a new form ransomware written by the same cybercriminal who gave us the Petya and Mischa ransomware attacks. The author has applied some of the same distribution tactics that Petya and Mischa are known for by masking the ransomware as a job application. GoldenEye attacks typically begin with an email that appears to be from someone interested in a position. The inboxes of human resource personnel and hiring managers are often swamped with emails from potential candidates. As a result, very little time may be spent reviewing each email. Instead, recruiters and HR managers open the attachments and quickly screen resumes or cover letters to determine if the applicant is qualified for the position. GoldenEye takes advantage of this behavior. GoldenEye is currently targeting potential victims in German-speaking countries, but that could change at any moment.

GoldenEye emails include two attachments; a PDF cover letter and an Excel spreadsheet with a file name that includes the phony applicant’s last name, a dash and the word “application” in German. The cover letter looks entirely legitimate. The cover letter has an introductory statement, photograph and then states that the Excel file contains references and results from an aptitude test. The PDF attachment does not include any malicious code but the presence of a well-written cover letter aids in convincing the victim to open the second attachment, an Excel file.

The Excel file contains the ransomware as a macro. The file displays a flower logo that appears to be loading something. Microsoft Office blocks the macro unless macros have been enabled by the victim. Victims are enticed to enable the macros so that the loading screen will disappear to display the resume content. However, once enabled by the victim, the macro will save code into an executable file in the victim’s temp directory and then launch the ransomware. The program encrypts files and displays a ransom message. However, after the initial ransom message is displayed, GoldenEye restarts the machine and encrypts the Master File Table (MFT) and replaces it with a custom boot loader that shows the ransom message upon computer startup.

GoldenEye essentially performs the file encryption activities of Mischa and then restarts to perform the MFG encryption activity of Petya. Both encryption methods have been improved, and decryption methods for Petya and Mischa will not work on GoldenEye.

GoldenEye’s ransom message instructs victims go to a URL on the dark web to obtain their decryption key. Victims will need the decryption code presented in the ransom message to pay the ransom.

Be careful when opening any attachments from an unknown person and ensure you have a backup of critical files so that GoldenEye does not claim a ransom from you.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

PopcornTime offers victims a choice: Pay the ransom or infect your friends

PopcornTime is a newly-discovered form or ransomware that is still in the development stages but operates off a disturbing principle: Victims who have their files encrypted by PopcornTime can agree to pay the ransom, or they can choose to send the ransomware to friends. If two or more of those friends become infected and pay the ransom, the original victim gets their files decrypted for free.

The process is reminiscent of the movie, “The Ring,” where victims who had watched a film had seven days to make a copy of a killer movie, or they would die.

Researchers on the MalwareHunterTeam discovered PopcornTime, which shouldn’t be confused with another application with the same name that is used for streaming and downloading movie torrents.

PopcornTime is also similar to the chain emails or chain letters of days past, where the recipient is told to forward the communication or bad things will happen. The key difference between PopcornTime and chain emails is that with the latter, there’s usually no teeth behind the threats. Most chain emails and letters are proven to be hoaxes. With PopcornTime, the looming threat to your data is real.

PopcornTime is still in development so the final version could differ from what MalwareHunterTeam discovered.

A third choice that makes better sense
It’s worth mentioning that if your files are properly backed up, PopcornTime can’t make you do anything. You can simply delete all infected files, remove the virus from your computer, and download clean versions of your files from backup. Don’t let the criminals coerce you.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

New version of Cerber ransomware hits businesses where it hurts

The latest version of Cerber ransomware is targeting database applications and putting business’s most valuable data at risk, according to recent reports.

Large database applications such as Oracle, Microsoft SQL Server, MySQL and others contain critical data for things like Enterprise Resource Planning (ERP), Customer Relationship Management (CRM) and Electronic Medical Record system. And the latest version is aiming to encrypt all of them in addition to documents, spreadsheets and multimedia files.

How Cerber ransomware works
Ransomware victims are not chosen on an individual basis. Instead, they’re usually found within a pool of available targets organized by country, region or industry. This semi-targeted approach is often used to ensure that as many targets as possible have the means to pay the ransom, either because they live in regions with a high median income, or they work in industries that are known to pay up. Cybercriminals like those spreading the new version of Cerber may also target databases—where many businesses’ store their most important information.

Once Cerber infects a system, it checks to see if it is in a target country. It targets all countries except for Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan. Cerber then places a copy of itself in the %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\ directory using a randomly generated executable name. Cerber then prepares to encrypt files by escalating its privileges through a UAC bypass using DLL hijacking. Cerber needs escalated privileges in order to stop certain services that, if running, would disrupt the process of database encryption.

Database files are usually written to and changed frequently, and database software typically keeps the files open so that data in memory can be flushed down to the files and applications rapidly. Data corruption can occur if the files are tampered with while they are open and criminals would lose the confidence of their victims if they were unable to decrypt files after the ransom was paid so they stop the services first.

Here are the databases that Cerber encrypts as well as the processes that it terminates. If you are running these processes and they stop unexpectedly, this could be a sign of Cerber infection. Each of the processes below is a Microsoft Windows executable. Cerber ransomware currently affects databases running on Windows only.

Database Process
Citrix MetaFrame encsvc.exe
Microsoft SQL Server msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe
Mozilla Firefox firefoxconfig.exe
Mozilla Thunderbird tbirdconfig.exe
MySQL mysqld.exe, mysqld-nt.exe, mysqld-opt.exe
Oracle agntsvc.exe, agntsvc.exeisqlplussvc.exe, agntsvc.exeagntsvc.exe, agntsvc.exeencsvc.exe, dbsnmp.exe, isqlplussvc.exe, mydesktopservice.exe, mydesktopqos.exe, oracle.exe, ocssd.exe, ocautoupds.exe, ocomm.exe, synctime.exe, xfssvccon.exe
Red Gate Software’s SQL Backup Pro sqbcoreservice.exe

Decryption keys were made available for earlier versions of Cerber, but they were removed when newer versions of Cerber came out. A high-quality database backup is crucial for recovering from an encrypted database. Since enterprise database systems change frequently as new transactions occur, backup systems are often continuous, or scheduled at very short intervals, so that little or no data is lost when failures occur. It’s also important to test the restore process regularly to ensure that all relevant data is captured and that the data can be recovered in a reasonable time frame.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Ransomware Incident Response: 7 steps to success

Ransomware infections are becoming increasingly commonplace, and companies that put a plan together before an incident are much more effective at combatting this pervasive malware.

Ransomware response can be broken down into seven steps. Here’s a cheat sheet:

Validate
The first step is to confirm whether a reported ransomware infection is an actual infection. There are cases where a user reports what they think is ransomware, but it turns out to be adware, phishing, or some other virus. Validation is important because it keeps efforts focused on important issues. But if you see a ransomware note demanding payment to unlock files, and your system or files are locked or frozen, then you’ve been hit.

Assemble
Now it’s time for the incident response team to assemble. Incident response teams often include members of your IT staff, management, public relations, and legal. The incident response plan outlines how each member should be trained on how to respond to a ransomware incident. In some cases, the primary person may be unavailable, and it will be necessary to call in a secondary resource to handle that role.

Analyze
The next step is to determine the scope of the incident, including which networks, applications and systems are impacted and whether the ransomware continues to spread. This is often the role of the IT and security point people.

Contain
Containment actions can take place concurrently with analysis activities. In this phase, infected machines are isolated to stop the spread of the ransomware by disconnecting the computers from the network or shutting them down. The scope often changes when containment is underway, and ransomware is still spreading. This phase ends when all infected machines have been isolated from clean machines.

Investigate
The investigation starts by preserving evidence. Some machines will need to be returned to service as soon as possible while others might be less critical. Evidence such as log files or system images is taken of the affected machines along with documentation of serial numbers and asset identifiers.

Eradicate
The eradication phase removes the ransomware from machines and brings them back into a functioning state. Isolated machines are wiped, and then data is restored from backupto each of the machines after the evidence on the computers has been preserved. In some cases, organizations may decide to remove the ransomware and then restore files that were encrypted by the ransomware without wiping the device first.

A full machine restoration prevents other ransomware or malware from causing problems on the computer, and it also prevents backdoors or other software that the ransomware might have installed from being used to infect the machine later. For this reason, it is typically recommended that you wipe the device and restore the operating system and data from backup.

Remediate
The last step is to remediate the problem that the ransomware exploited in the first place. This is often a user training issue, so companies implement more awareness training or coaching of individuals. In other cases, new technology needs to be put in place. If backups were found to be inadequate, the company would back up more data or back up more often. The ransomware incident should result in some improvement actions that the organization can perform to be better prepared for future incidents.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Mamba ransomware takes a bigger bite out of your data

As if encrypting your individual files was not enough, a recently discovered ransomware virus called Mamba encrypts your entire hard drive.

This may sound similar to the Peyta drive encryption ransomware that made headlines earlier this year. But Mamba is a different animal. It differs from Peyta in that it encrypts the entire hard drive while Peyta encrypts only the Master File Table (MFT), the information store that tracks which files are on the drive and where they are located. With Peyta, forensics can recover the data from the drive since the data itself is not impacted. There is also a password generator tool for Peyta that can be used to decrypt the MFT. There is currently no easy fix for the sneaky snake known as Mamba.

Mamba starts by overwriting the Master Boot Record (MBR), the program that tells your computer where to find the files to start your operating system. Mamba’s custom MBR tells the computer to load a ransom demand instead of the operating system when the machine restarts. The ransom demand reads as follows:

You are Hacked! H.D.D. Encrypted, Contact Us For Decryption Key (w889901665@yandex.com) YOURID: 987654

Mamba encrypts the hard drive as well as other mounted drives such as USB flash drives using an AES-256 compatible open source full-disk encryption program called DiskCryptor.  Mamba is primarily distributed through phishing emails, but that could change as Mamba distribution grows. The ransomware currently targets only Microsoft Windows machines of any variety including Windows XP, Windows 7 and Windows 10.

What to do if you’re attacked with Mamba

If your computer is infected with Mamba, your first recovery step is to restore from backup. Mamba encrypts the entire drive so victims will be unable to access the files or operating system without the decryption key. This means that the operating system and all files will need to be restored from backup.

With most ransomware, you have the option of restoring just the files or folders that were encrypted, or the entire machine. The recommended approach is to restore the whole computer, but some cases require the that the device be put back into service as quickly as possible, so a file restore is performed. There is no such choice with Mamba.

There are two options when restoring the system, based on what data is available to restore. Victims with a full system backup can restore the entire system backup to the machine in a single operation. If a full system backup is not available, victims will need to install the operating system and programs and then restore the data. The second option takes more time to perform, and it requires that the user knows which applications were installed on the system, but it will bring the system to a fully functional state with applications and data in the end.

Take the time now to ensure that you have adequate backups so that you can restore your system in case you encounter full-disk encryption ransomware like Mamba. Consider which restore strategy would be ideal for your company, and how much time your employees can go without access to their computers or data. Then craft a backup strategy that meets your recovery expectations.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today

The Economics of Extortion: Understanding the ransomware market

We all know money is the motivating force behind cybercrimes like the creation and distribution of ransomware. The interesting twist with ransomware is that the basic rules of supply and demand become a little hard to follow. Typically you have a buyer and a seller. In the case of ransomware, the distributor—or supplier—has to steal what’s in demand—your data.

Cybercriminals create the demand by restricting access. Victims realize they need access and­—if they cannot get access themselves by restoring critical files from backup—they end up paying the ransom and fueling this economy. This applies to online consumers, small business owners, and CEOs—they have all paid to retrieve data.

It’s interesting to consider the ransomware economy in the following five segments:

1) Investment 

Cybercriminals leasing ransomware can obtain it for as little as $39 and as high as $3,000 depending on which type is purchased. They must then distribute it. Distribution costs include time spent creating and sending emails. According to Trustwave, an IT security team that spent time trying to dissect the ransomware economy, it would cost about $2,500 to spread 2,000 ransomware infections once you factor in the time to send emails and compromise sites.

2) Pricing 

Ransom demands in the United States have been known to be several hundred dollars higher than the same ransomware in Mexico or other countries with lower median incomes than the U.S. Ransomware authors have researched regions and incomes—and they understand that they can only charge what the market will bear. Ransomware authors also consider the bitcoin exchange rate when determining the ransom demand. This helps cyber criminals set a ransom that victims can afford to pay regardless of which country they’re from. In the U.S., the average ask is between $300 and $500, according to many industry sources.

3) Target market 

The target market for ransomware consists of consumers and companies that retain important or business-critical information and have the ability to pay the ransom. Unfortunately, these people also typically aren’t adhering to IT security best practices. Hospitals and other healthcare organizations are a popular target for cybercriminals because of the pressure to pay up quickly, rather than risk patient health.

4) Revenue 

Estimates as to how much has been paid in ransom tend to be conservative because many payments are undisclosed. That said, The U.S. Departments of Justice Internet Crime Complaint Center received reports of ransom payments totaling $24 million in 2015. And in July 2016, ransom payments for Cerber ransomware alone totaled $195,000 for the month. But the market is growing exponentially, and the FBI has said ransomware costs could total $1billion this year.

5) Competition 

The relatively low barrier to entry has resulted in fierce competition among cyber criminals. Some ransomware authors and cyber-extortionists have even adopted higher levels of professionalism to make it easier for victims to pay up. And, in an interesting angle to the supplier side, ransomware kits are easily available and come with simple instructions, meaning that distributors can sell ransomware to new, smaller distributors—as long as they are guaranteed a piece of the profits.

The ransomware economy is booming and returns are high. That means you can expect the number of ransomware attacks to continue rising. Protect yourself by having adequate backups in place before a ransomware attack occurs. Test your backups to ensure that the right data is being protected and can be restored in satisfactory time frames. Also, ensure that a backup copy is kept in a different location from production data so that ransomware does not infect both at the same time.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Pokemon Go ransomware virus is out to catch’em all

A Pokemon Go-themed ransomware virus has appeared on Windows computers, tablets, and phones. The ransomware is the latest in a series of malicious applications that have popped up in the wake of the global Pokemon Go obsession.

This particular piece of malware is known as POGO Tear and it’s based on open source ransomware code called Hidden Tear. POGO Tear encrypts the files on victims’ computers, changes the extension to “.locked” and then demands a ransom on a screen emblazoned with famed character Pikachu’s picture.

POGO Tear is currently coded to display its ransom message in Arabic only as shown below. The text informs users that their data has been encrypted and instructs them to contact blackhat20152015@gmail.com to decrypt their files. It also thanks them for their generosity.

POGOTear

What’s interesting about this malware is that it incorporates several features not usually found in other ransomware viruses. POGO Tear creates an administrative user account called Hack3r on the victim’s machine and then hides it from the logon screen so the user can’t tell it’s there.

It also creates a network share on the victim’s computer and copies itself to all available network drives. The ransomware automatically executes when Windows starts.

How to recover from POGO Tear
When your computer is attacked with POGO Tear, it’s not enough to simply remove the infected files and restore from backup. Victims must also remove the backdoor administrator account and ensure that it has been cleaned from all removable drives and connected computers before performing restore operations. Otherwise, the administrative account could allow an attacker to install additional ransomware, or even steal data using more traditional attack methods.

It appears that POGO Tear is still in a beta or development stage. It uses a static decryption key which will most likely be replaced with a random key when it’s fully deployed. Currently, files encrypted by POGO Tear can be decrypted with the following AES encryption key: 123vivalalgerie

POGO Tear has a private IP address of 10.25.0.169 coded into it for command and control, indicating that the developer of it is still testing out command and control functionality since a private IP address cannot be directly referenced by other computers over the internet. This will most likely be replaced with a set of internet-accessible dynamic DNS names once the full version is released. POGO Tear does not exist in any other languages besides Arabic and it currently does not specify a value for the ransom.

If you are infected with POGO Tear, you can decrypt your files with the key mentioned above. But be sure to have adequate backups, endpoint protection, and network security controls in place to guard against the future release of the full version.  And if you’re interested in playing Pokemon Go, be sure to download the official version from Niantic when visiting your favorite online app store.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.