Karmen ransomware makes it easy to launch attacks

A new malware do-it-yourself kit called Karmen is making it easy for wannabe cybercriminals to launch ransomware attacks.

Security researchers believe the recently discovered ransomware as a service (RaaS) offering was developed in part by a Russian-speaking ransomware author who goes by the alias DevBitox. For a price, Karmen can turn almost anyone into a cybercriminal in just a few clicks.

 

RaaS offerings like Karmen began popping up on the dark web in 2015 and ransomware developers have continued to make the kits more user-friendly over time.

Karmen is based on a well-known open source ransomware project called Hidden Tear. Using a web-based interface, aspiring cyber-extortionists can customize Karmen before distributing it to potential victims. The ransomware also comes with a dashboard that allows cybercriminals to track the number of machines infected and the total revenue accrued. The dashboard also notifies users when a new version of Karmen is available so they can continue distributing the latest ransomware.

Karmen automates many processes—including payment processing—so users can concentrate on distributing the ransomware. The creators of Karmen are currently charging $175 to would-be criminals who want to get into the ransomware game.

Some might assume that an inexpensive ransomware kit would be quickly picked up by antivirus software, but Karmen is a well-designed piece of malware. It’s packaged with a small loader and doesn’t take up much space. Karmen can detect if it is operating in a sandbox environment and can automatically delete portions of its code to prevent security researchers from analyzing it.  Karmen scrambles files with AES 256-bit encryption and operates with minimal connections to its command and control server.

The ease of use and low price point of Karmen lowers the barrier to entry to the ransomware market. This just the latest indication that ransomware attacks will continue to increase, requiring companies and consumers to be more vigilant than ever before.

To protect your data, it’s important to educate yourself and employees on healthy computing habits, such as how to detect phishing messages, how to properly handle data and what to do if anomalies in the computing environment are detected. Education combined with a host of technical controls such web traffic filtering, virus detection and firewall protection go a long way toward reducing the incidence of attacks.

But you need to be ready if a ransomware attack succeeds. That’s why business and individuals need an effective backup and recovery solution. Ransomware attacks your valuable data and demands payment, but you can reject such demands if your own backups are current, intact and easily accessible.

Once the backup system is installed, don’t wait for ransomware such as Karmen to put it to the test. Be sure to conduct data restore tests regularly. This will familiarize team members with the recovery process and ensure that your data will be restored as quickly as possible when disaster strikes.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Mac Users Face Increased Ransomware Threats

Apple Inc. has a reputation for building secure devices, but don’t become too complacent because ransomware threats to Mac users are on the rise.

While ransomware attacks against Microsoft Windows-based computers and servers remain far more prevalent, security researchers have detected new Mac threats in recent years and expect to see new threats in the future. Here’s a quick look at three forms of ransomware that are known to target Mac users:

KeRanger disguises itself as a popular application
Imagine this: You go to download a copy of Transmission, the popular torrent download application, only to find that it infects your computer with ransomware. That’s what happened to more than 7,000 Mac users in 2016 after cybercriminals hacked into the Transmission website and implanted KeRanger—ransomware that targets Mac OS X—into the downloads. The downloads were stamped with the official Transmission developer certificate so Gatekeeper, the Mac function that validates applications, was easily fooled.

The ransomware was hidden inside a file called general.rtf and was designed to wait three days before encrypting user data. After encrypting files, the malicious software displayed a ransom note demanding one bitcoin. The ransomware installer has since been removed from Transmission’s website.

Think you’re fixing apps with Patcher? Think again
Patcher disguises itself as a patching tool for well-known apps like Adobe Premiere Pro and Microsoft Office. The ransomware, which has been downloaded via BitTorrent, is so poorly designed that even the malware’s creators are unable to supply decryption keys to victims who pay the ransom.

Patcher stores important files, documents, pictures and other media in an encrypted .zip file and deletes the original data. It then attempts to wipe the free space on the drive so that disk recovery tools will be ineffective. Patcher concludes by scattering copies of “README!.txt” in the victim’s document and picture folders. The README! file contains ransom payment instructions.

FindZip makes you hunt for decryption keys
Much like Patcher, FindZip ransomware attacks Mac users by copying important files into an encrypted .zip file and deleting the original data. FindZip, which is also known as Filecoder, has no decryption capabilities so victims who pay the ransom will not be able to recover their data. The good news is that you can discover the decryption keys by comparing an unencrypted file to an encrypted one. Avast has created a tool that automates the process of discovering the tools and decrypting files.

Protect your Mac from ransomware
Mac users are clearly not free from the threat of ransomware. While not at epidemic proportions, ransomware attacks against Macs have seen widespread success by breaking into systems that were assumed secure. Fortunately, users today have access to a variety of backup options. You can add an extra layer of protection to your Mac computer by stepping beyond the Apple ecosystem of TimeMachine nearline backups and iCloud synchronization and embracing a third-party cloud backup solution.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Ransomware extortionists not as trustworthy as they’d have you believe

There are a variety of different ransomware variants that encrypt your data with no intention of ever decrypting it. There are also ransomware distributors who are happy to collect ransom payments but have no interest in returning anyone’s data.

Innocent victims often fall prey to ransomware hoaxes or find problems with ransomware decryptors. They all end up in the same place they started, without their valuable data.

Some of the groups behind the most prevalent ransomware viruses are working to build up confidence that victims will receive their data if they simply pay the ransom, but victims have learned the hard way that paying the ransom comes with no guarantee.

Purely destructive ransomware
There have been a number of ransomware viruses that infect systems only to delete victims’ files and then demand a ransom payment. One version—dubbed Ranscam because it is a ransomware scam—does exactly this. Similarly, AnonPop also pretends to be ransomware, deleting victim files rather than encrypting them.

The good news is that both Ranscam and AnonPop do not wipe the data from the disk. Wiping writes over data multiple times so that it cannot be recovered. That means if your files are deleted by Ranscam and Anonpop, you may be able to get them back using a file recovery program. Victims of Anonpop can also use their “system restore” feature to restore files and settings.

Ransomware hoaxes
Citrix did a study of 200 UK companies who had received fake ransom demands and found that 63% of them still paid the ransom. Why? Because they were unsure whether the demand was real or fake. Victims sometimes received demands for ransom in email, through browser popups, or in messages on their mobile devices.

Sometimes victims are unable to obtain decryption keys because ransomware authors stop supporting a particular version of a ransomware virus. But this doesn’t stop them from spreading those versions around and demanding ransom, even though there is no way to recover the data.

In some cases, new versions of ransomware are released because anti-malware researchers have released decryptors for a previous version. However, in other cases, ransomware authors upgrade their software proactively before a flaw has been discovered. For example, the creators of JIGSAW made updates to their code that changed encryption packages, but versions in the wild still contained the old code and could not be decrypted.

Occasionally, there are bugs in ransomware code that prevent extortionists from generating decryption keys. CryptXXX came out with a new version, but bugs in the payment system prevented it from sending decryption keys to victims who paid. Those who were infected were able to pay the ransom, but the decryption capability no longer existed or was unavailable.

Cybercrime power struggles
Some victims of ransomware have started communicating with an extortionist or even paid a ransom demand and then found that the extortionist was apprehended by law enforcement. Law enforcement forensically preserves data and evidence for court and shuts down services, but victims are left without decryption keys, so their machines wipe data or remain encrypted. At some point it is possible that they will receive their money back, but not their data.

Other extortionists have been taken down by a rival cybercrime groups or hackers in the midst of their negotiations with victims, and in some cases, victims have already paid the ransom or some portion of it. Unfortunately for these victims, their transactions were lost in the limbo of cybercrime power struggles, and they may not end up getting their data back.

The big cybercrime groups behind some of the major ransomware variants out there try to establish some level of integrity with their victims so that they will pay the ransom. But there are plenty of others who show that trusting a criminal is a gamble at best.

Don’t gamble with your data. Paying ransoms is not an effective way to recover data. Ensure that you have a robust backup and recovery strategy in place and you’ll never have to pay the ransom.

 For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Ransomware Recovery: How to meet realistic Recovery Time Objectives (RTOs)

When it comes to ransomware attacks, those who lose valuable data and have no viable backup tend to pay the ransom, while those with backups simply restore their data. However, neither group walks away unscathed because they both suffer downtime.

Downtime is the period when systems are unavailable for use, and it can cost small and midsize businesses thousands of dollars or worse—it could put them out of business. An Imperva survey of RSA 2017 attendees found that downtime costs companies more than $5,000 in 56% of cases and more than $20,000 in 27% of cases. Depending on the size of your company, this could be the cost of doing business, or it could be a catastrophe.

Establishing  Recovery Time Objectives (RTOs)
Companies should take the time to identify the maximum amount of downtime that is acceptable under various disaster scenarios. It’s a good idea to get started on this right away because this information will help determine what type of backup systems you need to have in place.

For example, business leaders may decide, after analyzing the data, that email should be restored within 10 minutes, domain services within 30 minutes, customer facing websites within 30 minutes and the Enterprise Resource Planning (ERP) system within 45 minutes. These values constitute applications’ Recovery Time Objectives (RTOs). Business leaders may also decide that email can be down for a maximum of one hour, domain services for two hours, customer facing websites for four hours and the ERP system eight hours before losses due to the downtime are intolerable. Each of these values constitutes a Maximum Tolerable Period of Disruption (MTPOD).

In most circumstances, systems would need to be restored in accordance with the RTOs and, in extraordinary circumstances, systems would be restored within the MTPOD.

Based on the RTO and MTPOD, IT and other groups put redundancy, business continuity, and backup and recovery strategies in place to meet these objectives. This may involve a hybrid recovery strategy with cloud and on-site backups. Companies might also decide to use cloud replication with virtualization to resume services at another site if the primary site fails. Backup and recovery systems are crucial in bringing systems online after disasters like ransomware strike.

Actual vs. estimates
I have found that initial estimates for recovery objectives are often in need of revision following the first incident. Trend Micro estimates that the average ransomware recovery takes 33 hours. This is far higher than most organizational estimates prior to a ransomware infection. That’s likely because organizations don’t always factor in the initial steps of incident response when determining their RTOs. In the example above, recovery controls alone might be able to meet the domain services MTPOD of two hours, but it takes first responders 30 minutes to validate the incident and identify the extent of the incident scope, which results in the organization exceeding the MTPOD by 30 minutes.

In other cases, organizations have been surprised by the scope of ransomware infections. Trend Micro found that 47% of ransomware spreads to 20 or more people. Furthermore, ransomware is efficient at targeting sources of information in organizations. Without this critical information, large groups of employees are unable to do their jobs.

It’s also important to remember that recovery plans need to be kept up to date. Organizations relying on outdated plans may have unclear expectations as to when steps in the plan will be complete and as a result, they will be unable to meet recovery objectives.

Action items
Establish RTO and MTPOD for systems based on their availability need. Next, put controls in place to meet these recovery metrics. If you have not experienced ransomware before, consult with those who have to determine if controls are adequate. Backup and recovery controls are the most crucial elements and must be designed appropriately. That means ensuring that recovery is available to the required locations at appropriate speeds to meet objectives.

Recovery metrics should be reevaluated annually to ensure that changes in business availability needs are reflected in the established metrics. Controls should go through a similar process of evaluation against recovery metrics to ensure that controls can adequately meet recovery metrics for potential threats.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Spora ransomware could become a major player

Spora is a relatively new ransomware, but there are signs which indicate that it could become a major player in the underground ransomware market, according to various reports.

There are currently hundreds of ransomware variants being used by cybercriminals, but only a handful are backed by major criminal syndicates that have the funding to write robust malicious code and the infrastructure to support global extortion efforts. These groups are behind some of the biggest names in ransomware like Locky, CryptoLocker and TeslaCrypt. Spora is not there yet, but it’s certainly on its way.

A strong build
The first thing that sets Spora apart from a large number of homegrown ransomware variants is its encryption capabilities. Spora utilizes offline encryption to avoid detection and is capable of performing the encryption using a unique key set without communicating with a command and control server. This is not a brand new technique. It’s been used successfully in the past by both Cerber and Locky. Spora differs in that it encrypts each file with a distinct key, then file keys are encrypted with an AES key unique to the victim.

Second, Spora has a very well designed website with a professional look and feel. It has an easy to use interface consisting of a clean dashboard with colorful icons, tool tips and a live support chat that delivers quick responses to inquiries, according to security researchers.

One very interesting feature of Spora is that it offers victims a menu of options for retrieving some or all of their files as well as protection services. They allow users to decrypt two files free as an act of good faith and to demonstrate their ability to decrypt the data. Other options include decrypting several files for $30, removing the ransomware for $20, protecting against further infections of Spora for $50, and a full restore for $120. However, it should be noted that these prices may change. Spora uses identifying information provided by victims when they connect to the payment website to dynamically generate prices. The cybercriminal behind Spore likely charge more for businesses or for those in different regions. Even with its dynamic prices, Spora is priced much lower than other ransomware, a strategy that was likely designed to build up their reputation.

Spora’s weaknesses
Despite these strengths, Spora has some significant weaknesses. The ransomware does not yet have a way to bypass the UAC, a feature in Microsoft Windows that prevents programs from running with escalated privileges. A UAC warning message appears when Spora executes and victims must allow the program to run. Spora also launches a command prompt to delete volume shadow copies and the command prompt is displayed on the screen for the victim to see.

At the moment, Spora is limited to Russian-speaking countries. The attackers behind this ransomware appear to be organized and professional so it is likely that the next version of Spora will address its current deficiencies and target a much larger audience. Prepare yourself by backing up your data and by validating that your backups can be restored.

Continue reading

The top 10 ransomware attack vectors

Ransomware is infecting the computers of unsuspecting victims at an astronomical rate. The various methods that cybercriminals use to take over a machine and encrypt its digital files are called the attack vectors, and there are quite a few.

In this article, we’ll explore the top 10 ransomware attack vectors. The first five exploit human weaknesses through social engineering attacks. In other words, they use carefully crafted messages to entice victims into clicking a link, downloading software, opening a file or entering credentials. The second five spread ransomware computer to computer. Humans may be somewhat involved in the process by navigating to a site or using a machine, but they are primarily automated processes. Let’s take a closer look at each attack vector:

1. Phishing
Phishing is a social engineering technique where phony emails are sent to individuals or a large group of recipients. The fake messages—which may appear to come from a company or person the victim knows—are designed to trick people into clicking a malicious link or opening a dangerous attachment, such as the resume ransomware that appeared to be a job candidate’s CV.

2. SMSishing
SMSishing is a technique where text messages are sent to recipients to get them to navigate to a site or enter personal information. Some examples include secondary authentication messages or messages purporting to be from your bank or phone service provider. Ransomware that targets Android and IOS-based mobile devices often use this method to infect users. For example, after infecting your device, Koler ransomware sends a SMSishing message to those in your contacts list in an effort to infect them as well.

3. Vishing
Vishing is a technique where ransomware distributors leave automated voicemails that instruct users to call a number. The phone numbers they call from are often spoofed so that messages appear to come from a legitimate source. When victims call in, they are told that a person is there to help them through a problem they didn’t know they had. Victims follow instructions to install the ransomware on their own machine. Cybercriminals can be very professional and often use a call center or have sound effects in the background to make it seem like they are legitimate. Some forms of vishing are very targeted to an individual or company and in such cases, criminals usually know quite a bit of information about the victim.

4. Social media
Social media posts can be used to entice victims to click a link. Social media can also host images or active content that has ransomware downloaders embedded into it. When friends and followers view the content, vulnerabilities in their browser are exploited and the ransomware downloader is placed on their machine. Some exploits require users to open a downloaded image from the social media site.

5. Instant message
Instant message clients are frequently hacked by cybercriminals and used to send links to people in a user’s contact list. This was one technique used by the distributors of Locky ransomware.

6. Drive-by
The ‘drive-by’ technique places malicious code into images or active content. This content, when processed by a web browser, downloads ransomware onto the victim’s machine.

7. System vulnerabilities
Certain types of ransomware scan blocks of IP addresses for specific system vulnerabilities and then exploit those vulnerabilities to break in and install ransomware onto the machine.

8. Malvertising
Malvertising is a form of drive-by attack that uses ads to deliver the malware. Ads are often purchased on search engines or social media sites to reach a large audience. Adult-only sites are also frequently used to host malvertising scams.

9. Network propagation
Ransomware can spread from computer to computer over a network when ransomware scans for file shares or computers on which it has access privileges. The ransomware then copies itself from computer to computer in order to infect more machines. Ransomware may infect a user’s machine and then propagate to the company file server and infect it as well. From here, it can infect any machines connected to the file server.

10. Propagation through shared services
Online services can also be used to propagate ransomware. Infections on a home machine can be transferred to an office or to other connected machines if the ransomware places itself inside a shared folder.

Be cautious and skeptical of the messages you receive, whether they come from email, instant message, text, voicemail or social media. Ransomware distributors are crafty and one click could be all it takes. Technical controls are also necessary to screen out unwanted content, block ads, and prevent ransomware from spreading. The most important thing is to have adequate backups of your data so that, if you ever are attacked, you can remove the virus and download clean versions of your files from the backup system.

Continue reading

How ransomware extortionists hide their tracks

Cybercriminals extorted about one billion dollars from ransomware victims last year, according to the FBI. And nearly all of those perpetrators went unprosecuted because of the innovative methods they use to protect their identities and hide their funds. They go to great lengths to keep authorities from seizing or freezing their money. By and large, their efforts have paid off. Here’s how they do it:

Hidden identities, disposable email
Extortionists protect their identities whenever interacting with victims. This generally occurs when they distribute ransomware, and when they collect ransom payments from victims in exchange for decryption keys.

Extortionists use disposable email accounts and when sending out phishing emails that target victims. These accounts have fake names associated with them and no useful contact information. In some cases, the accounts are owned by another individual—a person whose account was compromised, taken over and used to send malicious emails.

Layered like an onion
Extortionists often protect themselves during the collection phase by using so-called “onion routing” tools like Tor, which use multiple layers of encryption to ensure anonymous networking and communications. Tor is a network of computers that exchange encrypted data among themselves to obscure the source of the data. This prevents researchers and law enforcement from identifying where the decryption keys are stored.

Cryptocurrency enables anonymity
The cybercriminals responsible for disseminating ransomware typically demand payment in some form of cryptocurrency. Bitcoin is the most popular cryptocurrency with Litecoin and Dogecoin coming in second and third place, respectively. Bitcoin currency is stored in a digital wallet and bought and sold over bitcoin exchanges, through peer-to-peer marketplaces, and via person-to-person trades using an intermediary. Bitcoin transactions are logged publically but transactions only reference the wallet IDs of each partner in the transaction, not the names of the individuals themselves. Wallet IDs have no identifying information associated with them other than their number.

Cybercriminals typically keep a wallet ID for a short period of time and may only use it for a few transactions before switching to a new wallet ID. This ensures that specific wallet IDs are not identified as major bitcoin traders. They also use bitcoin laundering services or anonymizers like bitmixer.

Gift cards and money mules
Some forms of ransomware accept vouchers for payment. These include gift cards and CashU, MoneyPak, MoneXy, Paysafecard and UKash vouchers. These may be used to purchase goods that “money mules” then sell over the internet for cash. Money mules are also used to liquidate cards by selling them to individuals at less than face value. Cybercriminals prefer cryptocurrency because it allows them to keep a greater percentage of the profits.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.