PopcornTime offers victims a choice: Pay the ransom or infect your friends

PopcornTime is a newly-discovered form of ransomware that is still in the development stages but operates off a disturbing principle: Victims who have their files encrypted by PopcornTime can agree to pay the ransom, or they can choose to send the ransomware to friends. If two or more of those friends become infected and pay the ransom, the original victim gets their files decrypted for free.

The process is reminiscent of the movie, “The Ring,” where victims who had watched a film had seven days to make a copy of a killer movie, or they would die.

Researchers on the MalwareHunterTeam discovered PopcornTime, which shouldn’t be confused with another application with the same name that is used for streaming and downloading movie torrents.

PopcornTime is also similar to the chain emails or chain letters of days past, where the recipient is told to forward the communication or bad things will happen. The key difference between PopcornTime and chain emails is that with the latter, there are usually no teeth behind the threats. Most chain emails and letters are proven to be hoaxes. With PopcornTime, the looming threat to your data is real.

PopcornTime is still in development so the final version could differ from what MalwareHunterTeam discovered.

A third choice that makes better sense
It’s worth mentioning that if your files are properly backed up, PopcornTime can’t make you do anything. You can simply delete all infected files, remove the virus from your computer, and download clean versions of your files from backup. Don’t let the criminals coerce you.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Ransomware distributor gets hacked: A look behind the curtain

Two email accounts of a ransomware distributor were recently compromised. The analysis of these accounts gives an interesting “behind the curtain” view of a ransomware distributor. It appears that even malicious hackers use a bit of security advice.

The email account, cryptom27@yandex.com, which was used by the attacker behind the recent San Francisco Municipal Transportation Agency (SFMTA) ransomware incident, had an easily-guessable secret question. That allowed a security researcher to take over the account. The unidentified attacker had a backup email account, cryptom2016@yandex.com, that used the same secret question and was also compromised.

The analysis of these emails was reported by IT security blogger Brian Krebs, and it reveals a lot about ransomware distribution. First, the ransomware distributed by this attacker was not targeting specific organizations but was targeting an industry instead. The attacks focused primarily on U.S. construction and manufacturing firms. However, the attacker did not turn away business from those he had inadvertently exploited while launching the attack. The attacker also used an exploit designed to take control of Oracle servers and use them to distribute more ransomware.

The attacker used various threats to coerce victims into paying ransom demands. Victims were told they would never get their data back if they did not pay up. The attacker demanded payment within 48 hours, or the data would be deleted, and in some cases told victims that the ransom demand would increase the longer they spent thinking about it.

The attacker used Mamba (HDDCryptor) ransomware, which encrypts entire hard drives. After the hard drives were encrypted, the attacker’s victims were presented with a message telling them to send an email to one of the aforementioned email addresses to get payment instructions. The attacker apparently used a third email address, but this one did not use the same secret question, and the researcher could not obtain access to it.

The analysis also shows how profitable ransomware can be. The attacker using these email addresses collected $45,000 from a previous attack on a U.S. manufacturing firm. This money was collected through various attacks over the course of a few months. This information was obtained from the two compromised email accounts. These attacks appear to have been committed by a single individual, but it is possible that multiple individuals were involved.

This case demonstrates the ease with which ransomware attacks can be carried out, as well as their massive earning potential. It’s important for individuals and companies to protect themselves primarily by ensuring that all important data and systems are backed up and that those backups are stored in a location segmented from production systems.

A wide variety of technical controls can help detect ransomware and prevent its spread. User awareness training can help reduce the effectiveness of ransomware distribution through phishing. However, none of these methods are 100% effective. That is why backups are essential to any defense strategy. Take a lesson from this analysis and protect yourself because this threat is far from over.


The psychology of a ransomware attack: A guide to what makes victims click

Cybercrime is very much a psychological game and ransomware is no exception. Psychology plays a major role in almost all aspects of ransomware from the moment an attack is launched to the moment the victim pays—or refuses to pay—the ransom.

Psychology of ransomware distribution
Most ransomware is distributed through phishing emails, instant messages, and text messages. Distributors use psychological tactics designed to create a sense of urgency and force the victim to click a malicious link or attachment quickly. This preys on a person’s emotions, especially fear. Victims are told they might lose access to an account; that an unauthorized payment has been made; or that medical benefits are about to change. These statements scare victims into clicking and, as a result, they get hit with a dose of ransomware.

Ransomware distributors also understand victims’ desires. They know that most people would love an easy path to money, recognition, or free merchandise, and they create phony offers to capitalize on this tendency.

Psychology of ransomware demands
Ransomware demands rely primarily on the fear of losing data. Ransomware infections are often noticed when access to data is needed. Suddenly, rather than seeing the files, a ransom message is displayed. Fear is also used in ransom messages that display warnings of illegal or embarrassing behavior. Those accused of a crime by fake FBI warnings or messages regarding pornography viewing are loath to seek help from others. Why? Because they fear that their activities would be put under a microscope and that friends, family or coworkers will think less of them.

Ransomware also uses tactics that further build anxiety such as assigning deadlines to ransom payments. TruCrypt ransomware, for example, demands a ransom payment within 72 hours. After that, recovery keys would be unavailable.

Some have taken a completely different approach. CryptMix, released earlier this year, promised to donate ransoms to charity if victims paid their large demand of 5 bitcoins to decrypt data. When faced with a difficult decision, people want to know that they are doing the right thing and CryptMix allows victims to believe that they are helping someone in the process. Whether anyone actually believes that the authors will donate the ransom money to charity is beside the point because it is the desire to believe that really matters—and that’s the desire the ransomware authors count on.

Ransomware distributors know how to push our psychological buttons. That is why it is important to prepare yourself psychologically for a ransomware attack and for the phishing messages that are often used to distribute ransomware. Take the time to consider emails, instant messages, and SMS before clicking links or downloading software. Plan how you will respond if you have a ransomware infection. Verify that you have good backups and that you know how to perform a restore operation.


Enterprise Ransomware Protection Insights

This past year, ransomware has extorted vast sums of money from enterprises.  Ransomware is a form of malware that encrypts data and then demands a ransom payment to decrypt it.  The most common ransomware encrypts files likely to contain work product, cherished memories, or user-created content such as documents, spreadsheets, source code, pictures, music, and videos.  Such files are of high importance to users.  Other ransomware encrypts entire hard drives or targets database files for Oracle, MySQL, Microsoft SQL Server and email databases. 

The results have been disastrous for companies without backups.  Those companies had to cope with lost data or pay the ransom, and not all companies that paid received their data back.  Even those with backups were affected, albeit to a lesser extent, by expending time and effort restoring systems and eradicating the ransomware.  Ransomware by its nature cannot be ignored.  Ransomware hits home; it hits our pocketbook, and its impact is wide-reaching.

Fortunately, there are some advanced technologies available to prevent ransomware from infecting your business.  I had the pleasure of interviewing Liviu Arsene (@LiviuArsene), Senior E-Threat Analyst at Bitdefender, on ransomware and he had some great insights.   

Vanderburg: How do you differentiate ransomware from other malware?

Arsene: If other malware’s purpose is to covertly collect and broadcast sensitive data from a victim’s computer, ransomware is all about restricting access to that data and demanding payment to restore access to it. Ransomware is a strictly financial type of malware with a huge conversion rate, causing hundreds of millions – potentially close to one billion – dollars in financial losses. Another difference is that while other malware may try to elevate its privileges in order to gain persistency on a victim’s computer, ransomware is all about encrypting specific files or databases with little regard about persistency. Ransomware’s goal is simple, to the point, and strictly financially driven.

Vanderburg: How is ransomware currently circumventing security controls?

Arsene: While the actual payload that starts the file-encrypting process is relatively simple to detect, ransomware comes packed in various layers that shield the malicious payload. Using highly obfuscated packers that alter the original binary’s data and then restore it (more or less) before execution, their goal is to compress the file-encrypting payload to the point where a traditional security solution won’t be able to recognize the malicious code. 

Ransomware developers also employ polymorphism techniques for altering the malicious code for each infected victim, but keeping the original function (its semantics) the same. This way, the malicious code will always look different, but it will perform the same – file encrypting – functions.

Vanderburg: How does Bitdefender detect and eradicate ransomware before it begins encryption? 

Arsene: Machine learning is a really powerful tool in Bitdefender’s arsenal for fighting ransomware. We’ve been relying on patented machine learning algorithms since 2009 to identify new and unknown threats. Properly training them to accurately identify even unknown ransomware samples was only natural, as traditional security mechanisms cannot cope with the new techniques employed by cybercriminals. Reverse engineering is also important, as by analyzing ransomware samples, security researchers are able to either reverse engineer encryption algorithms and provide decryption keys to victims, or create generic heuristics capable of even identifying unknown malware that belongs to the same family.

Vanderburg: Where do enterprises need to focus to combat the ransomware threat?

Arsene: Ransomware has become a nuisance for enterprises because cybercriminals have figured out that organizations have much more to lose if their data is lost, rather than the average users. Consequently, an organization would be willing to pay a great deal more than $300 to regain access to its data. Considering that two healthcare institutions (Hollywood Presbyterian and MedStar Health) have admitted to paying $17,000 and $18,000 respectively to get the decryption key to their ransomware-encrypted files, it’s safe to say that cybercriminals have made a lot of money just by infecting two victims.

To that end, organizations need to focus on making sure that critical data is constantly backed up offsite or in a segregated network, security and email-filtering solutions are deployed across the entire organization, and that employees are trained to spot phishing emails with malicious attachments. The weakest link in the security chain is usually the individual behind the computer, so it’s vital they’re not tricked into executing malicious attachments or downloading ransomware-infected applications from untrusted websites.

Vanderburg: What is Bitdefender doing to protect against tomorrow’s threats?

Arsene: Bitdefender has been employing anti-ransomware technologies, such as machine learning and ransomware-specific heuristics, for accurately identifying new and even unknown ransomware. We’ve even developed an anti-ransomware vaccine, whose purpose is to immunize computers from known ransomware families and prevent infection from similarly-behaving ransomware.
As always, thoughts and ideas are my own. This insight wouldn’t be possible without the help of my associates at Bitdefender.

Protecting against APTs with Machine learning

Machine learning is a science that uses existing data on a subject to train a computer how to identify related data.  Just like with humans, the more training a machine learning algorithm gets, the more likely it is to succeed at its task.  We have an extensive amount of information on attacks that can be used to train machines.  After all, new attacks come out every day and over a hundred million malware samples have been collected each year since 2014.  This information, as well as the historical information, can be fed into machine learning algorithms to better understand the attacks that haven’t happened yet.  Machine learning systems are comprised of algorithms that determine how the program will interpret, understand, and correlate information to make decisions.  As new data is added to a machine learning system, it can produce results which are tested and then refinements can be made to the algorithm or to assumptions or predictions that were made. 

Advanced Persistent Threats (APT) are an especially big problem for enterprises.  These attacks are intelligently designed by teams of attackers and are highly targeted.  They utilize some of the latest technology and are usually based on extensive information gathered about the target from sources such as social media, the dark web, probes of public sources, dumps from previous hacks, and social engineering.  Once in place, APTs can operate covertly over an extended period of time, causing significant damage to the organization, its customers, services, and ability to do business.  Intelligent solutions are needed to combat these threats.  For example, Bitdefender’s machine learning system analyzes programs as they run to identify anomalous behavior.  It can identify potentially vulnerable software and alert administrators to this before those vulnerabilities are exploited by attackers.  This puts the enterprise on the proactive rather than the reactive side of security. 

Machine learning systems need to be quite powerful so they utilize the power of the cloud to process large amounts of data and millions of distributed clients to collect it from around the globe.  Machine learning systems are comprised of multiple machine learning algorithms that each process the data in different ways looking for patterns of attacks or anomalous behavior.  What once was science fiction is now science fact. 

Such systems are proven technologies, not futuristic fantasies.  Bitdefender’s anti-exploit technology identified 100% of the Adobe Flash exploits of 2016 and an astounding 99.99% of malware.  Microsoft is using machine learning in their SmartScreen filter and Google uses it in their Safe Browsing initiative.  When tested against traditional security systems, machine learning systems resulted in fewer false positives as well as fewer false negatives, meaning that more attacks were thwarted and less time was wasted chasing false alerts. 

For companies, this is a big savings to the bottom line and a cost-effective way to implement security.  Cybersecurity systems become more effective, keeping sensitive data away from prying eyes and key systems available for use. At the same time, IT and security personnel are not distracted by as many false alarms, so they can focus on what matters: keeping the company safe.

Does your cybersecurity strategy include machine learning technologies? 


Backup and recovery means you can say no to ransom demands

Ransomware continues to be a huge problem for companies and consumers—and a major source of income for cybercriminals. Malicious hackers using CryptoWall ransomware extorted $18 million last year, according to the FBI, and that’s just one of many ransomware variants. Microsoft has detected a 400% increase in ransomware attacks since 2015. The sad fact is that the ransomware industry continues to grow because people continue to pay ransoms.

Logic would dictate that we simply stop paying ransoms and ransomware will end. But this is much easier said than done. Businesses, healthcare organizations, politicians and security experts debate this topic regularly, and there’s no clear consensus on what to do. Nobody wants to pay the ransom, but some are not in a position to refuse.

Healthcare organizations must consider the potential danger to patients if they do not pay a ransom. Meanwhile, banks are stockpiling bitcoins as an insurance policy against attacks. Some companies choose to pay because it’s cheaper than fixing the problem. Of course, this just makes it more likely that cybercriminals will target the company with ransomware again.

So, how do we get to a place where companies and individuals can afford to say no to ransom demands? The solution is surprisingly simple: Have a good backup of your data so that you can restore the data instead of paying a criminal to unlock it for you. Here’s a quick guide to protecting your data with a backup and recovery solution:

1. Data inventory
The first step is to understand what data you have so that you can adequately protect it. You may have data on workstations, laptops, file servers, cloud services, or within applications and databases. Try to get a good feel for what you have and what is most important—then prioritize that data for backup.

2. Data design
The second step is to identify the ideal location for the data. Workstation and laptop data may be migrated to servers; redundant data can be consolidated, and pointers or mappings created so that it is still accessible in multiple ways.

3. Backup design
Choose a backup solution that backs up data automatically and often enough to ensure that minimal data is lost when recovery is required. Remember that backups should be segmented from production systems. There should be both a logical and a physical segmentation.

Logical segmentation places the backups in a location that cannot be reached by systems on the production network. For decades, tapes were used for offsite backups. Today, tape backups are often replaced with cloud backups.  If an incorrectly written script deletes data from the network, the tapes would be safe from harm. Similarly, if a virus like ransomware infects production systems, you will still have clean versions of your data backed up to the cloud.

Physical segmentation protects against a natural disaster such as a fire that could take out a facility. If backups are stored on a server, hard drive, or tapes located within the facility, a fire or some other disaster could destroy both production data and backups, leaving the organization with no way to recover data. Physical segmentation places backups outside the facility. Backups could be replicated to the cloud or another site, tapes could be shipped to a remote storage facility, or an employee could take backup drives to a safe deposit box.

4. Testing
A backup system cannot truly be relied upon until it is tested with a restore. Restore testing ensures that organizational data can be effectively recovered within acceptable time frames. It is often through the restore testing process that inefficiencies or complications are identified that can be resolved before the backups are required in an emergency. Restore testing also familiarizes IT staff with the recovery process. That means they’ll be ready when disaster strikes.

5. Say no
Say no when ransomware strikes. You don’t need to pay because you can restore the data. Delete the infected files, remove the virus, and restore your data from backup. With the right backup solution in place, there’s no need to deal with cybercriminals.
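A restore drill that exercises steps 4 and 5 end to end, added here as an example and not taken from the original article: it takes a backup with a SHA-256 manifest, reproduces the effect of file-encrypting ransomware on the production copy, restores from the backup, and verifies every file against the manifest while timing the restore. The sample files, directory layout and 300-second recovery-time objective are constructed assumptions.

```python
"""Restore drill for steps 4 and 5 above: take a backup with a hash manifest,
simulate the effect of file-encrypting ransomware on the production copy,
restore from the backup and verify every file, timing the restore against a
recovery-time objective. Added example, not from the original article; the
sample files and the 300-second RTO are constructed assumptions."""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

RTO_SECONDS = 300  # assumed recovery-time objective for the drill


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(prod, backup):
    """Copy production into the backup location and store the manifest with it."""
    shutil.copytree(prod, backup / "data")
    manifest = build_manifest(prod)
    (backup / "manifest.txt").write_text(
        "".join(f"{digest}  {name}\n" for name, digest in manifest.items()))
    return manifest


def simulate_ransomware(prod):
    """Overwrite each production file with random bytes and rename it,
    reproducing the effect (not the mechanics) of ransomware encryption."""
    for p in [q for q in prod.rglob("*") if q.is_file()]:
        p.write_bytes(os.urandom(len(p.read_bytes()) + 16))
        p.rename(p.with_suffix(p.suffix + ".locked"))


def restore_and_verify(prod, backup, rto_seconds=RTO_SECONDS):
    """Discard production, restore from backup, re-hash and compare to the
    stored manifest. Returns (all_ok, mismatched_names, within_rto)."""
    start = time.monotonic()
    shutil.rmtree(prod)                 # step 5: delete the infected files
    shutil.copytree(backup / "data", prod)
    elapsed = time.monotonic() - start
    expected = dict(line.split("  ", 1)[::-1]
                    for line in (backup / "manifest.txt").read_text().splitlines())
    actual = build_manifest(prod)
    mismatched = sorted(n for n in set(expected) | set(actual)
                        if expected.get(n) != actual.get(n))
    return not mismatched, mismatched, elapsed <= rto_seconds


def run_drill():
    """Run the whole drill on constructed data in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        prod, backup = Path(tmp) / "prod", Path(tmp) / "backup"
        (prod / "finance").mkdir(parents=True)
        (prod / "finance" / "ledger.csv").write_text("2016-12,4500.00\n")
        (prod / "notes.txt").write_text("quarterly review\n")
        manifest = take_backup(prod, backup)
        simulate_ransomware(prod)
        damaged = build_manifest(prod) != manifest   # names and hashes now differ
        ok, mismatched, within_rto = restore_and_verify(prod, backup)
        return {"files": len(manifest), "damaged": damaged,
                "restored_ok": ok, "mismatched": mismatched, "within_rto": within_rto}


if __name__ == "__main__":
    print(run_drill())
```

A drill that reports mismatched files or misses the RTO is the finding the testing step exists to surface, before a real incident forces the question of whether to pay.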


New version of Cerber ransomware hits businesses where it hurts

The latest version of Cerber ransomware is targeting database applications and putting business’s most valuable data at risk, according to recent reports.

Large database applications such as Oracle, Microsoft SQL Server, MySQL and others contain critical data for things like Enterprise Resource Planning (ERP), Customer Relationship Management (CRM) and Electronic Medical Record systems. The latest version is aiming to encrypt all of them in addition to documents, spreadsheets and multimedia files.

How Cerber ransomware works
Ransomware victims are not chosen on an individual basis. Instead, they’re usually found within a pool of available targets organized by country, region or industry. This semi-targeted approach is often used to ensure that as many targets as possible have the means to pay the ransom, either because they live in regions with a high median income, or they work in industries that are known to pay up. Cybercriminals like those spreading the new version of Cerber may also target databases—where many businesses store their most important information.

Once Cerber infects a system, it checks to see if it is in a target country. It targets all countries except for Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan. Cerber then places a copy of itself in the %AppData%\{2ED2A2FE-872C-D4A0-17AC-E301404F1CBA}\ directory using a randomly generated executable name. Cerber then prepares to encrypt files by escalating its privileges through a UAC bypass using DLL hijacking. Cerber needs escalated privileges in order to stop certain services that, if running, would disrupt the process of database encryption.

Database files are usually written to and changed frequently, and database software typically keeps the files open so that data in memory can be flushed down to the files and applications rapidly. Data corruption can occur if the files are tampered with while they are open, and criminals would lose the confidence of their victims if they were unable to decrypt files after the ransom was paid, so they stop the services first.

Here are the databases that Cerber encrypts as well as the processes that it terminates. If you are running these processes and they stop unexpectedly, this could be a sign of Cerber infection. Each of the processes below is a Microsoft Windows executable. Cerber ransomware currently affects databases running on Windows only.

Citrix MetaFrame: encsvc.exe
Microsoft SQL Server: msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe
Mozilla Firefox: firefoxconfig.exe
Mozilla Thunderbird: tbirdconfig.exe
MySQL: mysqld.exe, mysqld-nt.exe, mysqld-opt.exe
Oracle: agntsvc.exe, agntsvc.exeisqlplussvc.exe, agntsvc.exeagntsvc.exe, agntsvc.exeencsvc.exe, dbsnmp.exe, isqlplussvc.exe, mydesktopservice.exe, mydesktopqos.exe, oracle.exe, ocssd.exe, ocautoupds.exe, ocomm.exe, synctime.exe, xfssvccon.exe
Red Gate Software’s SQL Backup Pro: sqbcoreservice.exe
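The detection idea in the paragraph above, turned into code as an added example (not from the original article): watch process-termination telemetry for a burst in which several of the listed database processes end on the same host within a short window, which is how Cerber’s pre-encryption service stopping would look from the outside. The log lines are constructed to resemble exported Sysmon Event ID 5 (ProcessTerminate) records and are not real telemetry; the 60-second window and the two-process threshold are assumptions to tune per environment.

```python
"""Detect a burst of database-process terminations, the pre-encryption
behaviour described for Cerber. Added example, not from the original article;
the log lines are constructed to resemble Sysmon Event ID 5 (ProcessTerminate)
exports and are not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Process names from the article's Cerber list (lower-cased for matching).
CERBER_KILL_LIST = {
    "encsvc.exe", "msftesql.exe", "sqlagent.exe", "sqlbrowser.exe",
    "sqlservr.exe", "sqlwriter.exe", "firefoxconfig.exe", "tbirdconfig.exe",
    "mysqld.exe", "mysqld-nt.exe", "mysqld-opt.exe", "agntsvc.exe",
    "dbsnmp.exe", "isqlplussvc.exe", "mydesktopservice.exe",
    "mydesktopqos.exe", "oracle.exe", "ocssd.exe", "ocautoupds.exe",
    "ocomm.exe", "synctime.exe", "xfssvccon.exe", "sqbcoreservice.exe",
}

# Constructed sample, one event per line: "<UTC time> <host> EventID=<n> Image=<path>".
# DB01 loses four database processes in five seconds; DB02 has two unrelated exits
# hours apart, which should not alert.
SAMPLE_LOG = """\
2016-12-01T02:14:03 DB01 EventID=5 Image=C:\\Windows\\System32\\notepad.exe
2016-12-01T02:14:05 DB01 EventID=5 Image=C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe
2016-12-01T02:14:06 DB01 EventID=5 Image=C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlagent.exe
2016-12-01T02:14:06 DB01 EventID=5 Image=C:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlwriter.exe
2016-12-01T02:14:08 DB01 EventID=5 Image=C:\\Program Files\\MySQL\\bin\\mysqld.exe
2016-12-01T03:00:00 DB02 EventID=5 Image=C:\\oracle\\bin\\oracle.exe
2016-12-01T09:30:00 DB02 EventID=5 Image=C:\\oracle\\bin\\dbsnmp.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) EventID=(\d+) Image=(.+)$")


def parse_terminations(log_text):
    """Yield (timestamp, host, image basename) for every Event ID 5 line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "5":
            continue
        ts = datetime.fromisoformat(m.group(1))
        image = m.group(4).rsplit("\\", 1)[-1].lower()
        yield ts, m.group(2), image


def find_kill_bursts(log_text, window=timedelta(seconds=60), min_distinct=2):
    """Return {host: sorted distinct listed processes} for each host where at
    least `min_distinct` different listed processes ended inside one window.
    A lone service restart does not trip this; a cluster of them does."""
    per_host = defaultdict(list)
    for ts, host, image in parse_terminations(log_text):
        if image in CERBER_KILL_LIST:
            per_host[host].append((ts, image))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {img for ts, img in events[i:] if ts - start <= window}
            if len(names) >= min_distinct:
                alerts[host] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    for host, names in find_kill_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {len(names)} database processes ended together: "
              + ", ".join(names))
```

Planned maintenance windows will also stop these services together, so in practice the alert is correlated with change records before anyone is paged.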

Decryption keys were made available for earlier versions of Cerber, but they were removed when newer versions of Cerber came out. A high-quality database backup is crucial for recovering from an encrypted database. Since enterprise database systems change frequently as new transactions occur, backup systems are often continuous, or scheduled at very short intervals, so that little or no data is lost when failures occur. It’s also important to test the restore process regularly to ensure that all relevant data is captured and that the data can be recovered in a reasonable time frame.
