Threat Lab

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Nemucod Ransomware Analysis

Today, we’ll look at yet another variant in the massive crop of malware that takes users’ files hostage: Nemucod ransomware.

Nemucod is a ransomware which changes file names to *.crypted. While it’s not a brand new variant, a lot has changed in the last few months, and different methods have been used, but one constant has remained the same – it is deployed via bogus shipping invoice spam email. The Javascript initially received in a spam email downloads malware and encryption components stored on compromised websites. Because this ransomware is written in a scripting language, it’s easily to modify and re-deploy. This has, for a majority, bypassed antivirus protection and spam email protection. However, a flaw was found in the encryption routine,which allows victims to recover their files.

  • January 2016: Nemucod changes file names to “.crypted” but does not actually encrypt them
  • March 2016: Adds XOR encryption using a 255 byte key contained in a downloaded executable. This downloaded executable encrypts the first 2048 bytes of a file
  • April 2016: 7-Zip used instead which created an archive to password protect files
  • April 2016: Instead of a hardcoded key, the Javascript generates a key and passes it as an argument to the downloaded executable and performs the encryption of the first 1024 bytes of each targeted file
  • May 2016: A small change is added to the previous build, which encrypts 2048 bytes instead of 1024 bytes
  • June – August 2016: A PHP script is used along with a PHP interpreter to encrypt the first 1024 bytes of a file

Email Example:

 

 

 

 

 

 

 

 

After opening the spam email attachment, you can see that the file located inside is a Javascript file cleverly disguised as a “.doc”. The file appears to be a .doc for users with the folder option setting “hide extensions for known file types” enabled.

Javascript Analysis:

Upon first opening the sample, it is heavily obfuscated; this is by design to thwart AV analysis and static detection

Nemucod Java

After de-obfuscating the script, I found that several compromised domains are used to store multiple files to be used later on in the execution routine. Of the downloaded files, we can see that two (a1.exe and a2.exe) are designed as a backdoor on the system. a1.exe is usually W32.Kovter and a2.exe is usually W32.Boaxxe. Since PHP is not installed natively on the Windows OS, the 3rd and 4th files downloaded (a.exe and php4ts.dll) are part of a portable PHP interpreter which allows the ransomware (a.php – 5th file downloaded) the ability to run.

Nemucod Java 2

Nemucod Java 3

Analysis of a.php:

We at first saw several samples of a.php written in plain text without obfuscation, but the developers changed this quickly to thwart static detection techniques. The obfuscation techniques below use chr() to encode each as a number specified in ASCII, while also using array() to store the php script in a list of array values.

Examples of Obfuscated ransomware variants:

chr()

Nemucod chr

To de-obfuscate, I converted all of the chr values to ascii characters and finally decoded base 64 stored to get the original script.

Array()

Nemucod Array

To de-obfuscate, I echoed the output of implode for all of the arrays (and removed eval) using the following at the end of the script:

;echo implode($f,”); ?>

De-obfuscated:

Nemucod php

The PHP script first uses “set_time_limit(0);” to keep the interpreter running.

A recursive Tree function is used with preg_match to match folders:

winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache

If a match is found, the script opens the directory and checks for more directories using is_dir; if a directory is found, it runs TREE again, which continues the loop to check if the object is a folder or a file.

Once a file is found, it uses preg_match again to match its file extension:

zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso

Once a file matching the file extensions above is found, it stores that file name and path as the variable “$fp” and a new variable is made “$x” which uses the function fread.

fread() reads up to length bytes from the file pointer referenced by handle.

After reading the first 1024 bytes of a file, a for loop is used with strlen and the variable $k (a base 64 string) to encrypt the files.

 

If you have found yourself a victim of this ransomware, please submit a support ticket.

Ransomware for Thermostats

 

We all know that Internet of Things (IoT) is the future and that everything from your refrigerator to your toaster may eventually connect to the internet. With that being the case, it’s important to remember that these connected devices need to be designed with security in mind. On Saturday at the Def Con hacking conference in Las Vegas, Andrew Tierney and Ken Munro showcased a ‘smart’ thermostat hack, in which they were able to install encrypting ransomware onto the device, fortunately just as a proof of concept. Check it out:

thermostat

The hacked thermostat (displayed in the screenshot above) runs a Linux operating system and has an SD card slot for owners to load custom settings and wallpapers. The researchers found that the thermostat didn’t check what files were being loaded or executed. Theoretically, this would allow hackers to hide malware into an application that looks just like a picture and fool users into transferring it onto their thermostat, which would then allow it to run automatically. At that point, hackers would have full control of the device and could lock the owner out. “It actually works, it locks the thermostat,” Munro said. This achieves the predictions of others in the security industry.

DLeBMBk

Despite the above tweet, Tierney and Munro declined to confirm the brand of this particular thermostat that they hacked. Because this test was so new, despite the vulnerability being showcased, the reserachers haven’t yet disclosed the vulnerability to the manufacturer, but the plan is to disclose the bug today. They also said that the fix should be easy to deploy. While this ransomware isn’t an immediate threat to anyone using smart devices in their homes today, the point has been proven that it’s very possible to create ransomware for these new and emerging IoT devices. “You’re not just buying [Internet of Things] gear,” Tierney warned, “You’re inviting people on your network and you have no idea what these things do.”

 

 

Chimera Keys Leaked From Rival Ransomware Author

 

Encrypting ransomware is so popular now that competitors will sabotage one another to get the upper hand. This is refreshing for victims, however, as they reap the benefit of these potential clashes between cybercriminals. ‘Chimera Ransomware’ has just had its keys leaked to the public, which is fantastic news for anyone who has been a victim of this ransomware.

Chimera Ransomware

@JanusSecretary  (presumed author of Mischa and Petya) was quick to tweet the news:

mYe072j

 

The keys are linked here which is a zip of the text file with over 3,500 keys. Below is a summary of the leak, where it is explained that Mischa used Chimera sourcecode. While the authors of Mischa and Chimera are not affiliated, they did get access to big parts of Chimera’s development system.

pastebin

This allowed access to the decryption keys that have now been released. With these keys now released, it shouldn’t be too much longer before a decryption tool is created for all the victims of Chimera.

Also included is a shameless plug for his RaaS (Ransomware As A Service) portal, where anyone can create new ransomware payloads.

RaaS

For any successful ransoms that result in payment, a cut will be taken by Janus based on how successful the ransoms are. For a complete rundown on RaaS variants check our our blogs on Ransom32 and Encryptor RaaS samples.

 

CryptXXX now looking to Neutrino for exploit support

When it comes to drive-by attacks, CryptXXX is king. In fact, out of all the exploit kits dropping payloads on victims, 80% result in CryptXXX. The creators attacked vulnerabilities in Flash Player, Java and Silver Light through using the Angler exploit kit, with malvertising helping boost their success. The malware authors were able to generate $3 Million per month almost exclusively from ransomware.

But how exactly does malingering work? In a nutshell, cyber criminals submit booby trapped advertisements to ad networks for a real-time bidding process. Malicious ads then rotate in with normal ads on legitimate, highly reputable sites. Users then visit these site and click on an infected ad. An invisible iframe injection then redirects the user to the exploit landing page, where a payload is then dropped. Here’s an example:

Picture1

Since Angler was shut down earlier last month, CryptXXX was presumed to also die with it. However, it’s taken new life with the Neutrino exploit kit, and can now exploit out of plugins like WordPress. Here’s how this looks:

Picture2

Once a user is unlucky enough to click an infected ad, a ransomware payload is dropped and they become the victim. Here are the instructions that are presented to victims. Pictured below, they are presented the form of a desktop background:

desktop

Once a user’s files are encrypted, the steps are the same as most ransomware – install a layered tor browser, then pay the ransom using bitcoins. This variant specifically only asks for 1.2 bitcoins ($800), which is the most ‘mild’ demand of recent ransomware variants, but the amount will double after 5 days if the ransom isn’t paid. It is worth noting that other sites have offered free decryptors for this malware, but they seldom last longer than a few days before the malware authors change it up yet again.

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for new and updated ransomware threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

MD5 analyzed

75EF6891AE7214AD17679CB88DC3B795

7BB58C27B807D0DE43DE40178CA30154

05825F3C10CE814CE5ED4AE8A74E91A2

 

Cerber Ransomware: The Facts

Cerber is yet another newer ransomware that has been gaining some traction over the past couple months, so we’re providing a breakdown of this new variant. First, here is how it looks:

desktop1

Unlike some other ransomware variants, Cerber is certainly not going for aesthetics. It also lacks any type of GUI. However, it does change your background to an awful pixelated image of static that’s not comfortable to look at, but it achieves its goal of getting the victims’ attention.

ransom text

The ransom text is quite extensive and attempts to answer as many questions as the victims might have. The end goal is to get the user to follow directions to install a layered tor browser so they can access the dark net and pay the ransom with Bitcoins. This is what the ransom portal looks like:

payment

This Cerber variant specifically wants 2 BTC, which is a huge sum of money (around $1,300) compared to variants seen in the past. As with older types, there is a ‘late fee’ that doubles the ransom if it isn’t paid in the original time frame. It appears that this trend of charging more money is new and is continuing to catch on. Also included with Cerber are “freebies”, which means that you get one free decrypt of a file. This was introduced by coinvault in 2014 to great success, so now almost all ransomware types include it.

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for new threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

MD5 Analyzed:

c3cd90c3e406981bece559a43fe64414

383803a90293408e36063809319f5982

065033243f30b1e54241a932c5e706fd

 

CryptoMix Ransomware: What You Should Know

CrytpoMix has been gaining some traction over the past few months, so it’s a good idea that we provide a rundown of this variant in the ransomware family.

This is ‘barebones ransomware’, so victims aren’t presented with a GUI or a desktop background change. All that is presented is a text file and webpage showing the same text.

notepad

This is one of the FEW ransomware variant that doesn’t have some payment portal in the darknet. There is no need to download any tor browser, as they don’t provide any onion links.

email back

With this variant, victims literally have to email and wait around 12 hours for a response and those responses are encrypted and password protected (to protect the bitcoin wallet address the cybercriminals want payment to be made to).

Example response:

email back

While CryptoMix isn’t fancy, it’s price sure is. 5 BTC (Bitcoin) is an insane amount of money (>$3000), and it wasn’t a few months ago that ransom increases to $700 were all the rage. Also, these criminals even claim that you’ll receive free tech support and all your ransom money goes to a child charity. Please do not be fooled.

Registry Entries added

» HKLM\Software\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider
» HKLM\Software\Microsoft\Cryptography\DESHashSessionKeyBackward
» HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader UpdateSoftWare
» HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Adobe Reader Update32
» HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobeFlashPlayerSoftWare
» HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\*AdobeFlashPlayers32
» HKCU\Software\Adobe Reader LicensionSoftWare\AdobeFirstVersionSoftWare
» HKCU\Software\Adobe Reader LicensionSoftWare\AdobeLicensionSoftWare

MD5 hashes analyzed :

b778bda5b97228c6e362c9c4ae004a19

a0fed8de59e6f6ce77da7788faef5489

Webroot will catch this specific ransomware in real time before any encryption takes place. We’re always on the lookout for more types of threats, but just in case of new zero-day variants, remember that with encrypting ransomware, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files back as we save a snapshot history for each of your files (up to ten previous copies). Please see our community post on best practices for securing your environment against encrypting ransomware.

 

 

 

Computer Virus 101

What is a computer virus?

Think of a biological virus – the kind that makes you sick. It’s persistently nasty, keeps you from functioning normally and often requires something powerful to get rid of it. A computer virus is very similar. Designed to relentlessly replicate, these threats infect your programs and files, alter the way your computer operates or stop it from working altogether. It’s estimated that the ‘Conficker’ malware infected more than 10 million computers in 2009, which was a massive amount back then.

The amount of viruses and their capability to inflict damage have only increased since then. Today, hundreds of thousands of them operate over the internet, and new variants are discovered every day. When you couple this with the discoveries of mass-scale security flaws/vulnerabilities (such as ‘Heartbleed’ and ‘Bash’ in 2014), the cyber-world really starts to look like a scary place. It is. But that doesn’t mean there’s nothing you can do to protect yourself and your devices.

How does it find me?

Even if you’re careful, you can pick one up through normal online activities like:

  • Sharing music, files or photos with other users
  • Visiting an infected website
  • Opening spam email or an email attachment
  • Downloading free games, toolbars, media players and other system utilities
  • Installing mainstream software applications without fully reading license agreements

What does it do?

Some computer viruses are programmed to harm your computer by damaging programs, deleting files, or reformatting the hard drive. Others simply replicate themselves or flood a network with traffic, making it impossible to perform any internet activity. Even less harmful versions can significantly disrupt your system’s performance, sapping computer memory and causing frequent computer crashes.

What are the symptoms?

Your computer may be infected if you recognize any of these malware symptoms:

  • Slow computer performance
  • Erratic computer behavior
  • Unexplained data loss
  • Frequent computer crashes

Arming yourself with the best protection

When you arm yourself with information and resources, you’re wiser about computer security threats and less vulnerable to threat tactics. Take these steps to safeguard your PC with the best protection:

Make sure that you have the best security software products installed on your computer:

  • Use anti-virus protection and a firewall
  • Get anti-spyware software
  • Always keep your anti-virus protection and anti-spyware software up-to-date (Webroot SecureAnywhere updates automatically)
  • Update your operating system regularly (most update automatically)
  • Increase your browser security settings
  • Avoid questionable websites
  • Only download software from sites you trust and carefully evaluate free software and file-sharing applications before downloading them

Practice safe email protocol:

  • Don’t open messages from unknown senders
  • Immediately delete messages you suspect to be spam

An unprotected computer is like an open door for malware. Firewalls monitor Internet traffic in and out of your computer and hide your PC from online scammers looking for easy targets. Products like Webroot SecureAnywhere Complete provide total protection from the most dangerous threats out there, thwarting them before they can enter your PC, and standing guard at every possible entrance of your computer to fend off any malware that tries to enter, even the most damaging and devious strains.

While free anti-virus software is available, it simply can’t offer the consistent protection that you need to keep up with the continuous onslaught of new strains. Previously undetected forms of can often do the most damage, so it’s critical to have up-to-the-minute protection that won’t take a break to update and miss the oncoming threat.

Malware as a Service: As Easy As It Gets

 

 

If you’ve ever been infected with serious malware, you may have assumed the culprit is a person sitting in the basement of their mom’s house, or a small group of people huddled in a garage somewhere. It’s really not that simple.  There’s a whole global cyber underground network that’s working diligently to make all this happen for you. It’s the lucrative cyber black market. Mostly everyone has heard the term “black market” at least a few times. It’s referenced in many movies and is often heard on the news when speaking of criminal activity and the purchasing of illegal materials or services.

Malware-as-a-Service is a prosperous business run on the black market that offers an array of services and isn’t just limited to malware or bits of code. And you don’t have to be a computer expert either. Anyone can purchase code that will cause harm to a person’s computers or even hold it for ransom. But once purchased, what are you going to do with it? How will investing in this piece of malware return a profit? There’s still the challenge of getting it out there, getting your potential victims to run the payload for the newly purchased malware on their computer. And most importantly, cashing out on the investment. This is where the entire business model of Malware-as-a-Service comes into play.

It’s all offered in the cyber black market and functions no different than the global markets we hear of. Due to its low key nature, it’s difficult to say exactly how much money is generated from Malware-as-a-Service in this market. But it would be no surprise if it stretched up into the billions.  In this market it’s possible to purchase all the necessary pieces to make it as easy as possible for the investors to profit.

 

MAAS

 

First level: The highly skilled elite programmers or engineers who write malware, develop exploits, and are general researchers. This can be an individual or individuals working together.

Second level: Here are the spammers, botnet owners, distributors, hosted system providers. These people are also skilled, but not always elite. This is where the distribution is handled

Third level: The money mules, treasurers, financial data providers.

These three levels fall under the umbrella of Malware-as-a-Service that can be sold and purchased as an entire package or individual services by a vendor.

The individuals involved aren’t always strictly black hat. There are also grey hat hackers, otherwise known as freelancers who are simply looking to make a profit. A programmer can sell a zero day exploit to the vendor of a software as a bounty. However that same exploit might be able to fetch a far greater profit if sold on the black market. A perfect example of this is Facebook, who offers a minimum of $500 for anyone who can hack their site. With over 700 million users, a Facebook exploit can sell for a pretty hefty price in the black market. As malware becomes more profitable this type of business model will continue to grow.

 

 

Malvertising: When Ads Go Rogue

Advertisements on the internet are no longer just a nuisance. They are now also potentially dangerous. Even sticking to widely used and trusted websites can be risky, as the banner ads they contain may be carrying malicious code.

“Malvertising”, a combination of “malware” and “advertising”, is the technique of using trusted ad networks to deliver malware-loaded advertisements to users on trusted websites. This is not a new technique, but over the last couple of years its use has grown exponentially by cybercriminals because it is so effective.

According to David Kennerley, Sr. Threat Research Manager at Webroot: “Malvertising is a big problem and its return on investment for fraudsters suggests it’s not going away anytime soon.”

Most websites that have advertisements use “ad networks” to manage those ads, giving the site options for what type of ads to deliver to visitors. In a malvertising scenario, a cybercriminal will either hack into an ad network’s server or even sign a fraudulent contract with an ad network, posing as an advertiser in order to gain trust. They will then upload a seemingly legitimate advertisement that is loaded with malicious content, such as a Flash or Javascript exploit. The ad network unwittingly adds this malicious ad into its database so that its customers can choose it as one of multiple rotating ads. Or, it can take more of a social engineering approach and appear on your screen based on your browsing habits, which are tracked by tracking cookies.

Ad-Website pic

“Unfortunately, simply keeping to trusted websites no longer means you’ll stay safe,” said Kennerley. “The outsourced, distributed and chaotic nature of the online advertising industry means that even the world’s most popular websites have no visibility on the ad content displayed on their pages or its original source.”

In recent months, an additional level of complexity has been employed in these types of attacks: “Fingerprinting”, a method of uniquely identifying computers based on meta-data and file dumps. As online advertisers move away from human transactions and toward real-time ad bidding, cybercriminals are finding ways to better target their victims. Ad networks provide user meta-data to advertisers so that they can better advertise to consumers, but this same data can be used by cybercriminals to identify systems that can be exploited. For instance, if the meta-data reveals that a PC’s Adobe Flash is not up to date and a known exploit exists for their version of Flash, they will identify that PC as a target for attack.

malvertising flow chart

 

In addition to identifying potential victims, cybercriminals also use fingerprinting to identify networks and devices to avoid. For instance, if they choose to target only people in specific countries and avoid people in their own country, they can do so using geolocation data. This technique has also been used to evade security researchers by avoiding networks of security companies, making it more difficult to replicate and research these types of attacks.

With malvertising gaining popularity among cybercriminals, protecting yourself from this type of attack is critically important. “Internet users should keep their browsers fully patched, with appropriate in-built phishing and malware protection switched on,” advised Kennerley. “Browser add-ons should be kept up-to-date, with auto-play turned off; or better yet, disable or remove these commonly exploited add-ons completely. Ad-blocking software is becoming a must and of course a strong endpoint protection product is essential.”

What you need to know about the new KeRanger Ransomware.

 

Palo Alto Networks recently discovered ransomware hidden inside of the torrenting app ‘Transmission’. While this may come as a shock to those that still believe the Mac is a fortress that can’t be broken, the rest of us are not shocked at all. In fact, a few months back I wrote a blog warning Mac users not to dismiss Mac malware. It is time to take Mac security seriously. Apple does a great job for the most part, but in order to secure your information and your devices, you need a good Antivirus product.

Transmission app
Back to the threat at hand. This ransomware is bundled in with the Transmission Bittorrent client as a file called “General.rtf”. For most, this file looks like a simple real text file. However, it is actually a Mach-O 64-bit executable file that will execute three days after you run Transmission. This helps keep the ransomware hidden so that users wouldn’t suspect the app they are using for torrenting, but rather the torrents that they are pulling down as the source of infection.

infected file
After the three days, the app executes and drops a file called “kernel_service” into the user’s library directory. This process is named in such a way so as to confuse anyone that looks in Activity Monitor into believing that it is a system process. It then drops three more files in the user’s library: “.kernel_pid”, “.kernel_time” and “.kernel_complete”. It will collect the infected Mac’s model name and UUID then upload the information to one of its Command and Control servers.

 

Command and Control Servers

These servers will respond with a file named “README_FOR_DECRYPT.txt”, in which it explains how to get the key for decryption and the price for the key in bitcoins. The ransomware is able encrypt around 300 different types of file extensions that it finds in the “/Users/” directory and changes the file extension to end in “.encrypted”. This means that the family pictures that you keep on your Mac will now be labeled “GrandCanyon2010.jpg.encrypted” and cannot be opened.

 

Encryption Start point
One of the most important things to note is that the program is still a work in progress. There are many functions that have been found in the code that are not currently being used, like the ability to encrypt your Time Machine backup as well. This of course is the second wall of defense for many people, who believe that because they have a Time Machine backup, they can always just roll back their Mac if something happens.

To add some more context into the expansion of ransomware into the Mac OS, our David Kennerley recently commented in Global Security Mag:

“Given the potential gains for attackers, it’s no surprise that they are now diversifying and targeting OS X – a popular system with a large target base. Add to this the fact that many people believe they are safe from such malware when running OS X, this ransomware has the potential to impact a huge number of people.” 

You can locate the full article here.

I’ve said it before and I will say it again: Mac malware is real. Don’t be an Apple user that finds this out the hard way.

Threat Insights and Trends from the 2016 Threat Brief

Intro from the 2016 Threat Brief:

“2015 was yet another record year for cybercrime, during which more malware, malicious IPs, websites, and mobile apps were discovered than in any previous year. It comes as no surprise that the cybercrime ecosystem continues to thrive, given new innovations and little in the way of risk for those who choose to participate. The continued onslaught of hacks, breaches, and social engineering scams targeting individuals, businesses, and government agencies alike has caused many in the security field to ask if it’s truly possible to defend against a persistent attacker.

At Webroot, we believe it is possible to effectively protect enterprises and users, but only by understanding your adversary and the techniques they employ for their attacks.

Our approach and security solutions reflect our in-depth understanding of the threat landscape and how attackers think, to provide cutting-edge, proven next-generation protection and real-time detection of threats as they emerge. The Webroot 2016 Threat Brief provides a glimpse into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks seen by our users over the past year.”

 

The brief in its entirety can be found here.

 

However, in this blog, I want to talk about two sections of the Threat Brief and what I found to be most interesting. The first has to do with new malware discoveries and how often malware ensures it is unique with each new infection. The other has to do with the prevalence and targets of phishing attacks, as well as a tactic to improve your personal online security.

 

Before I go on, it is first important to talk about the source of this data. With respect to malware and phishing site encounters, these stats are pulled directly from Webroot SecureAnywhere users and their real world encounters with these threats. This is an important distinction as it enables us to calculate how frequently different types of attacks occur and the likeliness that an average user encounters such an attack.

 

Let’s begin with what was interesting in the malware detection data, mainly the fact that around 97% of the time, malware is unique to the system it infects. That is to say that the specific malicious file is never seen elsewhere. This is intentionally done by malware authors and distributors to make the discovery of their threats more difficult. The technology behind this technique is not new however, and is known as polymorphism. The overwhelming trend is that malware uses polymorphism, either on the server side where the malware is distributed from, or through the malware itself where with each new infection, the samples change. While polymorphic malware has been around for over a decade, it is now the norm for nearly all threats today.

 

Beyond the polymorphic trend, malware encounter data also showed that Webroot SecureAnywhere users encountered more threats on average than in 2014. The per-user infection rate in 2015 was 1.6 infections per customer, compared to 1.2 in 2014. What this means is that infections are more common and during the course of a year, you will more than likely be exposed to a threat. The good news for Webroot customers is that we’ve protected you from these threats. That said, our users were 25% more likely to encounter threats in 2015 than in 2014.

 

The last bit I want to talk about with respect to malware, is the speed at which churn between variants occurs. We measure this by counting the number of examples per variant that are discovered, on average, before no new samples show up and a new variant is discovered. In 2015, this number plummeted to 97 examples per variant compared to 2014 where nearly 700 examples were discovered. Ultimately, what this shows is that malware authors and distributors are speeding up their variant release process in their efforts to evade detection. Thankfully, the Webroot model for threat discovery isn’t affected by the speed of new malware development, and instead relies on awareness at each individual endpoint we protect. This ensures that even if the samples per variant drops to one, we are still aware of that individual threat and are able to identify and protect against the infection.

 

The second threat type I want to talk about is the notorious phishing attack. These are malicious websites that impersonate legitimate websites as they look to steal login credentials and more. The vast majority of phishing URL’s show up in carefully crafted emails that use social engineering techniques to encourage some call to action. A common example is an email claiming your account has been suspended and to log in to restore access.

 

In 2015, over 4 million phishing URL’s were clicked on by Webroot SecureAnywhere users. The good news is that none of these users had the chance to give away their credentials as SecureAnywhere blocked the URL’s page from loading. The bad news is that that the volume of phishing URL’s has increased considerably over 2014. In 2015, about 50% of WSA users clicked on a phishing URL compared to 30% in 2014. There are a number of factors that are responsible for this increase, but the two main ones are that phishing sites are inexpensive to host and that they are an effective method for collecting credentials. In so long as people can be tricked into clicking on a malicious link, phishing sites aren’t going anywhere.

 

The other interesting data around phishing site detection surrounds correlating the phishing site to the company or entity that is being impersonated. In the Threat Brief, we break them into two main categories which are financial institutions and technology companies. When looking at all phishing sites discovered in 2015, a little more than 2/3 of sites were targeting a technology company such as Google or Apple. This might sound odd as you might think that breaking into someone’s bank account would be more valuable. However, quite the opposite is true. Google is by far the number one target of phishing attacks because the value of breaking into someone’s primary email account is very high. The reason is that an email account provides information about what other accounts an individual has (including financial accounts), as well as the ability to reset those accounts’ passwords as the password reset option validates through the associated email address.

 

This brings me to my final point, which is less about phishing and more about email security. The number one tip I recommend to help improve personal online security is to make sure your primary email account password is unique from all other passwords. This ensures that your email is difficult to break into when a password for another site is compromised. This happens all-too-often by no fault of a user, but rather because businesses are often attacked and credential data is compromised. The first thing hackers do with stolen credential data is to see what other accounts can be accessed. If your email password is unique, there is no chance of it being compromised through a collateral attack.

 

There are many other interesting observations in the full 2016 Threat Brief, and I encourage you to read the full report.

 

 

Cyber Threat Actors

Cyber threats come from a wide array of sources, but can be grouped into three categories:

Hacktivists
These are tech-savvy individuals who are normally motivated by morality. These individuals are also classed by many (including the FBI) as terrorists. One of the main hactivist groups out there is anonymous. This group rose from one of the most popular image boards on the internet, 4chan, where users could post anonymously. Many of the influential figures in 4chan have now left, including the board founder moot (Christopher Poole). 4chan is no longer the entity it used to be. One of the most infamous attacks conducted by anonymous was Project Chanology, where the group targeted scientology.  Famously anonymous retrieved a video of Tom Cruise from the scientology group that was not intended to be seen by the general public: https://www.youtube.com/watch?v=UFBZ_uAbxS0

Cyber Criminals
These are individuals who are motivated by money. These are the people who are responsible for the distribution of ransomware. This is a very lucrative business. It was reported in 2013 that cryptolocker made over $30 million in 100 days. Politcal borders make it appealing for criminals to employ these tactics of making money as it is very hard to prosecute them. The encryption that ransomware hits these machines with is normally unbreakable, with the FBI encrouraging individuals to pay the ransom: http://uk.businessinsider.com/fbi-recommends-paying-ransom-for-infected-computer-2015-10?r=US&IR=T .

It has been observed that some ransomware variants have holes and can be cracked (most notably the linux encoder variant which was targeting web servers). Ransomware isn’t the only tactic cyber criminals employ. Another tactic they employ are botnets. This is where a criminal infects your computer, unknowingly to the individual. The criminal can then take control of the victims computer at any time for whatever purpose they see fit. Normally the attacker will either extract information from the victim, monitor the victim or use the victims computer to attack other systems. A recent case to note in relation to botnets is the arrest of one of the administrators of the Dridex botnet, Andrey Ghinkul. This arrest shows that law enforcement are making a good effort to tackle this problem.

State-Sponsored Threat Actors

These are individuals who are sponsored by a government. They act in political interest of the government sponsoring them. It has been reported by FireEye that China has over 20 APT (advanced persistent threat) groups. APT1 (dubbed by Mandiant) is linked with China’s PLA Unit 61398. It is believed this unit occupies a 12 story building employing hundreds of hackers. These groups pose a particular threat to the US, with the FBI putting some of the people involved on their most wanted list: https://www.fbi.gov/news/news_blog/five-chinese-military-hackers-charged-with-cyber-espionage-against-u.s . China isn’t the only country known for sponsoring cyber attacks. The revelations of Edward Snowden reveals much on the NSA’s antics. Another example of a state sponsored cyber attack is where Turkeys internet servers were attacked a couple of months ago, with the blame being pointed at Russia: http://www.todayszaman.com/anasayfa_political-hackers-suspected-as-turkey-suffers-intense-cyber-attack_407781.html