Ransomware Roundup – 19th April 2016

Proofpoint’s analysis of malware they call CryptXXX can be found here: CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler. Proofpoint observes that it has seen ‘an Angler EK into Bedep pass pushing both a ransomware payload and Dridex 222’, which may or may not be connected to the fact that Spamfighter has reported that Dridex is implicated in the distribution of ransomware. Spamfighter’s article – Security Researchers Discover Admin Panel of Dridex, Leverage Vulnerability and Hijack Backend – summarizes a report from Buguroo: Report: Analysis of Latest Dridex Campaign Reveals Worrisome Changes and Hints at New Threat Actor Involvement. The Buguroo page suggests that vulnerabilities in the Dridex infrastructure are responsible for its being used to distribute Locky. I haven’t read the full report – it requires registration.

An article by Emily Sweeney for the Boston Globe, 5 things to know about ransomware, is essentially a personal recollection of being a victim coupled with some basic advice, but it’s not bad advice. Except that the point I’d always stress about backups is the need to ensure that they’re not so easily accessible that reasonably advanced ransomware will be able to encrypt the backed-up material at the same time as the live data. And don’t access your offline backups until you’re sure the malware has been eradicated.

Meanwhile, a Spiceworks post describes a couple of very bad days for a sysadmin of which a Cryptowall attack was just a part. A salutary reminder that disasters aren’t always considerate enough to happen one at a time, and that it’s always worth over-engineering a corporate backup strategy.

Sean Gallagher (or at any rate an editor looking for an eye-catching headline) for Ars Technica tells us OK, panic—newly evolved ransomware is bad news for everyone – Crypto-ransomware has turned every network intrusion into a potential payday. I don’t think panic is the best response to the ransomware problem, but there’s certainly an argument for informed concern, and the article does describe some aspects that we should indeed be concerned about and take steps to address.

And for the Register, Iain Thompson summarizes the issues around SamSam’s migration from hospitals to schools and the should-have-been-patched-long-ago JBoss vulnerability that Talos has flagged previously.

David Harley
