Ransomware: Affected Platforms & Devices


  • HPE iLO
  • ElasticSearch
  • MongoDB
  • Instagram
  • Windows
  • Microsoft Office
  • OS X (macOS)
  • The Internet of Things (IoT)
  • Android
  • iOS
  • Linux
  • Ransomware and Healthcare
  • Ransomware and the Public Sector
  • Ransomware and Education
  • Multi-platform
  • WordPress

File-encrypting ransomware is usually aimed at Windows users but we are aware of an increasing number of instances of ransomware that specifically target other platforms.

HPE iLO

Bleeping Computer: Ransomware Hits HPE iLO Remote Management Interfaces “Attackers are targeting Internet accessible HPE iLO 4 remote management interfaces, supposedly encrypting the hard drives, and then demanding Bitcoins to get access to the data again.”

ElasticSearch

Darren Pauli for The Register: MongoDB hackers now sacking ElasticSearch – Open season on open services

MongoDB

Following reports of tens of thousands of MongoDB database installations attacked with ransomware, the maker published advice on how to avoid unsafe defaults. Thomas Claburn for The Register (11th January 2017):

How to secure MongoDB – because it isn’t by default and thousands of DBs are being hacked – Stop right now and make sure you’ve configured it correctly

Instagram

Graham Cluley regarding a 16-year-old accused of demanding money from victims for regaining access to their Instagram accounts: COULD YOUR SELFIES BE HELD TO RANSOM? ALLEGED INSTAGRAM ACCOUNT HACKER ARRESTED

Windows

Article from Checkpoint: Digging Deeper: How Ransomware and Malware use Microsoft Windows’ Known Binaries

Looks at processes:

  • svchost.exe
  • explorer.exe
  • sdbinst.exe

And also at specific malware/ransomware:

  • Cryptowall (ransomware)
  • Dridex (banking malware, but its name has been mentioned a lot lately in connection with ransomware distribution campaigns)
  • Tinba (Tiny Banker)

Microsoft Office

[26th February 2018]

An article for HelpNet by Jeff Erramouspe (Spanning Cloud) on How to protect Office 365 data from ransomware attacks.

Not a technical article, but not bad advice, and I haven’t publicized a how-to article on ransomware for quite a while.

“Ransomware, in particular, has introduced significant risks for Office 365 users. Cerber ransomware, for example, targeted Office 365 and flooded end users’ inboxes with an Office document that invoked malware via macros, and the now infamous WannaCry attack was engineered to take advantage of a Microsoft vulnerability. And now we have an even more insidious ransomware strain with ShurL0ckr – designed to evade the built in malware protection on OneDrive and Google Drive.”

[20th June 2017]

Sophos: SophosLabs analysis: why the surge in Word docs hiding ransomware?

Particular reference to ‘migration of VBA Malware to PDF, a mouse-over PowerPoint infection and the adoption of CVE-2017-0199 into Exploit builder kits.’

29th June 2016

Avanan: Widespread Attack on Office 365 Corporate Users with Zero-day Ransomware Virus

SC Magazine commentary

The Register commentary: Ransomware scum target corporate Office 365 users in 0-day campaign – Spam flood tried to drop malicious macros in inboxes

Commentary from SANS

OS X (macOS)

[23rd December 2017]

Monica Chin’s article for Mashable – Here’s how to guard your Mac against ransomware – isn’t the general guide to self-protection that you might expect from the title. It’s actually about a specific attack via iCloud, where attackers have gained access to account names and passwords and used them to lock the owners out of their devices.

Chin says:

If this happens to you, you’ll have to bring your computer into an Apple Store and verify your identity to regain access to it. Otherwise, the only ways to get back control of your machine is to perform a hard reset (which would mean losing all the data) or pay the hackers and pray.

The article is actually several months old, but I’m flagging it here because the same problem – or one very closely related – has crossed my radar recently.

[4th July 2017]

AV-Test offers an interesting aggregation of 2016/2017 malware statistics in its Security Report here.

Particularly relevant to this section:

  • Looking at the growth in malware for specific platforms, AV-Test notes a decrease in numbers for malware attacking Windows users. (Security vendors needn’t worry: there’s still plenty to go round…)
  • On the other hand, the report says of macOS malware that ‘With an increase rate of over 370% compared to the previous year, it is no exaggeration to speak of explosive growth.’ Of Android, it says that ‘the number of new threats … has doubled compared to the previous year.’

[9th June 2017, updated 15th June]

(MacSpy isn’t ransomware, but seems to have been developed by the same author as MacRansom, and both are offered as malware-as-a-service.)

Zeljka Zorz for HelpNet Security: Two Mac malware-as-a-Service offerings uncovered. According to HelpNet ‘Patrick Wardle’s RansomWhere? tool can also stop MacRansomware from doing any damage.’

Rommel Joven and Wayne Chin Yick Low, for Fortinet: MacRansom: Offered as Ransomware as a Service

Sophos: More evidence Mac ransomware exists

Fortinet notes that “Nevertheless, we are still skeptical of the author’s claim to be able to decrypt the hijacked files, even assuming that the victims sent the author an unknown random file…”

AlienVault: MacSpy: OS X RAT as a Service

[22nd February 2017]

Marc-Etienne M.Léveillé for ESET: New crypto-ransomware hits macOS – malware that calls itself ‘Patcher’

[15th February 2017]

Article from Sophos: RSA 2017: Deconstructing macOS ransomware

[6th January 2016]

Article for this site: Support Scammers hit Mac users with DoS attacks. Jérôme Segura (for Malwarebytes) examines another DoS attack somewhere on the thin borderline between ransomware and tech support scams.

——————————————-

There are instances of JavaScript that messes with Safari. I’ve seen it suggested that Cryptowall works on OS X, but I’m pretty sure that was based on media misinterpretation of Cisco’s analysis of Cryptowall 2.0. (But since Cryptowall continues to be developed, who knows what surprises they have in store?)

I’ve recently seen blogs from OPSWAT and Symantec suggesting that the Mabouia ransomware is a wake-up call to Mac users that they need antivirus software. I’m certainly not going to say that security software isn’t relevant to OS X users who’ve already been targeted by significant attacks, and it’s not at all impossible that criminals will invest more effort into adding the sizeable population of OS X users to their pool of potential victims, but the sky has not yet fallen. The impact of this Proof of Concept attack has yet to be seen.

See also this blog from Pierluigi Paganini and a video from Rafael Salema Marques who developed it.

There was a story from Kaspersky back in 2014 about Unfinished ransom.a.r MacOS X, which they called Trojan-Ransom.OSX.FileCoder.a but it barely made a ripple.

While working on an internal project at ESET, I came across an article I wrote for Information Security Magazine back in 2013: Mac Ransomware Deviating from the (java)script. With the recent kerfuffle about KeRanger, it’s interesting to recall one of its (rare) OS X-targeting precursors. In this case, there wasn’t actually a malicious executable as such, and the whole system wasn’t really locked, even though a pop-up told the victim that his or her browser was locked and that ‘ALL PC DATA WILL BE DETAINED AND CRIMINAL PROCEDURES WILL BE INITIATED AGAINST YOU IF THE FINE WILL NOT BE PAID.’ However, the pop-up did make it very difficult to quit Safari, which was probably scarier than it sounds for the victims. The story was based on an article by Jérôme Segura for Malwarebytes. Irritatingly, there doesn’t seem to be a link in my article, but this looks like Jérôme’s article: FBI Ransomware Now Targeting Apple’s Mac OS X Users

[21 April 2016]

8th July 2016

For CSO Online, Steve Ragan describes how Ransom demands are written in Russian via the Find my iPhone service. Here’s how he describes the attack:

It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim’s device into lost mode. At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it.

Thomas Reed also described a similar attack a few months back using iCloud’s ‘Find My Mac’.

Ragan also mentions ‘a rumor concerning “rumblings of a massive (40 million) data breach at Apple.”’ I’ve seen no confirmation of that anywhere, but it’s certainly a good time to check that your AppleID credentials are in good shape.

Commentary by Graham Cluley here. You might want to consider taking up his suggestion of enabling two-step verification on your Apple ID account, too.

KeRanger

The Internet of Things (IoT)

8th August 2016

At this year’s Def Con, Andrew Tierney and Ken Munro demonstrated how they created full-blown ransomware to take control of an unnamed brand of smart thermostat ‘and lock the user out until they paid up.’

[22nd July 2016]

My friend and colleague Stephen Cobb, for ESET, recently posted an article on Jackware: When connected cars meet ransomware. He says:

I define jackware as malicious software that seeks to take control of a device, the primary purpose of which is not data processing or digital communications. A car would be such a device. A lot of cars today do perform a lot of data processing and communicating, but their primary purpose is to get you from A to B. So think of jackware as a specialized form of ransomware. With regular ransomware, such as Locky and CryptoLocker, the malicious code encrypts documents on your computer and demands a ransom to unlock them. The goal of jackware is to lock up a car or other device until you pay up.

Fortunately, and I stress this: jackware is, as far as I know, still theoretical. It is not yet “in the wild”.

So speculation, but informed speculation, a hot topic, and well-written (of course).

———————————————

An article for Trend Micro by Echo Duan illustrates one of the complications of having an operating system that works on and connects all kinds of otherwise disparate objects: FLocker Mobile Ransomware Crosses to Smart TV.

Of course, embedded versions of operating systems (other flavours of Linux, Windows and so on) are nothing new in themselves. FLocker, however, seems to lock smart TVs as well as Android phones, as long as they’re not located in one of a number of Eastern European countries. It claims to be levying a fine on behalf of a law enforcement agency: apparently another of these agencies that prefers its fines paid in iTunes gift cards. As Zeljka Zorz points out for Help Net Security, this doesn’t say much for the credibility of the criminals, but if your device and data have become unavailable to you, knowing that they’re criminals and not the police doesn’t help much.

While the malware locks the screen, Trend tells us that the C&C server collects ‘data such as device information, phone number, contacts, real time location, and other information. These data are encrypted with a hardcoded AES key and encoded in base64.’

Unsurprisingly, Trend’s advice is to contact the device vendor for help with a locked TV, but the article also advises that victims might also be able to remove the malware if they can enable ADB debugging. How practical this would be for the average TV user, I don’t know.

Back in November 2015 Candid Wueest wrote for Symantec on How my TV got infected with ransomware and what you can learn from it, subtitled “A look at some of the possible ways your new smart TV could be the subject of cyberattacks.” Clearly, this particular aspect of the IoT issue has moved beyond proof of concept.

Just as I was about to post this, I noticed additional commentary by David Bisson for Graham Cluley’s blog. He notes that there’s an interesting resemblance between FLocker’s interface and the earlier ‘police’ ransomware he calls Cyber.Police.

Camilo Gutierrez, one of my colleagues at ESET (security researcher at the Latin America office) notes that:

Proof-of-concept tests have already been performed where, for example, control of an automobile has been successfully effected totally remotely. For this reason, if the necessary precautions are not taken by manufacturers and users, there is nothing to prevent an attacker from seizing control of a device’s functionality and demanding money to return control. Perhaps this is not a threat we expect to see much of in the near future, but we shouldn’t lose sight of it if we are to avoid serious problems later.

(That whole section in the ESET report is worth thinking about.)

Better Business Bureau article: BBB: Staying aware of ‘ransomware’ smartphone scammers. I think what we’re seeing is not a resurgence, but a steady evolution of malware as described in that ESET report.

[26th April 2016] A report by the Institute for Critical Infrastructure Technology (ICIT) is actually fairly generalist and speculative, in particular in its short mention of the Internet of Things, but it’s been picked up by Matt Klassen – IoT Infrastructure is Ripe for Ransomware – and Danny Palmer – Why the Internet of Things is the next target for ransomware: Devices from pacemakers to cars could be rendered useless by ransomware infections, warns a think tank – as a dramatic inevitability, rather than as an interesting speculation. That said, Palmer’s article does quote the report as saying that “The only defense is a layered defense, of which endpoint security is an essential layer”, with which I pretty much agree, while deploring the phrase ‘next-gen cyberfortification’.

[27th April 2016] For ESET’s WeLiveSecurity blog, Graham Cluley considers – Ransomware and the Internet of Things – another report on ransomware by the Institute for Critical Infrastructure Technology, by the same authors. It takes up the same theme of ‘The only defense is a layered defense’. On the whole, I like Combatting the Ransomware Blitzkrieg better than the report noted above, and I agree that:

‘…the issue the ICIT is raising in this report is not too far fetched…’

And certainly we should be

‘…more concerned that security is treated as a priority by all companies manufacturing internet-enabled devices.’

Ransomware attacks on the Internet of Things (and certainly how imminent they are) remain largely speculation rather than fact, but the time to prepare for such attacks is before they start. In any case, it’s well worth looking now at the other issues raised by the report. I can’t say I agree with every word, but there’s lots of good information here.

A somewhat overheated summary of the ICIT report: Why the Internet of Things is the next target for ransomware – Devices from pacemakers to cars could be rendered useless by ransomware infections, warns a think tank. (April 25th 2016).

Will ransomware spread to the IoT? Of course, and we’ll learn the hard way about manufacturers who didn’t bake security into their devices. Soon? Dunno. Will the world go into meltdown? Unlikely. The IoT is spread over too many disparate devices and platforms for an instant worldwide catastrophe.

A curate’s egg of data and speculation from Symantec and Black Hat via CSO Online: Report: IoT is the next frontier for ransomware

Android

[15th February 2018]

ESET: Android ransomware in 2017: Innovative infiltration and rougher extortion

“To find out more about ransomware on Android, the nastiest variants of the past year, as well as the most noteworthy examples since 2013, read the new whitepaper by ESET: Android Ransomware: From Android Defender To Doublelocker.”

[8th December 2017]

Dawn Kawamoto for Dark Reading: Android Ransomware Kits on the Rise in the Dark Web – “More than 5,000 Android ransomware kit listings have been spotted so far this year, with the median price range hitting $200.”

[24th October 2017]

David Bisson for Tripwire: LokiBot Banking Malware Triggers Ransomware if User Tries to Remove It

[13th October 2017]

ESET reports that “ESET researchers have spotted the first-ever ransomware misusing Android accessibility services. On top of encrypting data, it also locks the device.”

DoubleLocker: Innovative Android Ransomware

DoubleLocker: ESET interview with Lukáš Štefanko.

[18th July 2017]

Catalin Cimpanu: GhostCtrl Is an Android RAT That Also Doubles as Ransomware

… can lock mobile device by resetting their PIN and display a ransom note to infected victims.

These ransomware capabilities have been observed in the source code of GhostCtrl, but not in real-world infections…

…according to Trend Micro, is a heavily customized version of OmniRAT — a multi-purpose RAT … that can target four major operating systems: Android, Linux, macOS, and Windows.

Trend Micro report cited by Cimpanu.

[13th July 2017]

David Bisson for Graham Cluley’s blog: LeakerLocker ransomware threatens to dox Android users as extortion – Digital threat spotted in two apps on Google’s Play Store.

[7th July 2017]

Trend Micro: SLocker Mobile Ransomware Starts Mimicking WannaCry

[4th July 2017]

AV-Test offers an interesting aggregation of 2016/2017 malware statistics in its Security Report here.

Particularly relevant to this section:

  • Looking at the growth in malware for specific platforms, AV-Test notes a decrease in numbers for malware attacking Windows users. (Security vendors needn’t worry: there’s still plenty to go round…)
  • On the other hand, the report says of macOS malware that ‘With an increase rate of over 370% compared to the previous year, it is no exaggeration to speak of explosive growth.’ Of Android, it says that ‘the number of new threats … has doubled compared to the previous year.’

[June 27th 2017] Tom Spring for Kaspersky: Svpeng Behind a Spike in Mobile Ransomware. In Ransomware in 2016-2017: “In its analysis, Kaspersky Lab singled out two malware families, Svpeng and Fusob, as dominating the mobile ransomware space.”

Zscaler: “New Android ransomware bypasses all antivirus programs – Infection continues even after the victim pays the ransom”. Despite the sensationalist title and the four-hour gap between download and activation, it isn’t actually difficult to detect. ESET detects it as Android/Locker.KB. Some sources describe it as a PornDroid variant.

[February 23rd 2017] Catalin Cimpanu, for Bleeping Computer, details Lockdroid’s novel use of TTS functions as part of the post-payment unlocking process: Android Ransomware Asks Victims to Speak Unlock Code. Based on a report from Symantec that I haven’t seen yet.

Lockdroid’s current campaigns appear to be focused on China, but that doesn’t mean its innovations won’t be seen elsewhere. Symantec’s Dinesh Venkatesan noted implementation bugs and that it might be possible for a victim to recover the unlock code from the phone.

[February 20th 2017]

ONDREJ KUBOVIČ for ESET: Trends in Android ransomware

[January 2017]

The Register: More mobe malware creeps into Google Play – this time, ransomware – Charger seeks to drain bank accounts of unlucky ‘droids. Source, Checkpoint: Charger Malware Calls and Raises the Risk on Google Play

December 28th 2016:

Software engineer Darren Cauthon tweeted about how: ‘Family member’s tv is bricked by Android malware. #lg won’t disclose factory reset. Avoid these “smart tvs” like the plague.’

To put this into some perspective, this isn’t a recent model: he explains that ‘It was one of the first google tvs.’ (Google TV is no longer supported, and LG smart TVs now run on WebOS, apparently. However, Google is said to be working on another Android-based platform.)

Catalin Cimpanu reports for Bleeping Computer that ‘Cauthon says he tried to reset the TV to factory settings, but the reset procedure available online didn’t work.’ When contacted, it seems that LG suggested that an engineer could reset the TV at a cost of $340. Cimpanu suggests that the malware is probably FLocker (a.k.a. Dogspectus).

Commentary by David Bisson for MetaCompliance here.

December 21st 2016

Faketoken

Romain Unuchek for SecureList: The banker that encrypted files

Commentary by Lucian Constantin: Mobile banking trojans adopt ransomware features – Two Android trojans that steal financial information and login credentials now double as file-encrypting ransomware programs. In Lucian’s article he links to a September article by Anton Kivva on Tordow (see below), not to the one he quotes by Romain Unuchek (as above) on Trojan-Banker.AndroidOS.Faketoken. I’ve messaged him, so that may have changed by the time you read this.

Commentary by Richard Chirgwin for the Register: Bad news, fandroids: Mobile banking malware now encrypts files – First Faketoken stole credentials, now it holds data to ransom

Tordow

Anton Kivva for Kaspersky (September 20th 2016), describing malware discovered in February 2016 (Trojan-Banker.AndroidOS.Tordow.a): The banker that can steal anything.

According to Comodo (December 13th 2016), a ‘2nd version’ has acquired extra functionality characteristic of ransomware: Comodo Threat Research Labs Warns Android Users of “Tordow v2.0” outbreak. They refer to it as Android.spy.Tordow.

Commentary by Lucian Constantin: Mobile banking trojans adopt ransomware features – Two Android trojans that steal financial information and login credentials now double as file-encrypting ransomware programs. (The other malware he’s referring to is Faketoken, though in Lucian’s article he links to the September article by Anton Kivva, not to the one he quotes by Romain Unuchek. I’ve messaged him, so this may have changed by the time you read this.)

October 16th 2016

Interesting statistics from BitDefender: Ransomware becomes the main threat on Android in the US, UK, Germany, Denmark, Australia.

August 10th 2016

Lengthy description/analysis of an interesting Android ransomware threat from McAfee: ‘Cat-Loving’ Mobile Ransomware Operates With Control Panel.

I look forward to hearing commentary from Grumpy Cat. There is, however, no truth in rumours of a German language version known as BlackForestGato.

September 29th 2016

Older versions of screenlockers often labelled Android.Lockscreen denied Android users access to their own devices by locking the screen using a hardcoded passcode, which could be found by reverse engineering. However, as Dinesh Venkatesan reports for Symantec:

New variants of Android.Lockscreen are using pseudorandom passcodes to prevent victims from unlocking devices without paying the ransom.

Symantec’s article: Android.Lockscreen ransomware now using pseudorandom numbers – The latest Android.Lockscreen variants are using new techniques to improve their chances of obtaining ransom money.

Commentary by David Bisson for Tripwire.

[Added 15th July 2016 and published as separate article on this site]

[Also published on the Mac Virus blog, which also addresses smartphone security issues]

Not quite ransomware (though there is a suggestion that it may happen), but my ESET colleague Lukas Stefanko describes a fake lockscreen app that takes advantage of the currently prevalent obsession with Pokémon GO to install malware. The app locks the screen, forcing the user to reboot. The reboot may only be possible by removing and replacing the battery, or by using the Android Device Manager. After reboot, the hidden app uses the device to engage in click fraud, generating revenue for the criminals behind it by clicking on advertisements. He observes:

This is the first observation of lockscreen functionality being successfully used in a fake app that landed on Google Play. It is important to note that from there it just takes one small step to add a ransom message and create the first lockscreen ransomware on Google Play.

In fact, it would also require some other steps to enable the operators to collect ransom, but the point is well taken. It’s an obvious enough step that I’m sure has already occurred to some ransomware bottom-feeders. And it’s all too easy for a relatively simple scam to take advantage of a popular craze.

Clicking on porn advertisements isn’t the only payload Lukas mentions: the article is also decorated with screenshots of scareware pop-ups and fake notifications of prizes.

The ESET article is here: Pokémon GO hype: First lockscreen tries to catch the trend

Somewhat-related recent articles from ESET:

Other blogs are available. 🙂

[Added 7th July 2016]

Kaspersky report on growth in Android ransomware: KSN Report: Mobile ransomware in 2014-2016

Commentary by John Leyden for The Register: Android ‘ransomware surge’

[Also added 7th July 2016, copy/pasted from the Mac Virus blog]

Graham Cluley describes How Android Nougat will help protect your password from ransomware – New condition will partially prevent unwanted Android lockscreen password resets. The new OS upgrade will change the resetPassword API so that it can set a lockscreen password, but can’t reset it.

Which means that the new OS won’t stop malware setting the password if the user hasn’t already set one. Which sounds like a pretty good extra incentive to set one if you haven’t already. However, it looks as though it will also stop security software from disinfecting an upgraded phone if it becomes infected.

Nougat (Android 7.0) is scheduled to be rolled out later this year (2016).

[Added 25th May 2016]

For Malwarebytes, Chris Boyd reports on the Cyber.Police Android ransomware posing as an ‘Adult Player’, and its ludicrous claim that the victim can pay a ‘Treasury’ fine with iTunes gift cards. Who’d have thought that law enforcement were such dedicated music lovers?

[Added 18th May 2016]

SonicWALL warns of an embryonic screenlocker that it expects to see more of in the future. Commentary by Kaspersky – MALWARE-LACED PORN APPS BEHIND WAVE OF ANDROID LOCKSCREEN ATTACKS – and The Register: Smut apps infecting Androids with long-gestation nasties – Is that a KitKat in your pocket or are you just trying to p0wn me?

[Added 18/2/2016]

Just published: an excellent paper from ESET on The Rise of Android Malware. See also the introductory blog article here.

Android ransomware has been evolving from simple screen-locking malware to Simplocker, “the first Android ransomware to actually encrypt user files”, to Lockerpin, a type of screenlocking ransomware that modifies the phone’s unlock code so that, as another ESET colleague – malware researcher Lukas Stefanko – puts it:

…users have no effective way of regaining access to their device without root privileges or without some other form of security management solution installed, apart from a factory reset that would also delete all their data.

iOS

iOS ransomware is unusual, but not entirely unknown: see The Increasingly Strange Case of the Antipodean iOS Ransomware. However, some of what are seen as iOS ransomware messages may actually be variations on the tech support scam theme where the pop-up locks the browser but not the device (and even the Safari issue can be fixed). I think this is the case with the ‘iScam’ noted in a Better Business Bureau article: BBB: Staying aware of ‘ransomware’ smartphone scammers

3rd April 2017

David Bisson for Graham Cluley’s site: Scareware scammers lock iOS Safari to extort ransom from users – Apple’s latest iOS update has since burned this flawed campaign… Based on Lookout’s blog Mobile Safari scareware campaign thwarted.

8th July 2016

For CSO Online, Steve Ragan describes how Ransom demands are written in Russian via the Find my iPhone service. Here’s how he describes the attack:

It starts with a compromised Apple ID. From there, the attacker uses Find My iPhone and places the victim’s device into lost mode. At this point, they can lock the device, post a message to the lock screen and trigger a sound to play, drawing attention to it.

Thomas Reed also described a similar attack a few months back using iCloud’s ‘Find My Mac’.

Ragan also mentions ‘a rumor concerning “rumblings of a massive (40 million) data breach at Apple.”’ I’ve seen no confirmation of that anywhere, but it’s certainly a good time to check that your AppleID credentials are in good shape.

Commentary by Graham Cluley here. You might want to consider taking up his suggestion of enabling two-step verification on your Apple ID account, too.

Linux

Linux has attracted some attention recently. Notably:

FairWare Linux ransomware: Reported on Bleeping Computer here.

Description by David Bisson for Tripwire: Website Down? New FairWare Ransomware Could Be Responsible

For the Register, Darren Pauli reports Plain cruelty: Boffins flay Linux ransomware for the third time – World’s most determined VXers can’t get a break.

The article refers to the ransomware commonly classified as Linux.Encoder, for which BitDefender has published a decryption utility addressing the ransomware gang’s third attempt to generate ransomware for which the security industry won’t be able to provide a free fix. No cigar this time, either…

Amusing as this may seem, BitDefender’s crypto specialist Radu Caragea rightly points out that:

“Next time, hackers could actually come up with a working version of the ransomware that won’t be as easy to decrypt.”

Sadly, the days are gone when you could rely on the security industry to come up with a way of getting your files back (not that there was ever a time when recovery was guaranteed). Detecting the malware is one thing: too often, recovering files is much tougher. You really need to ensure that you have backups available even if your system is trashed.

Sophos apparently has a When Penguins Attack podcast, aimed at anyone who still thinks Linux is impregnable.

Ransomware and Healthcare

10th October 2016

Cahal Milmo for iNews: Dozens of NHS hospitals targeted by cyber blackmailers

22nd July 2016

The fact sheet from HHS Office of Civil Rights on ransomware, HIPAA compliance and enforcement, and commentary from Kevin Fu on why the presence of ransomware (or any other malware) ‘is a security incident under the HIPAA Security Rule.’

7th July 2016

The many faces of ransomware, by Morphisec’s Mordecai Guri for Help Net Security, focuses largely on ransomware targeting the healthcare industry.

25th May 2016: Paul Ducklin’s commentary for Sophos on Ransomware-hit hospital faces second demand despite paying up

Help Net Security’s article Crypto ransomware hits German hospitals, based on this article from DW, also includes links to its story about the attack on the Hollywood Presbyterian Medical Center, and another story about a New Zealand hospital hit with Locky. Commentary by John Leyden for The Register here. And an article from My News LA about an apparent attack on the Los Angeles Department of Health.

As far as I can make out there is no firm indication of links between all these attacks, or that hospitals are being specifically targeted by specific malware, but the clustering is worrying. If nothing else, it is clear that hospitals, like any other organization, survive such attacks better if they have suitably-protected backups and other well-administered security precautions in place.

for Malwarebytes on Canadian Hospital Serves Ransomware Via Hacked Website.

Graham Cluley for Tripwire on how Ransomware Forces Hospitals to Shut Down Network, Resort to Paper, relating to the ransomware attack on the MedStar Health group of hospitals (29th March 2016)

31/3/2016: I do not like that SamSam-I-am ransomware

Darren Pauli for The Register flags the rise of a ransomware variant that, according to Talos, has ‘a particular focus on the healthcare industry’.

Pauli’s article: Hospital servers in crosshairs of new ransomware strain – SamSam virus is highly contagious and Bitcoin’s the only known cure. He also summarizes Maktub, which resembles SamSam in that files are encrypted offline and C&C infrastructure is not used for payment.

The Talos blog with more technical detail: SAMSAM: THE DOCTOR WILL SEE YOU, AFTER HE PAYS THE RANSOM

Malwarebytes analysis of Maktub: Maktub Locker – Beautiful And Dangerous

Commentary by Sean Gallagher for Ars Technica: Two more healthcare networks caught up in outbreak of hospital ransomware – New server-targeting malware hitting healthcare targets with unpatched websites.

Pierluigi Paganini: Why malware like the Samsam ransomware are so dangerous for hospitals?

[June 7th 2016]

Fortinet: Move over Healthcare, Ransomware Has Manufacturing In Its Sights

Ransomware and the Public Sector

Widening the discussion slightly to the public sector and beyond…

Kat Hall reports for The Register on an attack against North Dorset Council apparently involving 6,000 files compromised by ransomware. The council refused to pay the ransom and are quoted as saying:

“The ‘ransomware’ attack was quickly detected by our security systems and action was taken to minimise the impact on our systems. No customer data was compromised.”

G-Data’s Eddy Willems is quoted as saying that organizations are being targeted that are less likely to have up-to-date protection and therefore more likely to pay the ransom. ESET’s Mark James didn’t suggest specific targeting, but did observe that public sector organizations are vulnerable because of the sensitivity of the data they hold and the fact that they are likely to be hampered by budget constraints.

Having spent much of my life working for the National Health Service, I’m all too aware of those constraints, and have a great deal of sympathy for executives who have to walk the tightrope between the need for the best affordable security and the need to prioritize direct spending on patient care. Similar concerns apply in other public sector organizations, charities and so on. When it comes to ransomware, however, the risk it poses to client data and wellbeing does call for an effective security strategy that prioritizes data and system backups and data recovery. It sounds as if the Council in this case were properly prepared.

Going beyond healthcare to the Critical National Infrastructure (though in the UK the NHS is considered part of the CNI, or was…), here’s one of the articles relating to an electric utility in Michigan all but shut down by ransomware: Electric utility hit by ransomware shuts down IT systems for a week (Sophos, 4th May 2016)

Ransomware and Education

[June 8th 2016]

David Bisson for Tripwire: University Pays $20K Ransom Following Ransomware Attack

And because the University of Calgary has a special place in virus creation history: Symmetry and Virus Writing

Multi-Platform

Catalin Cimpanu: GhostCtrl Is an Android RAT That Also Doubles as Ransomware

… can lock mobile devices by resetting their PIN and display a ransom note to infected victims.

These ransomware capabilities have been observed in the source code of GhostCtrl, but not in real-world infections…

…according to Trend Micro, is a heavily customized version of OmniRAT — a multi-purpose RAT … that can target four major operating systems: Android, Linux, macOS, and Windows.

The Trend Micro report cited by Cimpanu.

WordPress

[18th August 2017]

Ransomware targeting WordPress sites

WordFence, which offers a security plugin for WordPress sites, reports on Ransomware Targeting WordPress – An Emerging Threat, claiming to have ‘captured several attempts to upload ransomware that provides an attacker with the ability to encrypt a WordPress website’s files and then extort money from the site owner.’

I hope the company won’t mind my quoting this important paragraph:

If you are affected by this ransomware, do not pay the ransom, as it is unlikely the attacker will actually decrypt your files for you. If they provide you with a key, you will need an experienced PHP developer to help you fix their broken code in order to use the key and reverse the encryption.

Commentary by HelpNet Security here: EV ransomware is targeting WordPress sites
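Wordfence’s advice above is about what to do after the fact. As an added example (not code from Wordfence, HelpNet or the original page), here is a small audit in Python that a site owner can run against a WordPress document root before an upload attempt succeeds: it flags any file under wp-content/uploads that is executable PHP, either by extension or by carrying a PHP open tag inside a file that pretends to be an image, and returns the Apache 2.4 .htaccess rule that denies PHP execution in that directory. The sample site tree it builds is constructed test data, the planted dropper.php is an inert stand-in rather than the ransomware the report describes, and the .htaccess snippet assumes Apache 2.4 `Require` syntax; nginx users would need the equivalent `location` rule instead.

```python
import re
import tempfile
from pathlib import Path

# Extensions Apache will hand to the PHP handler in a default WordPress install.
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}
# A PHP open tag (<?php or <?=) has no business inside an uploaded image or document.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Apache 2.4 rule to drop into wp-content/uploads/.htaccess: even if a PHP file
# lands there, the web server refuses to serve (and therefore execute) it.
HTACCESS_DENY_PHP = (
    '<FilesMatch "\\.(php|phtml|php[0-9]|phar)$">\n'
    "    Require all denied\n"
    "</FilesMatch>\n"
)


def scan_uploads(wp_root):
    """Return a sorted list of (relative_path, reason) for suspicious files
    under wp-content/uploads. Only the first 4 KiB of each file is inspected,
    which is enough to catch a PHP tag placed after a fake image header."""
    wp_root = Path(wp_root)
    uploads = wp_root / "wp-content" / "uploads"
    findings = []
    for path in uploads.rglob("*"):
        if not path.is_file():
            continue
        reason = None
        if path.suffix.lower() in PHP_EXTENSIONS:
            reason = "php extension"
        else:
            with path.open("rb") as fh:
                head = fh.read(4096)
            if PHP_TAG.search(head):
                reason = "php open tag in non-php file"
        if reason:
            findings.append((path.relative_to(wp_root).as_posix(), reason))
    return sorted(findings)


def htaccess_for_uploads():
    """The deny rule a site owner would write to wp-content/uploads/.htaccess."""
    return HTACCESS_DENY_PHP


def build_sample_site():
    """Construct a throwaway WordPress-like tree (constructed sample data):
    one real-looking image, one planted PHP dropper, one image/PHP polyglot,
    and legitimate theme PHP outside the uploads directory."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    uploads = root / "wp-content" / "uploads" / "2017" / "08"
    uploads.mkdir(parents=True)
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    # Inert stand-in for an uploaded dropper; it does nothing if executed.
    (uploads / "dropper.php").write_bytes(b"<?php /* constructed stand-in */ ?>")
    # Polyglot: starts with a GIF header so naive MIME sniffing calls it an image.
    (uploads / "image.png.jpg").write_bytes(b"GIF89a<?php echo 1; ?>")
    themes = root / "wp-content" / "themes" / "sample"
    themes.mkdir(parents=True)
    (themes / "functions.php").write_bytes(b"<?php // legitimate theme code ?>")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel_path, why in scan_uploads(site):
        print(f"{rel_path}: {why}")
    print("Suggested wp-content/uploads/.htaccess:")
    print(htaccess_for_uploads())
```

Run it against a real document root by replacing build_sample_site() with the path to the install; anything the scan reports under uploads should be treated as a foreign file, and the .htaccess rule closes the execution path whether or not the scan is clean today.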

[Back to the Ransomware Resource Page]