Updates to Specific Ransomware Families and Types
The Register: Please forgive me, I can’t stop robbing you: SamSam ransomware earns handlers $5.9m – “Sophos has been investigating the SamSam campaign since its emergence. A study (PDF) based on this research – released on Tuesday – summarises its findings about the attacker’s tools, techniques and protocols.” For ZDnet, Danny Palmer tells us that This destructive ransomware has made crooks $6m by encrypting data and backups – “Attackers behind destructive SamSam ransomware show no signs of giving up – and they’re now taking $300,000 a month in ransom from victims.”
Bleeping Computer: BitPaymer Ransomware Infection Forces Alaskan Town to Use Typewriters for a Week – “In a PDF report published yesterday, Wyatt finally identified the “virus” as the BitPaymer ransomware. This ransomware strain was first spotted in July 2017, and it first made news headlines in August 2017 when it hit a string of Scottish hospitals.”
Updates to Tech support scams resource page
Sean Gallagher for ArsTechnica: Click on this iOS phishing scam and you’ll be connected to “Apple Care” – “This phishing attack also comes with a twist—it pops up a system dialog box to start a phone call. The intricacy of the phish and the formatting of the webpage could convince some users that their phone has been “locked for illegal activity” by Apple, luring users into soon clicking to complete the call.”
Commentary from Sophos: Porn-warning security scam hooks you up to “Apple Care”
Proofpoint’s analysis of malware they call CryptXXX can be found here: CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler. Proofpoint observes that it has seen ‘an Angler EK into Bedep pass pushing both a ransomware payload and Dridex 222’, which may or may not be connected to the fact that Spamfighter has reported that Dridex is implicated in the distribution of ransomware. Spamfighter’s article – Security Researchers Discover Admin Panel of Dridex, Leverage Vulnerability and Hijack Backend – summarizes a report from Buguroo: Report: Analysis of Latest Dridex Campaign Reveals Worrisome Changes and Hints at New Threat Actor Involvement. The Buguroo page suggests that vulnerabilities in the Dridex infrastructure are responsible for its being used to distribute Locky. I haven’t read the full report – it requires registration.
An article by Emily Sweeney for the Boston Globe, 5 things to know about ransomware, is essentially a personal recollection of being a victim coupled with some basic advice, but it’s not bad advice. One point I’d always stress about backups, though, is the need to ensure that they’re not so easily accessible that reasonably advanced ransomware will be able to encrypt the backed-up material at the same time as the live data. And don’t access your offline backups until you’re sure the malware has been eradicated.
Meanwhile, a Spiceworks post describes a couple of very bad days for a sysadmin, of which a Cryptowall attack was just a part. It’s a salutary reminder that disasters aren’t always considerate enough to happen one at a time, and that it’s always worth over-engineering a corporate backup strategy.
Sean Gallagher (or at any rate an editor looking for an eye-catching headline) for Ars Technica tells us OK, panic—newly evolved ransomware is bad news for everyone – Crypto-ransomware has turned every network intrusion into a potential payday. I don’t think panic is the best response to the ransomware problem, but there’s certainly an argument for informed concern, and the article does describe some aspects that we should indeed be concerned about and take steps to address.
And for the Register, Iain Thompson summarizes the issues around SamSam’s migration from hospitals to schools and the should-have-been-patched-long-ago JBoss vulnerability that Talos has flagged previously.
Darren Pauli for The Register flags the rise of a ransomware variant that, according to Talos, has ‘a particular focus on the healthcare industry’.
Pauli’s article: Hospital servers in crosshairs of new ransomware strain – SamSam virus is highly contagious and Bitcoin’s the only known cure. He also summarizes Maktub, which resembles SamSam in that files are encrypted offline and C&C infrastructure is not used for payment.
The Talos blog with more technical detail: SAMSAM: THE DOCTOR WILL SEE YOU, AFTER HE PAYS THE RANSOM
Malwarebytes analysis of Maktub: Maktub Locker – Beautiful And Dangerous
Commentary by Sean Gallagher for Ars Technica: Two more healthcare networks caught up in outbreak of hospital ransomware – New server-targeting malware hitting healthcare targets with unpatched websites.