Jérôme Segura examines another attack somewhere on the thin borderline between ransomware and tech support scams: Tech support scam page triggers denial-of-service attack on Macs. This is another instance of scammers encouraging victims to call a fake helpline by hitting them with some sort Denial of Service (DoS) attack: in this case, by causing Mail to keep opening email drafts until the machine freezes, or using iTunes., apparently to put up a fake alert.
Commentary by David Bisson for Tripwire: Tech Support Scam Creates Series of Email Drafts to Crash Macs.
Reported on Bleeping Computer here.
Description by David Bisson for Tripwire: Website Down? New FairWare Ransomware Could Be Responsible
Graham Cluley reports for Hot for Security that Only 38% of businesses believe they will recover from a ransomware attack. He cites a study by Tripwire – Survey: 62% of Companies Lack Confidence in Ability to Confront Ransomware Threat – based on the responses of security professionals at RSA 2016.
Interestingly, Tripwire also ran a Twitter poll asking ‘What is the most important step users can take to prevent ransomware infections?’
The options and responses were:
- 47% said ‘Don’t click suspect links’
- 37% said ‘Back up your data often’
- 11% said ‘Install software patches’
- 5% said ‘Use an AV solution’
I won’t complain about the low ranking of AV here: after all, no-one is suggesting, presumably, that all those options are mutually exclusive, and in fact they’re all steps people should be taking. But I can’t help wondering who these people are who click on a link even though it’s suspicious. Isn’t the point that so many people have such an unformed view of what ‘suspicious’ really means?
David Bisson describes Ransomware Propagation Tied to TeamViewer Account (UPDATED) for Tripwire. Here’s a thread on Bleeping Computer that seems to have been sparked by an early victim. Lawrence Abrams states that the malware is based on the much-abused EDA2 PoC. Analysis of all the reported cases seems to have pointed to the presence of TeamViewer on all affected systems and the implication of a specific TeamViewer account in a number of cases. Axel Schmidt, PR Manager at Teamviewer, is quoted as saying:
…none of the reports currently circulating hint at a structural deficit or a security glitch of TeamViewer.
Angler takes a lead role in an article by Graham Cluley for Tripwire: Crypto-ransomware Spreads via Poisoned Ads on Major Websites
Here are a couple of ‘what you need to know’ articles on ransomware. At some point I might come back to make a few comments about individual points, but in general, if you’re still puzzled as to what it’s all about, you might find some useful thoughts here.
Happy endings aren’t nearly as common as I’d wish in the world of ransomware, but David Balaban’s guest blog article for Tripwire offers a few instances where decryption didn’t mean paying a ransom:
The instances he cites include:
- Coinvault and Bitcryptor
Unfortunately, recovery tools are rarely forever, and often the scammer wises up and fixes the holes in his code. So there are many cases where paying up is the only way to get your data back, if you don’t have backups. But before you do pay up, consider Balaban’s advice and ‘describe your problem on computer help forums like Bleeping Computer orMalwarebytes.’ Or, of course, contact the company that makes your security software.
Don’t just assume that the scammers are evil geniuses who can’t be beaten.
To be precise, the ZIP file distributed by the spam campaign activates Powershell to download a Kovter payload delivering ransomware. The secondary payload is CoreBOT, a highly adaptive form of modular malware.
According to Heimdal’s Andrea Zaharia, the spam message looks something like this:
From: [spoofed / fake return address]
Subject Line: Payment for tax refund # 00 [6 random numbers]
Tax_Refund_00654767.zip -> Tax_Refund_00654767.doc.js
Heimdal analysis: Security Alert: Fileless Kovter Teams Up with Modular CoreBot Malware in IRS Spam Campaign
Commentary from David Bisson for Tripwire: Fake IRS Spam Email Campaign Serves Up Kovter, CoreBot Malware
Added to Ransomware Resources page.