Malware RSS Feed
At SAS 2017, on April 1st and 2nd on St. Maarten, Global Director of GReAT Costin Raiu and Principal Security Researchers Vitaly Kamluk and Sergey Mineev will provide YARA training for incident response specialists and malware researchers who need an effective arsenal for finding malware. During the training, the experts will give participants access to some of Kaspersky Lab's internal systems, which are otherwise closed to the public, to demonstrate how the company's malware analysts catch rare samples. After two days, even a newcomer will walk away with the ability to write rules and start using the tool for hunting malware. You can book your seat now; the class is limited to a maximum of 15 participants.
Each trainer has an impressive portfolio of cyber-espionage campaigns that they have investigated, including Stuxnet, Duqu, Flame, Gauss, Red October, MiniDuke, Turla, Careto/TheMask, Carbanak and Duqu2.
Why YARA training?
Protective measures that were effective yesterday don't guarantee the same level of security tomorrow. Indicators of Compromise (IoCs) can help you search for footprints of known malware or for an active infection. But serious threat actors have started to tailor their tools to each victim, which makes IoCs much less effective: a hash or C&C domain seen in one intrusion rarely reappears in the next. Good YARA detection rules, which describe what the code looks like rather than a single artefact, still allow analysts to find malware, exploits and 0-days which couldn't be found in any other way. The rules can be deployed in networks and on various multi-scanner systems.
Giveaways
People who go through the training will be able to start writing relatively complex YARA rules for malware – from polymorphic keyloggers all the way up to highly complex malware – that can't be detected easily with strings. The GReAT trainers will teach how to balance rules, in other words how to write detection rules while minimising the risk of false positives. They will also share their experience of what exactly they are looking for when they write YARA rules as part of their everyday jobs.
What are the requirements for participation?
You don't have to be an expert to go through this training. It's enough to have basic knowledge of how to use a text editor and the UNIX grep tool, and a basic understanding of what computer viruses are and what binary formats look like. You'll also need your laptop with YARA v3.4.0 installed. Experience with malware analysis, reverse engineering and programming (especially in structured languages) will help you to learn more quickly, but you can learn without it.
Catching a 0-day with YARA
One of the most remarkable cases in which Kaspersky Lab’s GReAT used YARA was the very famous Silverlight 0-day: the team started hunting for this after Hacking Team, the Italian company selling “legal surveillance tools” for governments and LEAs, was hacked. One of the stories in the media attracted our researchers’ attention — according to the article, a programmer offered to sell Hacking Team a Silverlight 0-day, an exploit for an obsolete Microsoft plug-in which at some point had been installed on a huge number of computers.
GReAT decided to create a YARA rule based on this programmer's older, publicly available proof-of-concept exploits. Our researchers found that he had a very particular style when coding the exploits: he used very specific comments, shellcode and function names. All of this unique information was used to write a YARA rule; in effect, the experts gave it a clear task: "Go and hunt for any piece of malware that shows the characteristics described in the rule". Eventually it caught a new sample, which turned out to be a 0-day, and the team reported it to Microsoft immediately.
If you're a scholar…
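To make the approach concrete, here is an added example of the kind of style-based hunting rule described above. It is an editorial illustration, not the rule GReAT wrote, and every string in it (comment text, function names, shellcode fragment) is a hypothetical placeholder rather than an indicator from this story. The condition also shows the rule balancing mentioned under Giveaways: no single weak string fires the rule on its own, and a file-size cap keeps large installers and archives out of the match set.

```yara
rule Hunt_ExploitAuthor_Style_Example
{
    meta:
        description = "Added example: hunt for one exploit author's coding habits instead of a known hash"
        note = "All strings below are hypothetical placeholders, not indicators from the post"

    strings:
        // Idiosyncratic source comments that tend to survive in script and managed-code exploits
        $cmt1 = "// step 1: heap spray, then pray" ascii wide
        $cmt2 = "// TODO: remove before selling" ascii wide

        // Helper function names reused across the author's public PoCs (hypothetical)
        $fn1 = "GetShellcodeAddr" ascii wide
        $fn2 = "TriggerUAF" ascii wide
        $fn3 = "SprayHeapBlocks" ascii wide

        // Shellcode stub copied between PoCs: xor eax,eax ; push eax ; push ".exe" ; push "calc"
        $sc1 = { 31 C0 50 68 2E 65 78 65 68 63 61 6C 63 }

    condition:
        filesize < 2MB and
        (
            // two independent habits together: a quirky comment plus a helper name ...
            (1 of ($cmt*) and 1 of ($fn*))
            // ... or the copied stub together with any one named habit
            or ($sc1 and 1 of ($cmt*, $fn*))
        )
}
```

Two practical notes: a Silverlight .xap is a ZIP archive, so strings inside the compressed DLLs will not match until the package is unpacked, and any such rule should be run against a clean corpus first, because each string on its own would be far too weak to deploy.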
Surprisingly enough, YARA can be used for any sort of classification, such as finding documents by metadata, email and so on. If you work with any kind of rare information and lack a competitive tool for searching for it, come to St. Maarten in April and join the training — you’ll benefit greatly.
You are welcome to listen to the podcast to learn how YARA can be used in malware hunting, data analysis and incident response activities.
Book a seat at sas.kaspersky.com now to hunt APTs with YARA like a GReAT ninja!
Every year, the Chaos Communication Congress summons hackers from around the globe, this time again in Hamburg. The four days between Christmas and New Year are packed with talks, workshops and events all over the CCH venue. Large hackerspaces host groups and projects from all areas such as lock-picking, art, music, software projects of all kinds and more. Tickets were strictly limited this year, so not all who wanted to come could. However, thanks to freely available live streams, free access to the video recordings and online resources such as the wiki and communication channels, everyone, wherever they were, could join and be part of this event.
It is simply not possible to summarize this event in a few sentences or to point out highlights without missing some, not least because of the wide range of areas the talks and projects cover. There were technical talks about vulnerabilities in a banking app and in flight booking systems. An overview of the North Korean tablet "Woolim" was given, following last year's insight into North Korea's "Red Star OS". One of the main topics, of course, is privacy. Others focus on current trends such as IoT security, big data and blockchain. The full program can be found on the congress website.
Out of respect for attendees' privacy, taking photos is only allowed under strict rules. The following impressions therefore do not contain any pictures of people.
While intercepting traffic from a number of infected machines that showed signs of the Remote Admin Tool malware known as HawkEye, we stumbled upon an interesting domain. It was registered to a command and control server (C2) which held stolen keylog data from HawkEye RAT victims, but was also being used as a one-stop shop for purchasing hacking goods.
WhiteHats on the prowl?
Before diving into an analysis of the server, it is worth pointing out some interesting behavior spotted in several of the victims' stolen accounts. A group of WhiteHat hackers who call themselves Group Demóstenes were found to be working around the clock, trawling the internet and looking to exfiltrate stolen data from C2 servers. When such a server was found, the group looked for a backdoor that would give them control over the filesystem. They would then monitor the incoming stolen data. Either manually or automatically, they would collect the stolen credentials and send emails to the victims' accounts. These emails contained an attachment with proof that the user's machine had been compromised. In addition, they advised the user to change passwords immediately and offered to help.
Our SERVERS detected information from a server on the US, we don’t even know goverment or another sourse …. we send a file with all your logins and passwords of all your accounts from hxxp://www.p******op[.]biz/*******
WE HAVE TESTING IN YOUR PAYPAL ACCOUNT. LOG IN TO YOUR ACCOUNT AND YOU WILL SEE TWO CANCELED BILLING (OUR JOB IS WHITE HAT NO HACK …. Steal)
Seme you verify this information. it’s better thing we hurt all change password on the other computer Because Called Computer
Name PC USER-PC
Local Time: 03.10.2016. 18:45:02
Installed Language: en-
Net Version: 2.0.50727.5485
Operating System Platform: Win32NT
Operating System Version: 6.1.7601.65536
Operating System: Microsoft Windows 7 Home Premium
Internal IP Address: 192.168.0.101
External IP Address:
Installed Anti virus: Avast Antivirus
have a keylogger harm report All That You write, messages, passwords or more.
¿Why we do it?
We have a Cause Called Group Demóstenes looking for Ciber attacks and false info.
Please Donate by PayPal at h**cg**an@gmail[.]com 5 USD or more, Because this is only our ingress.
PLEASE WRITE ME AT THIS MAIL FOR KNOW IF YOU KNOW ABOUT THIS
The email above appears in two languages, English and Spanish. The name of the group appears to be of Portuguese origin, though it is not certain.
The shopfront: the command and control servers
Scanning for network services which are running on the C2, we discovered that it contains not only a back-end for storing stolen credentials but also a front-end for selling some of them, alongside many other “goods”.
Browsing the domain that communicated with the HawkEye RAT samples disclosed a login page. Given the fact that the server was newly operational, it allowed users to register an account and login to purchase the goods on offer.
Registering on the C2 web application and logging in showed no sign of the stolen data transferred from compromised machines; instead, a forum-like web page opens up after a successful login.
The C2 was meant to securely store the stolen data; however, it contained a crucial vulnerability which allowed researchers to download the stolen data.
The C2 owners seem to have added six new Shell scripts on 22 November, just a week before the research started – a further indication of how new the operation is.
Another item for sale is scam pages, and some are multilingual. The attackers also reveal the scope of their victims, noting those who are registered to Amazon, Apple, Netflix and even National Bank of Australia and Barclays. The listing of the year next to the banking information probably refers to how up-to-date the scam pages are in terms of the bank’s website updates.
The attackers have spared no details and have added additional information regarding how one should act when using their services, and who to contact in the Support tab.
To purchase goods in the private shop you must deposit money into your account on the website. The attackers accept Bitcoins, PerfectMoney and WebMoney.
As we described, HawkEye is a robust keylogger that can hijack keystrokes from any application opened on the victim's PC. It can also identify login events and record the destination, username and password. Its usefulness to the attacker is, however, limited where two-factor authentication or single sign-on is in use, since a captured password alone is then not enough to log in.
Stolen credentials on the server were found to be holding sensitive access passwords to government, healthcare, banking and payment web applications. Among them is the following web server which belongs to the Pakistani government.
As mentioned, hundreds of machines were found to be compromised by just one C2. The following is a partial list of what was downloaded from the malicious server.
Usually, careless threat actors forget to remove test files which might contain sensitive data. In this case, we were able to obtain the attackers' credentials from one very small file that was captured when searching for related strings.
Target geography
The research is still ongoing; the campaign is currently affecting users located in APAC, such as Japan, Thailand and India, as well as parts of Eastern Europe such as Russia and Ukraine.
Recently, in our never-ending quest to protect the world from malware, we found a misbehaving Android trojan. Although malware targeting the Android OS stopped being a novelty quite some time ago, this trojan is unusual. Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network. The trojan, dubbed Trojan.AndroidOS.Switcher, performs a brute-force password guessing attack on the router's admin web interface. If the attack succeeds, the malware changes the addresses of the DNS servers in the router's settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals (such an attack is also known as DNS hijacking). So, let us explain in detail how Switcher performs its brute-force attacks, gets into the routers and undertakes its DNS hijack.
Clever little fakes
To date, we have seen two versions of the trojan:
- acdb7bfebf04affd227c93c97df536cf; package name – com.baidu.com
- 64490fbecefa3fcdacd41995887fe510; package name – com.snda.wifi
The first version (com.baidu.com) disguises itself as a mobile client for the Chinese search engine Baidu, simply opening the URL http://m.baidu.com inside the application. The second version is a well-made fake of a popular Chinese app (http://www.coolapk.com/apk/com.snda.wifilocating) for sharing information about Wi-Fi networks (including the security password) between users of the app. Such information is used, for example, by business travelers to connect to a public Wi-Fi network for which they don't know the password. It is a good place to hide malware targeting routers, because users of such apps usually connect to many Wi-Fi networks, thus spreading the infection.
The cybercriminals even created a website (though badly made) to advertise and distribute the aforementioned fake version of com.snda.wifilocating. The web server that hosts the site is also used by the malware authors as the command-and-control (C&C) server.
The trojan performs the following actions:
- Gets the BSSID of the network and informs the C&C that the trojan is being activated in a network with this BSSID
- Tries to get the name of the ISP (Internet Service Provider) and uses that to determine which rogue DNS server will be used for DNS hijacking. There are three possible DNS servers – 101.200.147.153, 112.33.13.11 and 120.76.249.59; 101.200.147.153 is the default choice, while the others are chosen only for specific ISPs
- Launches a brute-force attack with the following predefined dictionary of logins and passwords:
- If the manipulation of the DNS addresses was successful, the trojan reports its success to the C&C
To appreciate the impact of such actions it is crucial to understand the basic principles of how DNS works. DNS is used for resolving a human-readable name of a network resource (e.g. a website) into the IP address that is used for actual communication in the computer network. For example, the name "google.com" is resolved into one of the IP addresses of Google's servers. In general, a normal DNS query is performed in the following way:
When using DNS hijacking, the cybercriminals change the victim's (in our case the router's) TCP/IP settings to force it to make DNS queries to a DNS server controlled by them – a rogue DNS server. So the scheme changes into this:
As you can see, instead of communicating with the real google.com, the victim will be fooled into communicating with a completely different network resource. This could be a fake google.com, saving all your search requests and sending them to the cybercriminals, or it could just be a random website with a bunch of pop-up ads or malware. Or anything else. The attackers gain almost full control over the network traffic that uses the name-resolving system (which includes, for example, all web traffic).
You may ask why this matters: routers don't browse websites, so where's the risk? Unfortunately, the most common configuration for Wi-Fi routers is to hand the router's own DNS settings to every device that connects (the router's DHCP server advertises them), which forces all devices in the network to use the same rogue DNS. So, after gaining access to a router's DNS settings, one can control almost all the traffic in the network served by this router.
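To show how the hijack reaches the clients, here is an added example (editorial code, not from the post or from Kaspersky Lab) that parses the options section of a DHCP message and flags resolver addresses in option 6 (Domain Name Server) that appear on a block list. The packet and the block list are constructed placeholders using TEST-NET addresses; in practice the block list would hold the rogue servers named in the post and the payload would come from a capture of the router's DHCPOFFER or DHCPACK.

```python
"""Added example (not from the post): find rogue resolvers in a DHCP message.

A router with hijacked DNS settings normally pushes the rogue resolver to every
client in DHCP option 6, so auditing what the DHCP server advertises is the
network-side counterpart of checking a single device. The payload is the UDP
body of a BOOTP/DHCP message: a 236-byte fixed header, the 4-byte magic
cookie, then TLV options (RFC 2132). All sample data here is constructed.
"""
import ipaddress
from typing import Dict, List

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236          # op, htype, hlen, hops, xid, ..., sname, file
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 6, 53, 255

# Constructed block list (TEST-NET-3 addresses). Replace with the rogue DNS
# servers named in the post when auditing a real network.
ROGUE_DNS = {"203.0.113.53", "203.0.113.153"}


def parse_dhcp_options(payload: bytes) -> Dict[int, List[bytes]]:
    """Return {option_code: [value, ...]} for every option before END."""
    cookie_end = BOOTP_FIXED_LEN + len(DHCP_MAGIC)
    if len(payload) < cookie_end or payload[BOOTP_FIXED_LEN:cookie_end] != DHCP_MAGIC:
        raise ValueError("not a DHCP message: short payload or bad magic cookie")
    options: Dict[int, List[bytes]] = {}
    i = cookie_end
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header at offset %d" % i)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value for option %d" % code)
        options.setdefault(code, []).append(value)   # a code may repeat (RFC 3396)
        i += 2 + length
    return options


def advertised_dns_servers(payload: bytes) -> List[str]:
    """Resolver addresses from option 6, in the order the server lists them."""
    servers: List[str] = []
    for value in parse_dhcp_options(payload).get(OPT_DNS, []):
        if len(value) % 4:
            raise ValueError("option 6 length %d is not a multiple of 4" % len(value))
        for off in range(0, len(value), 4):
            servers.append(str(ipaddress.IPv4Address(value[off:off + 4])))
    return servers


def rogue_dns_servers(payload: bytes, blocklist=ROGUE_DNS) -> List[str]:
    """Advertised resolvers that are on the block list."""
    return [s for s in advertised_dns_servers(payload) if s in blocklist]


def build_offer(dns: List[str]) -> bytes:
    """Constructed DHCPOFFER: zeroed fixed header plus a minimal option set."""
    body = bytes([2]) + b"\x00" * (BOOTP_FIXED_LEN - 1) + DHCP_MAGIC   # op=2 (BOOTREPLY)
    body += bytes([OPT_MSG_TYPE, 1, 2])                                # message type = OFFER
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in dns)
    body += bytes([OPT_DNS, len(packed)]) + packed
    return body + bytes([OPT_END])


# Constructed sample: a hijacked router advertising a rogue primary and a
# legitimate public secondary, the pattern the post describes.
SAMPLE_OFFER = build_offer(["203.0.113.53", "8.8.8.8"])

if __name__ == "__main__":
    print("advertised:", advertised_dns_servers(SAMPLE_OFFER))
    print("flagged:   ", rogue_dns_servers(SAMPLE_OFFER))
```

The secondary resolver is left legitimate in the sample on purpose: as the post notes in its conclusion, that is what keeps name resolution working when the rogue server is down, so a check that only looks at the first address would miss nothing here, but a check that only tests whether "DNS works" would miss the hijack entirely.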
The cybercriminals were not cautious enough and left their internal infection statistics in the open part of the C&C website.
According to them, they successfully infiltrated 1,280 Wi-Fi networks. If this is true, the traffic of all users of these networks is susceptible to redirection.
Conclusion
The Trojan.AndroidOS.Switcher does not attack users directly. Instead, it targets the entire network, exposing all its users to a wide range of attacks, from phishing to secondary infection. The main danger of such tampering with a router's settings is that the new settings survive a reboot of the router, and it is very difficult to find out that the DNS has been hijacked. Even if the rogue DNS servers are disabled for some time, the secondary DNS, which was set to 8.8.8.8 (Google's public resolver), will be used, so name resolution keeps working and users and/or IT will not be alerted.
We recommend that all users check their DNS settings and search for the three rogue DNS servers listed above.
If you have one of these servers in your DNS settings, contact your ISP's support or alert the owner of the Wi-Fi network. Kaspersky Lab also strongly advises users to change the default login and password for the admin web interface of their router to prevent such attacks in the future.
The Mirai botnet, which is made up of IoT devices and which was involved in DDoS attacks whose scale broke all possible records, causing denial of service across an entire region, has been extensively covered by the mass media. Given that the botnet’s source code has been made publicly available and that the Internet of Things trend is on the rise, no decline in IoT botnet activity should be expected in the near future.
To put this in perspective, recall 2011, when the source code of the Zeus banker Trojan was made publicly available. A huge number of modifications of the Trojan appeared as a result, many of which are still active and rank among the most widespread financial malware. Similarly, the recent leak is likely to result in the emergence of Mirai modifications, created by cybercriminals and based on the source code that was made public.
The botnet remains active. We carried out an analysis of its activity to find out how Mirai operates, what objectives its owners are pursuing and, most importantly, what needs to be done to avoid becoming part of the botnet in the future.
How Mirai Works
Based on the botnet’s source code that was published on a user forum, Mirai consists of the following components:
- a command-and-control center (C&C) that contains a MySQL database of all infected IoT devices (bots) and sends commands to intermediate command distribution servers;
- a Scan Receiver component that collects the results of each bot’s operation and forwards them to the component that downloads the bot onto vulnerable devices (the Distributor);
- a downloader component, which delivers the bot’s binary file to a vulnerable device (using the wget and tftp utilities – but if they are not present in the system, it uses its own proprietary downloader);
- a bot, which, after being launched on an infected device, connects to the command-and-control center, scans an IP range (SYN scanning) for vulnerable IoT devices and sends the scan results to the Scan Receiver component in order for further malicious code to be subsequently downloaded to the device.
An important feature of the way the Mirai botnet scans devices is that the bot uses a login and password dictionary when trying to connect to a device. The author of the original Mirai included a relatively small list of logins and passwords for connecting to different devices. However, we have seen a significant expansion of the login and password list since then, achieved by including default logins and passwords for a variety of IoT devices, which means that multiple modifications of the bot now exist.
List of logins and passwords used by the original Mirai in its search for vulnerable IoT devices
However, this is by no means all the Mirai botnet can tell us about itself.
Analysis of the Botnet's Activity
All you need to do to evaluate the Mirai botnet’s current activity is to deploy a server with an open telnet port somewhere on the Internet and analyze connection attempts made by different bots. For example, we detected the first attempts to connect to our telnet port, by several different hosts, within three minutes of putting our experimental server online.
Two facts indicate that these connections are made by bots of the original Mirai or its modifications (i.e., by infected devices):
- the accounts used by the bots in their attempts to establish a connection are found on the original botnet’s brute force word list;
- an analysis of connection sources has shown that infected hosts that perform scanning are in most cases IoT devices (cameras and routers of different manufacturers).
Connection attempts by Mirai-infected devices in search of IoT devices using default passwords
Here is a list of the login and password pairs most often used by Mirai bots in connection attempts ("login:password" combinations):
1. admin:admin
2. root:xc3511
3. root:vizxv
4. root:juantech
5. root:default
6. admin:admin1234
7. root:password
8. root:root
9. root:xmhdipc
10. admin:smcadmin
If you ignore trivial combinations like “root:root” or “admin:admin”, you can get a good idea of which equipment the botnet is looking for. For example, the pairs “root:xc3511” and “root:vizxv” are default accounts for IP cameras made by rather large Chinese manufacturers.
Admin panel for managing an IP camera that is part of the botnet
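As an added example (editorial code, not Kaspersky's), here is the kind of summary one would run over the connection log of the exposed telnet listener described above: it parses one attempt per line, counts login:password pairs and distinct sources, and flags pairs that appear in the top-ten table from the post, ignoring the two trivial ones (root:root, admin:admin) that say nothing about Mirai specifically. The log format and the lines are constructed, with TEST-NET source addresses; one pair that is not in the post's table (ubnt:ubnt) is included to show that it is counted but not flagged.

```python
"""Added example (not from the post): summarise telnet brute-force attempts.

Input is one line per login attempt from a telnet listener. The line format
and the sample lines are constructed for this example; the credential pairs
flagged as Mirai are the ten from the table in the post.
"""
import re
from collections import Counter

# The post's top-ten table of pairs tried by Mirai bots.
MIRAI_TOP10 = {
    ("admin", "admin"), ("root", "xc3511"), ("root", "vizxv"),
    ("root", "juantech"), ("root", "default"), ("admin", "admin1234"),
    ("root", "password"), ("root", "root"), ("root", "xmhdipc"),
    ("admin", "smcadmin"),
}
# Too generic to attribute an attempt to Mirai on their own.
TRIVIAL = {("root", "root"), ("admin", "admin")}

# Constructed listener line format: "<timestamp> <src-ip> login=<user> pass=<password>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) login=(?P<user>\S*) pass=(?P<pw>\S*)$"
)


def parse_attempts(lines):
    """Yield (timestamp, source_ip, user, password); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["src"], m["user"], m["pw"]


def summarise(lines):
    """Count credential pairs and sources and flag pairs from the Mirai list."""
    pair_counts = Counter()
    sources = set()
    for _ts, src, user, pw in parse_attempts(lines):
        pair_counts[(user, pw)] += 1
        sources.add(src)
    mirai_hits = {
        pair: n for pair, n in pair_counts.items()
        if pair in MIRAI_TOP10 and pair not in TRIVIAL
    }
    return {
        "attempts": sum(pair_counts.values()),
        "sources": len(sources),
        "top": pair_counts.most_common(3),
        "mirai_hits": mirai_hits,
        "likely_mirai": bool(mirai_hits),
    }


# Constructed listener output (TEST-NET source addresses), not real telemetry.
SAMPLE_LOG = """\
2016-12-13T00:00:12Z 198.51.100.17 login=root pass=xc3511
2016-12-13T00:00:13Z 198.51.100.17 login=root pass=vizxv
2016-12-13T00:00:40Z 203.0.113.9 login=admin pass=admin
2016-12-13T00:01:02Z 203.0.113.9 login=root pass=xc3511
2016-12-13T00:01:30Z 192.0.2.77 login=ubnt pass=ubnt
malformed line that the parser must ignore
2016-12-13T00:02:01Z 192.0.2.77 login=root pass=xc3511
""".splitlines()

if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print("%d attempts from %d sources" % (report["attempts"], report["sources"]))
    for (user, pw), n in report["top"]:
        tag = "MIRAI" if (user, pw) in report["mirai_hits"] else ""
        print("%4d  %s:%s  %s" % (n, user, pw, tag))
```

Counting pairs rather than raw connections is what makes the per-day figures in the post comparable over time: a single scanner retrying the same dictionary inflates connection counts, while the set of distinct pairs and distinct sources tracks the botnet's dictionary and population.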
As for the activity of the botnet itself, you can analyze the number of login attempts over 24 hours and see for yourself. On December 13, 2016 we recorded 5,553 attempts by Mirai bots to connect to our server, while 10 days earlier, on December 3, 2016, we had recorded 8,689 connection attempts. Does this mean the botnet is losing power? Reduced scanning for new potential bots might indicate that the rate at which Mirai is infecting new devices is falling, but it is too early to draw conclusions.
How to Avoid Becoming Part of the Mirai Botnet
We recommend the following measures to prevent your devices from being included in the Mirai botnet:
- Change the default account parameters on each of your devices. Account passwords should be at least 8 characters long and include digits, upper-case letters and special characters.
- On each device, install the latest updates provided by the manufacturer.
- It is a good idea to block all potential entry points to the operating system on your devices (telnet/SSH/web panel, etc.) from being accessed over the Internet.
More details about the Mirai botnet are available to subscribers of Kaspersky Intelligence Services reports. For more information, contact Kaspersky Intelligence Services.
Hacks in Taiwan Conference (HITCON) Pacific 2016 was held in Taipei, Taiwan from the 27th of November to the 3rd of December this year. The theme of the event was "The Fifth Domain: Cyber | Homeland Security". HITCON Pacific 2016 is a more formal event than HITCON Community 2016, which we attended last summer.
More than 500 participants from around the world attended the event, which included technical trainings, a security conference and a capture the flag (CTF) competition. We met many highly skilled malware analysts, incident responders, security researchers and professionals at this event to discuss some of the most recent topics in the field of cybersecurity: ransomware, ATM hacking, IoT security, machine learning and targeted attacks. Based on our experience, this event is one of the brightest international security conferences in the Asia-Pacific region. One of the organizers, Mr. Sung-ting Tsai, opened the conference with the following words: "HITCON is not only running community and technical topics, in HITCON Pacific we are also concerned about the strategic and operational issues. HITCON Pacific is providing an international platform to connect and collaborate with enterprises, governments, vendors and security experts, especially in Asia Pacific region."
The conference has been recognized by the local government. One of the most honorable keynote speakers of this event was the president of Taiwan, Tsai Ing-wen (蔡英文). To our knowledge it is the first time ever that a president of a country or region has given the opening speech at an information security conference. Such special attention from the president reflects the Taiwanese government's concern about improving cybersecurity in Taiwan and the whole Asia Pacific region. She said during her keynote speech: "The spirit of hacking culture is in stepping out of tradition and fighting against the present situation. Governmental organizations need such spirit to cultivate innovation".
Two speakers from Global Research and Analysis Team (GReAT) of Kaspersky Lab also presented on the same stage: Vitaly Kamluk and Suguru Ishimaru (that’s me).
Vitaly talked about YARA techniques with some of the most remarkable stories, including finding 0-day exploits in Microsoft Silverlight. Surprisingly for the organizers and the audience, Vitaly presented with zero slides during his 40-minute talk. All the content he showed was YARA output in a terminal session, which looked like a live demo but with nice ASCII art and dynamic transition effects. His presentation style was very innovative and widely discussed after his speech.
I attended the HITCON Community conference earlier this year and liked it so much that I decided to come again as a speaker. Needless to say, it was challenging for me, because I had never presented on such a large stage outside of Japan before. Also, I had to present in English, which is not my native language and isn't my strongest skill.
I talked about malware discovered in targeted attacks focused on Taiwan and Japan. My talk was titled "Why corrupted samples in recent APTs?". The talk covered some of the new techniques that were used to prevent automated malware analysis, resulting in the samples being erroneously marked as corrupted. I showed a live demo of such samples, which would cause a system exception on any system except the victim's.
We had a chance to attend many other great talks by security researchers. Some of the talks we liked included: Ryan Olson from Palo Alto Networks, who talked about "Target Identification through Decoy File Analysis", Takahiro Haruyama from Symantec, who made a presentation about "Winnti Polymorphism", Kyoung-Ju Kwak from the Financial Security Institute, with his talk "Fly me to the BLACKMOON", and Philippe Lin and Ricky Chou from Trend Micro, who talked about "Experience of Microsoft Malware Classification Challenge". You can download the slides and agenda from the official website of HITCON Pacific 2016.
In conclusion, HITCON Pacific 2016 was a fantastic event and I definitely recommend it to everyone who would like to explore the cybersecurity arena in Asia Pacific. The organizers kindly offered free simultaneous translation from and to Chinese, which built a unique bridge between the rather closed Chinese-speaking security community and the rest of the world. For me personally this was a very meditative experience: my first challenge of presenting at an international conference in English, and the honor of meeting the president and delivering a talk on the same stage.
Many mobile bankers can block a device in order to extort money from its user. But we have discovered a modification of the mobile banking Trojan Trojan-Banker.AndroidOS.Faketoken that went even further – it can encrypt user data. In addition to that, this modification is attacking more than 2,000 financial apps around the world.
We have managed to detect several thousand Faketoken installation packages capable of encrypting data, the earliest of which dates back to July 2016. According to our information, the number of this banker’s victims exceeds 16,000 users in 27 countries, with most located in Russia, Ukraine, Germany and Thailand.
Trojan-Banker.AndroidOS.Faketoken is distributed under the guise of various programs and games, often imitating Adobe Flash Player.
Preparing the groundwork
The Trojan is capable of interacting with protection mechanisms in the operating system. For example, it requests the right to overlay other apps or the right to be the default SMS application. This allows Faketoken to steal user data even on the latest versions of Android.
Once the Trojan becomes active, it requests device administrator rights. If the user denies the request, Faketoken repeatedly refreshes the window asking for these rights, which leaves the victim with little choice.
The Trojan imitating “Yandex.Navigator” to request administrator rights
Once it has received administrator rights, Faketoken starts requesting the necessary permissions: to access the user’s text messages, files and contacts, to send text messages and make calls. These requests will also be repeatedly displayed until the user agrees to provide access.
The Trojan then requests the right to display its windows on top of other applications. This is necessary to block the device and steal user data by displaying phishing pages.
The Trojan requesting the right to display its windows on top of other applications
The final request at the preparatory stage is for the right to be the default SMS application; this allows Faketoken to covertly steal text messages on the latest versions of Android. The Trojan implements the basic functions the user needs to keep working with SMS. However, on some Android devices and versions, when the user attempts to send an SMS via Faketoken it returns an error. As a result, the user cannot send SMS messages until they manually change the SMS application. The Trojan doesn't like that, and will start requesting the right again.
Manipulations with application shortcuts can also be added to the preparatory stage. After launching, Faketoken starts downloading an archive containing file icons of several applications (the version being analyzed here has eight) related to social networks, instant messengers and browsers. Then it tries to delete the previous shortcuts to these applications and create new ones.
On the test devices the Trojan failed to remove the previous shortcuts which eventually led to the appearance of duplicates
It is not clear why it does this, because the shortcuts created by Faketoken lead to the original applications.
Data theft
Once the shortcuts are installed, the next stage of the Trojan’s work begins – the theft of user data. Faketoken downloads a database from the server containing phrases in 77 languages for different device localizations.
Screenshot of the database with phrases in different languages
Using these or other phrases from the database, depending on the operating system language, the Trojan will show the user various phishing messages.
Examples of phishing messages displayed by the Trojan
If the user clicks on the message, the Trojan opens a phishing page designed to steal passwords from Gmail accounts. In addition to that, the Trojan overlays the original Gmail application with this page for the same purpose – to steal the password.
Phishing page imitating the login page of the Gmail mail service
However, the Trojan doesn’t limit itself to Gmail. Like most modern mobile Trojans, Faketoken overlays the original Google Play app with its phishing window to steal the victim’s bank card details.
Phishing page used by the Trojan to steal credit card details
The Trojan can also get the list of applications for attack and an HTML template page to generate phishing pages for the attacked applications from the C&C server. In our case, Faketoken received a list of 2,249 financial applications from around the world.
Example of the Trojan’s phishing pages designed for different applications
It should be noted that the Trojan exposes some of its own methods to the HTML page it receives from the C&C server, so the page's script can call them. As a result, in addition to the phishing functionality, the pages described above can obtain certain information about the device, including the address of the Gmail account, and, even worse, reset the device to factory settings.
What’s more, Faketoken can perform the following actions upon command from the C&C server:
- Change masks to intercept incoming text messages;
- Send text messages to a specified number with a specified text;
- Send text messages with a specified text to a specified list of recipients;
- Send a specified text message to all contacts;
- Upload all text messages from the device to the malicious server;
- Upload all the contacts from the device to the malicious server;
- Upload the list of installed applications to the malicious server;
- Reset the device to factory settings;
- Make a call to a specified number;
- Download a file to the device following a specified link;
- Remove specified applications;
- Create a notification on the phone to open a specified page or run a specified application;
- Start overlaying specified applications with a specified phishing window;
- Open a specified link in its own window;
- Run an application;
- Block the device in order to extort money for unblocking it. This command may include an option indicating the need to encrypt files.
As mentioned above, the ransomware functionality in mobile banking Trojans is now commonplace, after being pioneered by Svpeng in early 2014. However, the new Faketoken version can not only extort money by blocking the screen but also by encrypting user files.
Screenshot of the Trojan code that renames and then encrypts files.
Once the relevant command is received, the Trojan compiles a list of files located on the device (external memory, memory card) corresponding to the given list of 89 extensions and encrypts them. The AES symmetric encryption algorithm is used, which leaves the user with a chance of decrypting files without paying a ransom. The Trojan receives the encryption key and the initialization vector from the C&C server. The encrypted files include both media files (pictures, music, videos) and documents. The Trojan changes the extension of the encrypted files to .cat.
In conclusion, we would like to note that file encryption is not that popular with the developers of mobile ransomware (at least currently), which may be because most files stored on a mobile device are copied to the cloud. In other words, demanding a ransom in return for decrypting them is pointless.
If they were asked to sum up 2016 in a single word, many people around the world – particularly those in Europe and the US – might choose the word ‘unpredictable’. On the face of it, the same could apply to cyberthreats in 2016: the massive botnets of connected devices that paralysed much of the Internet in October; the relentless hacking of high profile websites and data dumps; the SWIFT-enabled bank heists that stole billions of dollars, and more. However, many of these incidents had in fact been predicted, sometimes years ago, by the IT security industry, and the best word for them is probably ‘inevitable’.
For cyberthreats, 2016 was the year when “sooner or later” became “now” #KLReportTweet
Most of all, in 2016, ransomware continued its relentless march across the world – with more new malware families, more modifications, more attacks and more victims. However, there are rays of hope, including the new, collaborative No More Ransom initiative. Kaspersky Lab has designated the revolution in ransomware its Story of the Year for 2016 and you can read more about its evolution and impact here.
Elsewhere on the cybersecurity landscape, targeted cyberespionage attacks, financial theft, ‘hacktivism’ and vulnerable networks of connected devices all played their part in what has been a tense and turbulent year.
This review also considers what these threats mean to organisations trying to spot a breach or cyberattack. How ready are businesses to proactively prevent and mitigate a cyberthreat? What can be done to help them?
Six things we learned this year that we didn’t know before
1. That the underground economy is more sophisticated and bigger than ever: xDedic – the shady marketplace
In May, we uncovered a large, active cybercriminal trading platform, called xDedic. xDedic listed and facilitated the buying and selling of hacked server credentials. Around 70,000 compromised servers were on offer – although later evidence suggests that there could have been as many as 176,000 – located in organisations around the world. In most cases, the legitimate owners had no idea that one of their servers, humming away in a back room or data center, had been hijacked and was being passed from criminal to criminal.
xDedic is not the first underground marketplace, but it is evidence of the growing complexity and sophistication of the black market economic ecosystem.
“xDedic is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors.”
GReAT
2. That the biggest financial heist did not involve a stock exchange: the SWIFT-enabled transfers
One of the most serious attacks in 2016 was that using the inter-bank network, SWIFT (Society for Worldwide Interbank Financial Telecommunication). In February 2016, hackers used the SWIFT credentials of Bangladesh Central Bank employees to send fraudulent transaction requests to the Federal Reserve Bank of New York, asking it to transfer millions of dollars to various bank accounts in Asia. The hackers were able to get $81 million transferred to the Rizal Commercial Banking Corporation in the Philippines and an additional $20 million to Pan Asia Banking. The campaign was cut short when the bank spotted a typo in one of the transfer requests. You can read the story here. In the following months, further bank attacks using SWIFT credentials came to light.
Following the theft of $100 million many banks were forced to improve their authentication and SWIFT software update procedures #KLReportTweet
3. That critical infrastructure is worryingly vulnerable: the BlackEnergy attacks
BlackEnergy deserves a place in this list even though, strictly speaking, it took place at the end of 2015. However, it was only in early 2016 that the full effect of the BlackEnergy cyber-attack on the Ukrainian energy sector became clear. The attack was unique in terms of the damage it caused. This included disabling the power distribution system in Western Ukraine, wiping software on targeted systems and unleashing a Distributed Denial of Service (DDoS) attack on the technical support services of affected companies. Kaspersky Lab has supported the investigation into BlackEnergy since 2010, with among other things, an analysis of the tool used to penetrate the target systems. You can find our 2016 report here.
The BlackEnergy cyberattack on the Ukrainian energy sector revealed the vulnerability of critical infrastructures worldwide #KLReportTweet
To help organizations working with industrial control systems (ICS) to identify possible points of weakness, Kaspersky Lab experts have conducted an investigation into ICS threats. Their findings are published in the Industrial Control Systems Threat Landscape report.
4. That a targeted attack can have no pattern: the ProjectSauron APT
In 2016 we discovered the ProjectSauron APT: a likely nation-state backed cyberespionage group that has been stealing confidential data from organisations in Russia, Iran and Rwanda – and probably other countries – since June 2011. Our analysis uncovered some remarkable features: for example, the group adopted innovative techniques from other major APTs, improving on their tactics in order to remain undiscovered. Most importantly of all: tools are customized for each given target, reducing their value as Indicators of Compromise (IoCs) for any other victim. An overview of the methods available to deal with such a complex threat can be found here.
ProjectSauron’s pattern-less spying platform has far-reaching implications for some basic principles of threat detection #KLReportTweet
5. That the online release of vast volumes of data can be an influential tactic: ShadowBrokers and other data dumps
2016 saw a number of remarkable online data dumps. The most famous is probably that by a group calling itself the ShadowBrokers. On August 13, they appeared online claiming to possess files belonging to the ultimate APT predator, the Equation Group. Our research suggests there are similarities between the data dumped by ShadowBrokers and that used by the Equation Group. The initial data dump included a number of unreported zero-days, and there have been further dumps in recent months. The long-term impact of all this activity is unknown, but it has already revealed the huge and rather worrying influence such data dumps can potentially have on public opinion and debate.
In 2016 we also witnessed data breaches at beautifulpeople.com, Tumblr, the nulled.io hacker forum, Kiddicare, VK.com, Sage, the official forum of DotA 2, Yahoo, Brazzers, Weebly and Tesco Bank – for motives ranging from financial gain to personal reputation blackmail.
A LinkedIn hack made public in 2016 revealed over a million uses of the password ‘123456’. #KLReportTweet
6. That a camera could be part of a global cyber-army: the insecure Internet of Things
Connected devices and systems, from homes and vehicles to hospitals and smart cities, exist to make our lives safer and easier. However, many were designed and manufactured without much thought for security – and sold to people who underestimated the need to protect them with more than default factory security settings.
The risk of connecting everything without proper safeguards – after 2016, need we say more? #KLReportTweet
As the world now knows, all these millions of insecure connected devices represent a powerful temptation to cybercriminals. In October, attackers used a botnet of over half a million internet-connected home devices to launch a DDoS attack against Dyn – a company that provides DNS services to Twitter, Amazon, PayPal, Netflix and others. The world was shocked, but warnings about unstable IoT security have been around for a long time.
For example, in February, we showed how easy it was to find a hospital, gain access to its internal network and take control of an MRI device – locating personal data about patients and their treatment procedures and obtaining access to the MRI device file system. In April, we published the results of our research into, among other things, the vulnerability of city traffic sensors and smart ticket terminals.
Manufacturers need to work with the security industry to implement ‘security-by-design’ #KLReportTweet
Other top threats
Inventive APTs
At least 33 countries were targeted by APTs reported on by Kaspersky Lab #KLReportTweet
In February, we reported on Operation Blockbuster, a joint investigation by several major IT security companies into the activities of the Lazarus gang, a highly malicious entity responsible for data destruction.
The Lazarus group is believed to have been behind the attack on Sony Pictures Entertainment in 2014 #KLReportTweet
Adwind is a cross-platform, multi-functional RAT (Remote Access Tool) distributed openly as a paid service, where the customer pays a fee in return for use of the malicious software. It holds the dubious distinction of being one of the biggest malware platforms currently in existence, with around 1,800 customers in the system by the end of 2015.
Adwind’s malware-for-rent had a customer base of 1,800 #KLReportTweet
APTs everywhere continued to make the most of the fact that not everyone promptly installs new software updates – in May we reported that at least six different groups across the Asia-Pacific and Far East regions, including the newly discovered Danti and SVCMONDR groups, were exploiting the CVE-2015-2545 vulnerability. This flaw enables an attacker to execute arbitrary code using a specially-crafted EPS image file. A patch for the vulnerability was issued back in 2015.
Over six APT groups used the same vulnerability – patched back in 2015 #KLReportTweet
New zero-days
Zero-days remained a top prize for many targeted attackers.
In June, we reported on a cyber-espionage campaign launched by a group named ScarCruft and code-named Operation Daybreak, which was using a previously unknown Adobe Flash Player exploit (CVE-2016-1010). Then in September we discovered a Windows zero-day, CVE-2016-3393, being used by a threat actor known as FruityArmor to mount targeted attacks.
In all, new Kaspersky Lab technologies designed to identify and block such vulnerabilities helped us to uncover four zero-days in 2016. The other two are an Adobe Flash vulnerability, CVE-2016-4171, and a Windows EoP (Escalation of Privilege) exploit, CVE-2016-0165.
The hunt for financial gain
Tricking people into either disclosing personal information or installing malware that then seizes the details for their online bank account remained a popular and successful option for cyber-thieves in 2016. Kaspersky Lab solutions blocked attempts to launch such malware on 2,871,965 devices. The share of attacks targeting Android devices increased more than four-fold.
A third of banking malware attacks now target Android devices #KLReportTweet
Some APT groups were also more interested in financial gain than cyberespionage. For example, the group behind Metel infiltrated the corporate network of banks in order to automate the roll-back of ATM transactions: gang members could then use debit cards to repeatedly steal money from ATMs without ever affecting the balance on the card. At the end of 2016 this group remains active.
Metel launched targeted attacks on banks – then sent teams to ATMs at night to withdraw the cash #KLReportTweet
In June, Kaspersky Lab supported the Russian police in their investigation into the Lurk gang. The collaboration resulted in the arrest of 50 suspects allegedly involved in creating networks of infected computers and the theft of more than 45 million dollars from local banks, other financial institutions and commercial organizations.
During the investigation, researchers spotted that users attacked by Lurk had the remote administration software Ammyy Admin installed on their computers. This led to the discovery that the official Ammyy Admin website had most probably been compromised, with the Trojan downloaded to users’ computers along with the legitimate Ammyy Admin software.
The takedown of the Lurk gang was the largest ever arrest of hackers in Russia #KLReportTweet
The ultimate vulnerability: people
2016 also revealed that targeted attack campaigns don’t always need to be technically advanced in order to be successful. Human beings – from hapless employees to malicious insiders – often remained the easiest access route for attackers and their tools.
In July, we reported on a group called Dropping Elephant (also known as ‘Chinastrats’ and ‘Patchwork’). Using high quality social engineering combined with old exploit code and some PowerShell-based malware, the group was able to successfully steal sensitive data from high-profile diplomatic and economic organisations linked to China’s foreign relations.
Dropping Elephant and Operation Ghoul confirmed the fearsome power of high quality social engineering #KLReportTweet
Further, Operation Ghoul sent spear-phishing e-mails that appeared to come from a bank in the UAE to top and middle level managers of numerous companies. The messages claimed to offer payment advice from the bank and attached a look-alike SWIFT document containing malware.
“Cybercriminals are using insiders to gain access to telecommunications networks and subscriber data, recruiting disaffected employees through underground channels or blackmailing staff using compromising information gathered from open sources.”
Threat Intelligence Report for the Telecommunications Industry
Mobile advertising
The main mobile threats in 2016 were advertising Trojans able to obtain ‘root’ or superuser rights on an infected Android device – a level of access that allowed them to do pretty much whatever they wanted. This included hiding in the system folder, thereby making themselves almost impossible to delete, and silently installing and launching different apps that aggressively display advertising. They can even buy new apps from Google Play.
22 of the 30 most popular Trojans in 2016 are advertising Trojans – twice as many as in 2015 #KLReportTweet
Many such Trojans were distributed through the Google Play Store: some of them were installed more than 100,000 times, and one – an infected Pokemon GO Guide app was installed more than 500,000 times.
Malware distributed through Google Play was downloaded hundreds of thousands of times #KLReportTweet
One Android Trojan was installed and even updated as a ‘clean’ (malware-free) app before hitting targets with an infected version. Others, including Svpeng, used the Google AdSense advertising network for distribution.
Further, some Trojans found new ways to bypass Android security features – in particular the screen overlays and the need to request permission before opening a new app – forcing the user to sign over the access rights the Trojan was looking for.
Mobile ransomware also evolved to make use of overlays, blocking rather than encrypting data since this is generally backed-up.
To read more on these stories, please download the full annual Review for 2016 here.
For an in-depth look at the Statistics for 2016, please register to download the Statistics report here.
The Kaspersky Security Bulletin 2016 highlights the rise of complex and damaging cybersecurity threats, many of which have a far-reaching impact on businesses. This impact is also reflected in our Corporate IT Security Risks Reports (1, 2) based on a 2016 survey of more than 4000 businesses worldwide.
Among other things, the survey asked companies about the most crucial metric of incident detection and response: time.
Incident detection time is critical
Previously unreleased findings from the research show that the typical time required to detect an IT Security event is several days – 28.7% of companies said it took them that long to detect a security breach on average.
Time required to detect an IT security event
Only 8.2% of businesses managed to detect security breaches almost instantly, and for 19.1% of businesses it took several weeks to detect a serious security event. When we asked how they eventually detected a long-standing breach, the replies were revealing.
Going beyond prevention
Average time frame required to detect a security event, across all security events
within the last 12 months
In this chart we combine the average time to discover a security event with the responses we received on how businesses detected a breach. Apparently, businesses that struggle to detect a breach quickly, eventually spot them through one or more of the following: an external or internal security audit, or, sadly, notification from a third party.
It turns out that for these businesses a security audit of any kind is the best measure of ‘last resort’ to finally bring it to light. But should it be only a last resort?
This is where our report detects an obvious discrepancy between theory and practice. Although 65% of businesses admit that a security audit is an effective security measure, less than half of the companies surveyed (48%) have conducted such an audit in the last 12 months. Further, 52% of companies operate under the assumption that their IT security will inevitably be compromised at some point, although 48% are not ready to accept this. In short: many businesses find a structured detection and response strategy difficult to embrace.
The cost of delay
It is safe to assume that the longer it takes to detect a security breach, the higher the mitigation costs and the greater the potential damage. The results reveal the shocking truth that failure to discover an attack within a few days results in a doubling, or more, of the costs.
Cost of recovery vs. time needed to discover a security breach for enterprises
For enterprises, an attack undiscovered for a week or more costs 2.77 times that of a breach detected almost instantly. SMBs end up paying 3.8 times more to recover from an incident detected too late.
It is clear that better detection significantly reduces business costs. But the implementation of incident detection and response strategies is quite different from ensuring proper prevention. The latter provides a choice of well-established corporate solutions. The former requires security intelligence, a deep knowledge of the threat landscape, and security talent capable of applying that expertise to the unique specifics of a company. According to our special Corporate IT Security Risks report, businesses that struggle to attract security experts end up paying twice as much for their recovery after an incident.
Kaspersky Lab’s solution: turning intelligence into protection
In 2016 Kaspersky Lab significantly expanded its portfolio with products like Kaspersky Anti-Targeted Attack Platform and security services like Penetration Testing and Threat Data Feeds, all to help meet customer needs for better detection and response. Our plan is to offer security intelligence via any means necessary: with a technology to detect targeted threats, a service to analyze and respond to a security event, and intelligence that helps investigate an issue properly.
We appreciate that, for many businesses, going beyond prevention is a challenge. But even a single targeted attack that is detected early and mitigated rapidly is worth the investment – and increases the chances that the next assault on the corporate infrastructure is prevented outright.
On 28 October, the cryptocurrency world saw the emergence of a new player, the Zcash (ZEC) cryptocurrency. Its developers have described it rather figuratively: “If Bitcoin is like HTTP for money, Zcash is HTTPS.” They continue by noting that “unlike Bitcoin, Zcash transactions can be shielded to hide the sender, the recipient and value of all transactions.”
The cryptocurrency market has been looking for this level of anonymity for a while now, so ZEC has attracted considerable interest from investors, miners and cybercriminals alike. Several major cryptocurrency exchanges were quick to offer support for the new currency.
Zcash got off to a flying start; within the first few hours, 1 ZEC reached $30,000. It should be pointed out, however, that there were only a few dozen coins in existence at that time, so the actual turnover was very low.
In the following days, ZEC’s value steadily declined against Bitcoin. At the time of writing, it had leveled out temporarily at 0.07 – 0.01 ZEC/BTC (around $70). Despite this dramatic drop from the initial values (which was anticipated), Zcash mining remains among the most profitable compared to other cryptocurrencies.
Ranking of cryptocurrency mining profitability, as reported by the CoinWarz website
This has led to the revival of a particular type of cybercriminal activity – the creation of botnets for mining. A few years ago, botnets were created for bitcoin mining, but the business all but died out after it became only marginally profitable.
In November, we recorded several incidents where Zcash mining software was installed on users’ computers without permission. Because these software programs are not malicious in themselves, most anti-malware programs do not react to them, or detect them as potentially unwanted programs (PUP). Kaspersky Lab products detect them as not-a-virus:RiskTool.Win64.BitCoinMiner.
Cybercriminals use rather conventional ways to distribute mining software – they are installed under the guise of other legitimate programs, such as pirated software distributed via torrents. So far, we have not seen any cases of mass-mailings or vulnerabilities in websites being exploited to distribute mining software; however, provided mining remains as profitable as it is now, this is only a matter of time. The software can also be installed on computers that were infected earlier and became part of a for-rent botnet.
The most popular mining software to date is nheqminer from the mining pool Micemash. It has two known variations: one earns payments in bitcoins, the other in Zcash. Both are detected by Kaspersky Lab products, with the respective verdicts not-a-virus:RiskTool.Win64.BitCoinMiner.bez and not-a-virus:RiskTool.Win64.BitCoinMiner.bfa.
All that cybercriminals need to do to start profiting from a mining program on infected computers is to launch it and provide details of their own bitcoin or Zcash wallets. After that, the “coin mining” profit created by the pool will be credited to the cybercriminals’ addresses, from where it can be withdrawn and exchanged for US dollars or other cryptocurrencies. This is what allows us to ‘snoop’ on some of the wallets used by cybercriminals. Here’s just one example:
Using a wallet’s address, we can find out how much money arrived and from which source (i.e. the mining pool) (https://explorer.zcha.in/accounts/t1eVeeBYfPPLgonvi1zk8e9SnrhZdoCBAeM)
We see that the address was created on 31 October, just a couple of days after Zcash launched, and payments are still being made to it at the current time. You may be wondering what happened to the promised anonymity. Actually, there are two types of wallets in Zcash: completely private purses (z-address) and public wallets like that shown above (t-address). At the current time, the completely private wallets are not very popular (they are not supported by exchanges), and are only used to store around 1% of all existing Zcash coins.
We found approximately 1,000 unique users who have some version of the Zcash miner installed on their computers under a different name, which suggests these computers were infected without their owners’ knowledge. An average computer can mine about 20 hashes per second; a thousand infected computers can mine about 20,000 hashes a second. At current prices, that equals about $6,200 a month, or $75,000 a year in net profits.
Here are just a few real-life examples of the names used by these programs and where they are installed on infected computers:
C:\Program Files\Common Files\nheqminer64.exe
As you can see, the names of many mining programs coincide with those of legitimate applications, but the installation location is different. For instance, the legitimate Windows Task Manager app (taskmngr.exe) should be located in the system folder C:\Windows\System32 and not in C:\system.
To ensure that the mining program is launched each time the operating system starts, the necessary records are added either to Task Scheduler or to the registry auto-run keys. Here are some examples of these records:
Task Scheduler\Microsoft\Windows Defender\Mine
A couple of detected websites distributing mining programs:
Additional DLLs are required for the mining program to work. These DLLs, shown below, are installed along with the mining program.
So, what are the threats facing a user who is unaware that their computer is being used for cryptocurrency mining?
Firstly, these operations are power hungry: the computer uses up a lot more electricity, which, in some countries, could mean the user ends up with a hefty electricity bill.
Secondly, a mining program typically devours up to 90% of the system’s RAM, which dramatically slows down both the operating system and other applications running on the computer. Not exactly what you want from your computer.
To prevent the installation of mining programs, Kaspersky Lab users should check their security products and make sure detection of unwanted software is enabled.
All other users are encouraged, at the very least, to check their folders and registry keys for suspicious files and records.
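The kind of check the post recommends, turned into code: a triage routine that flags executables named like Windows system binaries but installed outside the system directories (the taskmngr.exe-in-C:\system case above), executables with known miner names, and autorun or scheduled-task entries that launch either. This is an added example, not Kaspersky Lab code; it runs over a constructed inventory of paths and persistence entries rather than a live host, and the list of system binary names and the miner name pattern are assumptions to extend for your own environment.

```python
"""Triage a host inventory for masquerading miners and their persistence.

Added example (not from the original post). Input is a constructed list of
executable paths plus a dict of persistence entries (registry Run value or
scheduled task name -> command path), as one would export from a host.
"""
import ntpath
import re

# Well-known Windows system binaries that are often impersonated (assumed list).
SYSTEM_BINARIES = {"taskmgr.exe", "svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe"}
# Directories in which those binaries legitimately live (lower-case, no trailing slash).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")
# Miner program names taken from the post (nheqminer) plus obvious variants (assumed).
MINER_NAME_RE = re.compile(r"nheqminer|bitcoinminer|zcash", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats (taskmngr vs taskmgr)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_system_name(name):
    """True if the file name is a system binary name or one edit away from one."""
    if name in SYSTEM_BINARIES:
        return True
    return any(edit_distance(name, sys_name) == 1 for sys_name in SYSTEM_BINARIES)


def in_system_dir(directory):
    return any(directory == d or directory.startswith(d + "\\") for d in SYSTEM_DIRS)


def classify_binary(path):
    """Return the list of reasons a path is suspicious (empty list if none)."""
    directory, name = ntpath.split(path.strip().strip('"').lower())
    reasons = []
    if MINER_NAME_RE.search(name):
        reasons.append("known miner name")
    if looks_like_system_name(name) and not in_system_dir(directory):
        reasons.append("system-binary name outside system directory")
    return reasons


def triage(binaries, persistence):
    """Map each suspicious path or persistence entry to its reasons."""
    findings = {}
    for path in binaries:
        reasons = classify_binary(path)
        if reasons:
            findings[path] = reasons
    for entry, command in persistence.items():
        reasons = classify_binary(command)
        if reasons:
            findings[entry] = reasons + ["persistence entry launches flagged binary"]
    return findings


# Constructed inventory; the two flagged paths and the task name come from the post.
SAMPLE_BINARIES = [
    r"C:\Windows\System32\taskmgr.exe",                # legitimate Task Manager
    r"C:\system\taskmngr.exe",                         # miner named like Task Manager, wrong folder
    r"C:\Program Files\Common Files\nheqminer64.exe",  # miner under its own name
    r"C:\Program Files\Notepad++\notepad++.exe",       # legitimate third-party app
]
SAMPLE_PERSISTENCE = {
    r"Task Scheduler\Microsoft\Windows Defender\Mine": r"C:\system\taskmngr.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}

if __name__ == "__main__":
    for item, reasons in triage(SAMPLE_BINARIES, SAMPLE_PERSISTENCE).items():
        print(item, "->", "; ".join(reasons))
```

On a real host the inventory would come from a process listing, the Run/RunOnce keys and the Task Scheduler library; the path rule is deliberately strict (exact system directories only), so anything it flags deserves a look at the file's signature and hash.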
In 2016, ransomware continued its rampage across the world, tightening its hold on data and devices, and on individuals and businesses.
- 62 new ransomware families made their appearance.
- There was an 11-fold increase in the number of ransomware modifications: from 2,900 new modifications in January/March, to 32,091 in July/September.
- Attacks on business increased three-fold between January and the end of September: the difference between an attack every 2 minutes and one every 40 seconds.
- For individuals the rate of increase went from every 20 seconds to every 10 seconds.
- One in five small and medium-sized businesses that paid the ransom never got their data back.
2016 also saw ransomware grow in sophistication and diversity, for example: changing tack if it encountered financial software, written in scripting languages, exploiting new infection paths, becoming more targeted, and offering turn-key ransomware-as-a-service solutions to those with fewer skills, resources or time – all through a growing and increasingly efficient underground ecosystem.
At the same time, 2016 saw the world begin to unite to fight back:
The No More Ransom project was launched in July, bringing together the Dutch National Police, Europol, Intel Security and Kaspersky Lab. A further 13 organizations joined in October. Among other things, the collaboration has resulted in a number of free online decryption tools that have so far helped thousands of ransomware victims to recover their data.
This is just the tip of the iceberg – much remains to be done. Together we can achieve far more than any of us can on our own.
What is ransomware?
Ransomware comes in two forms. The most common form of ransomware is the cryptor. These programs encrypt data on the victim’s device and demand money in return for a promise to restore the data. Blockers, by contrast, don’t affect the data stored on the device. Instead, they prevent the victim from accessing the device. The ransom demand, displayed across the screen, typically masquerades as a notice from a law enforcement agency, reporting that the victim has accessed illegal web content and indicating that they must pay a spot-fine. You can find an overview of both forms of ransomware here.
Ransomware: the main trends & discoveries of 2016
“Most ransomware thrives on an unlikely relationship of trust between the victim and their attacker: that, once payment is received, the ransomed files will be returned. Cybercriminals have exhibited a surprising semblance of professionalism in fulfilling this promise.”
GReAT, Threat Predictions for 2017
Cerber and Locky arrived in the early Spring. Both are nasty, virulent strains of ransomware that are propagated widely, mainly through spam attachments and exploit kits. They rapidly established themselves as ‘major players’, targeting individuals and corporates. Not far behind them was CryptXXX. All three families continue to evolve and to hold the world to ransom alongside well-established incumbents such as CTB-Locker, CryptoWall and Shade.
Locky ransomware has so far been spread across 114 countries #KLReportTweet
As of October 2016, the top ransomware families detected by Kaspersky Lab products look like this:

#  | Name                              | Verdicts*                                               | Percentage of users**
1  | CTB-Locker                        | Trojan-Ransom.Win32.Onion / Trojan-Ransom.NSIS.Onion    | 25.32
2  | Locky                             | Trojan-Ransom.Win32.Locky / Trojan-Dropper.JS.Locky     | 7.07
3  | TeslaCrypt (active till May 2016) | Trojan-Ransom.Win32.Bitman                              | 6.54
4  | Scatter                           | Trojan-Ransom.Win32.Scatter / Trojan-Dropper.JS.Scatter | 2.85
5  | Cryakl                            | Trojan-Ransom.Win32.Cryakl                              | 2.79
6  | CryptoWall                        | Trojan-Ransom.Win32.Cryptodef                           | 2.36
7  | Shade                             | Trojan-Ransom.Win32.Shade                               | 1.73
8  | (generic verdict)                 | Trojan-Ransom.Win32.Snocry                              | 1.26
9  | Crysis                            | Trojan-Ransom.Win32.Crusis                              | 1.15
10 | Cryrar/ACCDFISA                   | Trojan-Ransom.Win32.Cryrar                              | 0.90
* These statistics are based on the detection verdicts returned by Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Percentage of users targeted by a certain crypto-ransomware family relative to all users targeted with crypto-ransomware.
Probably the biggest surprise of 2016 was the shutdown of TeslaCrypt and the subsequent release of the master key, apparently by the malware actors themselves.
TeslaCrypt “committed suicide” – while the police shut down Encryptor RaaS and Wildfire #KLReportTweet
Encryptor RaaS, one of the first Trojans to offer a Ransomware-as-a-Service model to other criminals, shut up shop after part of its botnet was taken down by the police.
Then, in July, approximately 3,500 keys for the Chimera ransomware were publicly released by someone claiming to be behind the Petya/Mischa ransomware. However, since Petya used some of the Chimera source code for its own ransomware, it could in fact be the same group, simply updating its product suite and causing mischief.
Similarly, Wildfire, whose servers were seized and a decryption key developed following a combined effort by Kaspersky Lab, Intel Security and the Dutch Police, now appears to have re-emerged as Hades.

Abuse of ‘educational’ ransomware
Well-intentioned researchers developed ‘educational’ ransomware to give system administrators a tool to simulate a ransomware attack and test their defenses. Criminals were quick to seize upon these tools for their own malicious purposes.
Ransomware developed for ‘education’ gave rise to Ded Cryptor and Fantom, among others #KLReportTweet
The developer of the educational ransomware Hidden Tear & EDA2 helpfully posted the source code on GitHub. Inevitably, 2016 saw the appearance of numerous malicious Trojans based on this code. This included Ded Cryptor, which changed the wallpaper on a victim computer to a picture of an evil-looking Santa Claus, and demanded a massive two Bitcoins (around $1,300) as a ransom. Another such program was Fantom, which simulated a genuine-looking Windows update screen.

Unconventional approaches
Why bother with a file when you can have the disk?
New approaches to ransomware attacks that were seen for the first time in 2016 included disk encryption, where attackers block access to, or encrypt, all the files at once. Petya is an example of this, scrambling the master index of a user’s hard drive and making a reboot impossible. Another Trojan, Dcryptor, also known as Mamba, went one step further, locking down the entire hard drive. This ransomware is particularly unpleasant, scrambling every disk sector including the operating system, apps, shared files and all personal data – using a copy of the open source DiskCryptor software.
Attackers are now targeting back-ups and hard drives – and brute-forcing passwords #KLReportTweet
The ‘manual’ infection technique
Dcryptor’s infection is carried out manually, with the attackers brute-forcing passwords for remote access to a victim machine. Although not new, this approach became significantly more prominent in 2016, often as a way to target servers and gain entry into a corporate system.
If the attack succeeds, the Trojan installs and encrypts the files on the server and possibly even on all the network shares accessible from it. We discovered TeamXRat taking this approach to spread its ransomware on Brazilian servers.
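The manual technique described above leaves a recognisable trace in logon audit logs: a burst of failed remote logons from one source, followed by a success. This added example (not code from the report) detects that sequence; the record layout (timestamp, source, account, outcome) and the sample records are constructed for illustration.

```python
"""Added example, not code from the Kaspersky report: flag the
brute-force-then-success logon pattern that precedes a manual ransomware
deployment on a server. The record layout (timestamp, source, account,
outcome) and the sample records below are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # failures from one source inside WINDOW
WINDOW = timedelta(minutes=10)

# Constructed remote-logon audit records: 203.0.113.7 guesses the admin
# password and eventually gets in; 198.51.100.4 is an ordinary typo.
SAMPLE_LOG = [
    ("2016-08-01T02:00:01", "203.0.113.7", "administrator", "fail"),
    ("2016-08-01T02:00:03", "203.0.113.7", "administrator", "fail"),
    ("2016-08-01T02:00:05", "203.0.113.7", "administrator", "fail"),
    ("2016-08-01T02:00:07", "203.0.113.7", "administrator", "fail"),
    ("2016-08-01T02:00:09", "203.0.113.7", "administrator", "fail"),
    ("2016-08-01T02:00:11", "203.0.113.7", "administrator", "success"),
    ("2016-08-01T02:05:00", "198.51.100.4", "jsmith", "fail"),
    ("2016-08-01T02:05:20", "198.51.100.4", "jsmith", "success"),
]

def detect_bruteforce(records, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as (source, account, kind) in log order.

    kind == "burst":      at least `threshold` failures from one source
                          within `window` (password guessing in progress)
    kind == "compromise": a later successful logon from a bursting source,
                          the moment a guessed password actually worked
    """
    recent_fails = defaultdict(deque)   # source -> failure timestamps in window
    bursting = set()
    alerts = []
    for ts_str, src, account, outcome in records:
        ts = datetime.fromisoformat(ts_str)
        q = recent_fails[src]
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if outcome == "fail":
            q.append(ts)
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append((src, account, "burst"))
        elif outcome == "success" and src in bursting:
            alerts.append((src, account, "compromise"))
    return alerts
```

The "compromise" alert is the one worth paging on: a success after a burst means the server is now in the attacker's hands and the encryption step described above is likely to follow.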
In August we discovered a sample of Shade that had unexpected functionality: if an infected computer turned out to belong to financial services, it would instead download and install a piece of spyware, possibly with the longer term aim of stealing money.
Shade downloaded spyware if it found financial software #KLReportTweet
Another trend that attracted our attention in 2016 was the growing number of cryptors written in scripting languages. In the third quarter alone, we came across several new families written in Python, including HolyCrypt and CryPy, as well as Stampado written in AutoIt, the automation language.

A long line of amateurs and copycats
Many of the new ransomware Trojans detected in 2016 turned out to be of low quality: unsophisticated, with software flaws and sloppy errors in the ransom notes.
Poor quality ransomware increases likelihood of data being lost forever #KLReportTweet
This was accompanied by a rise in copycat ransomware. Among other things, we spotted that:
- Bart copies the ransom note & the style of Locky’s payment page.
- An AutoIt-based copycat of Locky (dubbed AutoLocky) uses the same extension “.locky”.
- Crusis (aka Crysis) copies the extension “.xtbl” originally used by Shade.
- Xorist copies the whole naming scheme of the files encrypted by Crusis.
These trends are all expected to increase in 2017.
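Because copycats reuse the original family's extension, a hit on “.locky” or “.xtbl” identifies the family only ambiguously. This added example (not code from the report) alerts when one process mass-renames files to one of those extensions and reports every candidate family rather than a single name; the event layout (ts, pid, image, old path, new path) and the sample events are constructed.

```python
"""Added example, not code from the report: alert when one process renames
many files to an extension that the report lists as shared between a family
and its copycats (.locky, .xtbl). The event layout (ts, pid, image, old path,
new path) and the sample events are constructed for illustration."""
import ntpath
from collections import defaultdict

# Extensions named in the report and every family known to use each one.
# Because the copycats reuse them, an extension alone cannot name the family.
EXT_FAMILIES = {
    ".locky": ("Locky", "AutoLocky"),
    ".xtbl": ("Shade", "Crusis/Crysis"),
}
RENAME_THRESHOLD = 3   # renames per process before alerting

# Constructed file-rename events: pid 4242 is encrypting a user's documents,
# pid 900 is an ordinary application saving a file.
SAMPLE_EVENTS = [
    (1, 4242, "updater.exe", r"C:\Users\a\Docs\q1.xlsx", r"C:\Users\a\Docs\q1.xlsx.locky"),
    (2, 900, "winword.exe", r"C:\Users\a\Docs\~tmp.tmp", r"C:\Users\a\Docs\report.docx"),
    (3, 4242, "updater.exe", r"C:\Users\a\Docs\cv.docx", r"C:\Users\a\Docs\cv.docx.locky"),
    (4, 4242, "updater.exe", r"C:\Users\a\Pics\me.jpg", r"C:\Users\a\Pics\me.jpg.locky"),
    (5, 4242, "updater.exe", r"C:\Users\a\Pics\dog.jpg", r"C:\Users\a\Pics\dog.jpg.locky"),
]

def candidate_families(path):
    """Families using the path's extension, or () when it is not a known one."""
    return EXT_FAMILIES.get(ntpath.splitext(path)[1].lower(), ())

def detect_mass_rename(events, threshold=RENAME_THRESHOLD):
    """Return {pid: (image, extension, candidate families)} for every process
    that renamed at least `threshold` files to a known ransomware extension."""
    suspicious = defaultdict(list)   # pid -> extensions it renamed files to
    images = {}
    for _ts, pid, image, _old, new in events:
        if candidate_families(new):
            suspicious[pid].append(ntpath.splitext(new)[1].lower())
            images[pid] = image
    alerts = {}
    for pid, exts in suspicious.items():
        if len(exts) >= threshold:
            ext = max(set(exts), key=exts.count)   # dominant extension
            alerts[pid] = (images[pid], ext, EXT_FAMILIES[ext])
    return alerts
```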
“As the popularity continues to rise and a lesser grade of criminal decides to enter the space, we are likely to encounter more and more ‘ransomware’ that lacks the quality assurance or general coding capability to actually uphold this promise. We expect ‘skiddie’ ransomware to lock away files or system access or simply delete the files, trick the victim into paying the ransom, and provide nothing in return.”
GReAT, Threat Predictions for 2017

The thriving ransomware economy
While Ransomware-as-a-Service is not a new trend, in 2016 this propagation model continued to develop, with ever more ransomware creators offering their malicious product ‘on demand’. This approach has proved immensely appealing to criminals who lack the skills, resources or inclination to develop their own.
Ransomware is increasingly for hire on the criminal underground #KLReportTweet
This business model is increasingly sophisticated:
The Petya ransomware partner site
The partner often signs up to a traditional commission-based arrangement. For example, the “payment table” for Petya ransomware shows that if a partner makes 125 Bitcoins a week they will walk away with 106.25 Bitcoins after commission.
Petya payment table
There is also an initial usage fee. Someone looking to use the Stampado ransomware, for example, needs to come up with just $39.
With other criminals offering their services in spam distribution, ransom notes etc., it’s not difficult for an aspiring attacker to get started.

From commission-based networks to customer support and branding
The most ‘professional’ attackers offered their victims a help desk and technical support, guiding them through the process of buying Bitcoins to pay the ransom, and sometimes even being open to negotiation. Every step further encouraged the victim to pay.
Criminals offer customer support to ensure more victims pay #KLReportTweet
Further, Kaspersky Lab experts studying ransomware in Brazil noticed that for many attacks, branding the ransomware was a matter of some importance. Those looking for media attention and customer fear would opt for a high profile, celebrity theme or gimmick – while those more concerned about staying under the radar would forgo the temptation of fame and leave their victims facing just an e-mail for contacting the bad guys and a Bitcoin address to pay into.

It’s still all about the Bitcoins
Throughout 2016, the most popular ransomware families still favored payment in Bitcoins. Most ransomware demands were not excessive, averaging at around $300, although some were charged – and paid – a great deal more.
Others, particularly regional and hand-crafted operations, often preferred a local payment option – although this also meant that they were no longer able to hide in plain sight and blend in with the rest of the ransomware noise.

Ransomware turned its weapons on business
In the first three months of 2016, 17% of ransomware attacks targeted corporates – this equates to an attack hitting a business somewhere in the world every two minutes [1]. By the end of Q3 this had increased to 23.9% – an attack every 40 seconds.
A business is attacked with ransomware every 40 seconds #KLReportTweet
According to Kaspersky Lab research, in 2016, one in every five businesses worldwide suffered an IT security incident as a result of a ransomware attack.
- 42% of small and medium-sized businesses were hit by ransomware in the last 12 months.
- 32% of them paid the ransom.
- One in five never got their files back, even after paying.
- 67% of those affected by ransomware lost part or all of their corporate data – and one in four spent several weeks trying to restore access.
One in five SMBs never gets their data back, even after paying #KLReportTweet
Social engineering and human error remain key factors in corporate vulnerability. One in five cases involving significant data loss came about through employee carelessness or lack of awareness.
“We are seeing more targeted ransomware, where criminal groups carefully hand-pick and spear-phish their targets because of the data they possess and/or their reliance on the availability of this valuable data.”
John Fokker, Digital team Coordinator with the Dutch National High Tech Crime unit
Some industry sectors are harder hit than others, but our research shows that all are at risk
There is no such thing as a low-risk sector anymore #KLReportTweet

| # | Industry sector | % attacked with ransomware |
|---|---|---|
| 1 | Education | 23 |
| 2 | IT/Telecoms | 22 |
| 3 | Entertainment/Media | 21 |
| 4 | Financial Services | 21 |
| 5 | Construction | 19 |
| 6 | Government/public sector/defence | 18 |
| 7 | Manufacturing | 18 |
| 8 | Transport | 17 |
| 9 | Healthcare | 16 |
| 10 | Retail/wholesale/leisure | 16 |

Ransomware attacks that made the headlines
Hospitals became a prime target – with potentially devastating impact as operations were cancelled, patients diverted to other hospitals and more.
- The most notorious example of a ransomware attack took place in March when criminals locked down the computers of the Hollywood Presbyterian Medical Center in Los Angeles, until the hospital paid $17,000.
- Within weeks, a number of hospitals in Germany were also hit.
- In the UK, 28 National Health Service trusts admitted to being attacked in 2016.
Hosted desktop and cloud provider VESK paid nearly $23,000 in ransom to recover access to one of its systems following an attack in September.
Leading media, including the New York Times, the BBC and AOL were hit by malware carrying ransomware in March 2016.
A small police station in Massachusetts ended up paying a $500 ransom (via Bitcoin) in order to retrieve essential case-related data, after an officer opened a poisonous email attachment.
Even motor racing was hit: a leading NASCAR racing team faced losing data worth millions to a TeslaCrypt attack in April.
The latest versions of Kaspersky Lab products for smaller companies have been enhanced with anti-cryptomalware functionality. In addition, a new, free anti-ransomware tool has been made available for all businesses to download and use, regardless of the security solution they use.
A new free, AV-independent anti-ransomware tool is available #KLReportTweet
Kaspersky Lab’s Anti-Ransomware Tool for Business is a ‘light’ solution that can function in parallel with other antivirus software. The tool uses two components needed for the early detection of Trojans: the distributed Kaspersky Security Network and System Watcher, which monitors applications’ activity.
Kaspersky Security Network quickly checks the reputation of files and website URLs through the cloud, and System Watcher monitors the behavior of programs and provides proactive protection from as-yet-unknown versions of Trojans. Most importantly, the tool can back up files opened by suspicious applications and roll back the changes if the actions taken by those programs prove malicious.

Through collaboration: The No More Ransom Initiative
On 25 July 2016, the Dutch National Police, Europol, Intel Security and Kaspersky Lab announced the launch of the No More Ransom project – a non-commercial initiative that unites public and private organizations and aims to inform people of the dangers of ransomware and help them to recover their data.
The online portal currently carries eight decryption tools, five of which were made by Kaspersky Lab. These can help to restore files encrypted by more than 20 types of cryptomalware. To date, more than 4,400 victims have got their data back – and more than $1.5 million in ransom demands has been saved.
No More Ransom has so far got 4,400 people their data back – and deprived criminals of $1.5 million in ransom #KLReportTweet
In October, law enforcement agencies from a further 13 countries joined the project, including: Bosnia and Herzegovina, Bulgaria, Colombia, France, Hungary, Ireland, Italy, Latvia, Lithuania, Portugal, Spain, Switzerland and the United Kingdom.
Eurojust and the European Commission also support the project’s objectives, and more partners from the private sector and law enforcement are expected to be announced soon.
“Public/Private partnerships are the essence and the strength of the NMR initiative. They are essential to effectively and efficiently tackle the problem, providing us with much greater capability and reach than law enforcement could have alone.”
Steven Wilson, Head of Europol’s EC3

Standing up to ransomware – how to stay safe
- Back up data regularly.
- Use a reliable security solution, and remember to keep key features – such as System Watcher – switched on.
- Always keep software updated on all the devices you use.
- Treat email attachments, or messages from people you don’t know, with caution. If in doubt, don’t open it.
- If you’re a business, you should also educate your employees and IT teams; keep sensitive data separate; restrict access; and back up everything, always.
- If you are unlucky enough to fall victim to an encryptor, don’t panic. Use a clean system to check our No More Ransom site; you may well find a decryption tool that can help you get your files back.
- Last, but not least, remember that ransomware is a criminal offence. Report it to your local law enforcement agency.
“We urge people to report an attack. Every victim holds an essential piece of evidence that provides invaluable insight. In return, we can keep them informed and protect them from dodgy third-party ‘offers’ to unencrypt data. But we need to ensure that more law enforcement offices know how to deal with digital crime.”
Ton Maas, Digital team Coordinator with the Dutch National High Tech Crime unit

Why you shouldn’t pay – advice from the Dutch National High Tech Crime Unit
- You become a bigger target.
- You can’t trust criminals – you may never get your data back, even if you pay.
- Your next ransom will be higher.
- You encourage the criminals.
We believe we can – but only by working together. Ransomware is a lucrative criminal business. To make it stop the world needs to unite to disrupt the criminals’ kill-chain and make it increasingly difficult for them to implement and profit from their attacks.
[1] Estimates based on: 17% of 372,602 unique users with ransomware attacks blocked by Kaspersky Lab products in Q1 2016, and 23.9% of 821,865 unique users with ransomware attacks blocked by Kaspersky Lab products in Q3 2016.