Compromised websites are an integral part of the cybercrime ecosystem. They are used by cybercriminals to host a wide range of malicious content, including phishing sites, exploit kits, redirects to other malicious sites, and other tools needed to carry out attacks. Why? One reason is that there is an abundance of insecure websites around the world that can be easily compromised. Another is that legitimate sites that have only recently been compromised are less likely to be blacklisted by internet browsers and other security measures.
With low overhead and risk of prosecution, ransomware attacks have outpaced banking Trojans in sheer number of incidents, if not profit. Ransomware’s rapidly growing popularity has spawned dozens of variants, subtypes, and families as threat actors seek to outmaneuver researchers and competitors. In this dynamic threat landscape, alongside monitoring the established ransomware families for any change in tactics, techniques, or procedures, we monitor social media and underground markets for emerging threats. Through this process, our team was alerted to and began an investigation of what is likely a new threat actor’s first attempt at ransomware design and distribution.
Recently we observed a new type of ransomware, called Alma Ransomware, being delivered via exploit kit. Often hidden on web servers, exploit kits (EK) are toolkits used by threat actors that exploit vulnerabilities in visiting users’ web browsers to deliver malicious payloads. Alma Ransomware (MD5 Hash: 92f8a916975363a371354b10070ab3e9) was observed being delivered via the RIG Exploit Kit. The malicious payload tripped only one indicator on VirusTotal at 2016-08-22 14:51:15 UTC:
Figure 1: VirusTotal indicator from day 1 of circulation.
Hackers targeting bitcoin wallet users are once again leveraging Google’s AdWords in their most recent campaigns. PhishLabs has previously seen similar attacks against banks and online gambling sites over the past year. Some of the most recent attacks have targeted Blockchain and Kraken and have been widely blogged and tweeted about over the past week. As seen in the screenshot below, a Google search for “blockchain.info” returns a Google ad for a look-alike domain, “blockchian.info” (figure 1). Kraken has released a statement via their blog acknowledging the ongoing campaigns and its attempt to mitigate the threat, which can be read here.
Figure 1 Sourced https://twitter.com/myetherwallet/status/766360476246618113
That awful moment… You’re working away, getting tasks ticked off left and right…
And then it happens. A terrible sinking feeling grips your stomach, and you know immediately what’s happened.
You’ve been infected with ransomware. The screen in front of you is filled with demands about Bitcoins, Tor, and encryption keys.
So what now?
You’ll have to tell your boss, of course. But once that’s done, there are some important tasks for you to complete.
While more organizations than ever before recognize the need to educate and train their employees on the dangers of phishing attacks, it’s important that those in charge of training make sure employees understand that not all phishing probes are alike. That’s because recognizing the “smell” of a phishing attempt is a powerful defense against the malicious bag of tricks used by cybercriminals to breach your security.
In 2015, PhishLabs analyzed more than 1 million confirmed malicious phishing sites residing on more than 130,000 unique domains. While the typical consumer phishing attack has garnered much attention, the specialized business spear phishing attack poses increasing risk for a company and its employees.
Here’s a brief menu of the types of phishing attacks your employees need to recognize and avoid.
While analyzing a recent phishing campaign targeting a Canadian financial institution, we came across an interesting technique used by the phishers to exfiltrate the personal and financial data obtained from victims. Historically, phishers have most commonly used disposable email accounts to collect compromised information from phishing campaigns. Sending compromised data to a temporary email account has likely been adopted by the phishing community because email accounts are easily accessible, and mailing scripts can be used or built with very little PHP knowledge. Instead of forwarding phished data to an email account, we have also seen phishers store victim information on the compromised phishing server, which allows them to consolidate all of the data into one file rather than having to sift through an individual email for each piece of information.
So far in this series we’ve covered the anatomy of a typical ransomware attack, and looked at some of the most common ransomware families.
And that’s useful information to have, but it doesn’t answer the important question:
How do I keep my organization safe?
So in this article we’ll go through some of the security measures you can take to minimize the likelihood of falling prey to a ransomware attack.
The most important thing to realize is that there’s no magic bullet. There’s no single approach, product, or vendor that can guarantee your complete safety from ransomware… or any other form of cyber attack, for that matter. (If you hear one tell you that, run away fast!)
Instead, there are three stages of defending against ransomware that you and your partners can use to make a ransomware infection far less likely.
At the end of July, the PhishLabs Research, Analysis, and Intelligence Division (R.A.I.D.) found two major changes in the codebase of Vawtrak (a.k.a. Neverquest2) that significantly increased the banking Trojan’s persistence and the risk it poses to victims. We have discovered that the newest iteration of Vawtrak is now using a domain generation algorithm (DGA) to identify its command and control (C2) server. By using an algorithm instead of hardcoded domains, automated attempts at mitigation are rendered inadequate. Additionally, this new DGA implementation is bundled inside a codebase that appears smaller and more efficient, possibly because of compiler optimization. This optimization prevents malware researchers from using their pre-established Vawtrak analysis techniques during the reversing process to assist with mitigation of the threat.
Ransomware is becoming an epidemic.
From schools and hospitals to police departments, pharmaceutical companies, and even private citizens, it seems like nobody is safe.
And, of course, they aren’t.
So with that being the case, let’s take a look at the different types of ransomware, the most prominent families of 2016, and what’s driving so many threat actors to use this particular style of cybercrime.