News: CBR helps you keep one step ahead of fast-moving ransomware.
It is no secret that ransomware shows no signs of stopping – a recent report from Malwarebytes found that 54% of UK companies were hit by ransomware in the last year. Ransomware is so effective as it is constantly evolving, with new strains and variants of malware being found everyday. Helping you keep one step ahead of the threat, CBR looks at the most recent ransomware discoveries.
McAfee Labs discovered El Gato, a cat-themed ransomware which targets Android users. The ransomware works with hackers using a seemingly innocent and cute image of a cat when a device has been infected and locked. Capable of stealing victims’ SMS messages and encrypting their files, the ransomware also comes with a web-based control panel service with built-in botnet capabilities.
However, the ransomware has been found to be easily decrypted using the hardcoded password, which may suggest that this strain is currently under development. Troy Gill, manager of security research at AppRiver, said:
“It’s not surprising at all to see a next step in the evolution of Ransomware. Ransomware has proven an effective business model and this approach will most certainly be embraced as a “new” method for revenue generation. On the bright side, people are more likely to have a recent backup of their mobile device since they are often scheduled to be backed up automatically.
"This should help reduce the effectiveness of this attack to an extent. But just like PC Ransomware, those who are not maintaining robust back-ups will find themselves in a precarious position should they suffer an infection like “El Gato”. The best defence is still keeping a regular offline back up.”
AVG malware analyst Jakub Kroustek discovered Hitler-Ransomware, a strain seemingly developed by less-skilled hackers and using file deletion as a method of attack. When infected, the ransomware displays a picture of Hitler alongside text which says that files have been encrypted.
"However, this strain of ransomware does not actually encrypt any files, instead removing the extension for all the files under various directories. If the cash code or 25 Euro Vodafone Card is not given for ransom, then the ransomware crashes the victim’s computer and, on reboot, deletes all files under the %UserProfile%. Thomas Pore, Director of IT at cyber security firm Plixer, said:
“It’s interesting that this variant does not actually encrypt the files, possibly for detection avoidance. However the approach to delete all of the files upon reboot after initiating an OS crash leaves users few alternatives. This is why users will likely continue to pay the ransom. The FBI is taking a firm stance on not paying ransoms, however each case is different.
“A routine off-site or off-network backup is the only sure-fire way to recover from ransomware. User training to identify phishing attacks is also paramount. Users just love clicking on URLs in email. Implementing software white-list or restriction policy could potentially stop the malware from running as well.”
The active and quirky ransomware strain Cerber has received a major update – one which breaks a decryption tool that was effective for the initial strain of ransomware.
Initially, Cerber evaded common antivirus checkers by updating its hash all the time. This left antivirus products without a signature in which to compare the malware against. However, Cerber’s success was relatively short-lived after Trend Micro devised a free decryptor tool which cracked the ransomware. This forced the ransomware’s authors to go back to development, with their most recent version of Cerber already seen online.
The authors have made huge altercations with Softpedia reporting: “Cerber v2 uses the CryptGenRandom Microsoft API to generate encryption keys, which are now 32 bytes long instead of 16 bytes.” Trend Micro researchers have said that there is no solution as of yet to this latest variant.