ransomware, blackmail
Image by Kaptnali from Thinkstock.com

Ransomware is at the top of today’s news, with more effort going into finding sources and reports of two new variants.

On Saturday the Globe and Mail reported that the Five Eyes group of intelligence-sharing countries — Canada, the U.S., Britain, Australia and New Zealand — are making a major effect to attack the sources of ransomware. One RCMP official is quoted as saying it looks like criminals are industrializing cybercrime with ransomware.

This comes as a number of security vendors and researchers report the spread of ransomware is increasing, although other forms of malware still account for the majority of other infections. Still, for the harm it causes by denying access to corporate data ransomware is something to be feared.

Here’s some new developments:

–on Monday researchers at Malwarebytes published a blog on the latest version of the DMA Locker ransomware, which is for the first time being distributed through the Neutrino exploit kit. “This change is another step towards maturity of the malware, showing that now this threat will be spreading on a bigger scale,” says the posting.

Unlike previous editions, Version 4.0 can’t encrypt files offline. It needs to download the public RSA encryption key from its command and control server. So if the malware file — usually a PDF — has been opened on a computer without an Internet connection, it will just install itself and waits until the user goes online. Then the following graphic is displayed:

dma_gui4

–last week researchers at Virginia-based endpoint security vendor Invincea warned of a ransomware variant of the Cerber family that not only holds the victim’s machine and data hostage until a ransom is paid could also be used as part of a potential DDOS attack.  You get two attacks for the price of one, it dryly noted.


The vector is a weaponized Office document spread through phishing. The victim is prompted to allow macros to run in Microsoft Word, which gives the malicious document the necessary elevated privileges, says Invincea.  The macros spawn an elevated command shell on the host, which executes an encoded VBscript and from there encrypts the computer.

The researcher notes binary code could also be used to carry out a DDoS attack because network traffic in the example studied seemed to be flooding the subnet with UDP packets over port 6892.  “By spoofing the source address,” says the researcher, “the host could direct all response traffic from the subnet to a targeted host, causing the host to be unresponsive.

For CISOs, ransomware poses a problem: It’s impact on the enterprise can range from annoying — one PC needing to be trashed — to almost putting the organization completely offline if the infection spreads.

Still, as an IBM blog notes, an official of Enigma Software says so far ransomware accounts for less than one per cent of all infections detected. Adware and rogue anti-spyware account for 40 per cent of infections, that official said — but, they are less dangerous.

Finally, security teams might find this April posting on the innards of the Locky ransomware useful. What particularly caught my eye is the description of how to find when the infection occurred, which is needed to figure out how far back you need to go to restoring from a backup that isn’t compromised.

Now more than ever CISOs have to mount vigorous — and regular — anti-phishing campaigns to make sure employees slowly and carefully read emails and think before clicking on links. And because someone will inevitably slip, backup and recovery is a vital defence.

The Enigma Software report can be found here.