Friday, October 22, 2021

New versions of ransomware discovered

Ransomware has a great advantage for criminals over other forms of cyber plunder: it's fast, and it works.

Forget about the months it may take to craft a spear-phishing campaign, infiltrate a target, find and assemble data to exfiltrate and then try to sell the information. Ransomware can be widely distributed, with the threat actor only having to sit back and watch the bitcoin roll in. It counts on victims being unprepared, without usable backups and desperate to restore their systems. Criminals don't even have to write code, because there are ransomware-as-a-service sites on the Dark Web.

So it’s no surprise that one unnamed security expert told CSO Online that ransomware pulled in US$1 billion last year.

This week there's news of three more ransomware operations in the open:

–Following up on last month's discovery of two actors attacking misconfigured MongoDB databases (typically instances reachable from the internet with no authentication enabled), a third participant has popped up who has hit 221 victims so far. Victims are given 72 hours to email the attacker and send 0.15 bitcoin to a specified wallet. The post says it isn't clear whether these are actually three different people or the same person using different names. A number of the MongoDB installations are backup or test environments running on Amazon AWS, the post also notes, so the victims may not yet know they've been hit;

–A ransomware family called FireCrypt has been discovered by MalwareHunterTeam. It comes as a kit for building the malware: according to this post, the author uses a command-line application that automates the process of putting FireCrypt samples together, allowing basic settings to be changed without having to tinker with bulky IDEs that compile its source code.

Compared to other ransomware builders, says this report, FireCrypt is relatively unsophisticated. Still, whoever runs the kit can generate a unique ransomware executable, give it a custom name and use a personalized file icon to disguise the executable as a PDF or DOC file;

–Someone with a strange sense of humour has created a ransomware version that tries to teach victims a lesson in safe computing. Dubbed Koolova, it hands over the decryption key not for money but for reading two security articles, one of which is a Google Security Blog post titled "Stay safe while browsing". Don't read the articles and the files stay encrypted. A security researcher discovered the code while it is still under development. So far, apparently, it's not in the wild.
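The MongoDB item above comes down to two settings: a daemon bound to every network interface and no authorization enabled. The following audit script is an added example, not code from the article or from any of the researchers it cites. It assumes the YAML layout mongod.conf uses (top-level sections such as net and security with one level of indented key: value pairs), and parse_mongod_conf is a deliberately tiny hypothetical helper for that subset; a real audit should use a YAML library. The version note is accurate: MongoDB releases before 3.6 bound to all interfaces when bindIp was left unset.

```python
"""Audit a mongod.conf for the two settings behind exposed MongoDB instances.

Added example, not part of the article. parse_mongod_conf is a hypothetical
helper that handles only the two-level YAML subset mongod.conf uses.
"""

ALL_INTERFACES = {"0.0.0.0", "::"}


def parse_mongod_conf(text):
    """Return {section: {key: value}} for the two-level YAML subset mongod uses."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if indent == 0:                         # new top-level section
            section = key
            conf.setdefault(section, {})
        elif section is not None:               # key inside the current section
            conf[section][key] = value
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means neither weakness is present."""
    conf = parse_mongod_conf(text)
    findings = []

    net = conf.get("net", {})
    bind_ip = net.get("bindIp")
    if net.get("bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif bind_ip is None:
        findings.append("net.bindIp is unset: MongoDB releases before 3.6 then listen on every interface")
    elif any(ip.strip() in ALL_INTERFACES for ip in bind_ip.split(",")):
        findings.append(f"net.bindIp={bind_ip}: mongod listens on every interface")

    security = conf.get("security", {})
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled: anyone who can reach the port "
                        "can read, drop and replace every database")
    return findings


# Constructed configs for the demonstration (not taken from any real incident).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from the internet if the host is
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1      # local clients only; put remote access behind a firewall or VPN
security:
  authorization: enabled # every client needs a user with a role
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Run it against the two constructed files and the weak one produces two findings while the hardened one produces none. Binding to localhost is the quickest fix for a test or backup instance that only its own host needs; where remote clients are legitimate, keep authorization enabled and restrict the port at the network layer as well.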
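The FireCrypt kit's disguise (a custom name and a PDF or DOC icon on an executable) relies on the victim judging a file by what Explorer shows rather than by its bytes. The checker below is an added example, not FireCrypt's code or the researchers' tooling. It inspects the two things a defender can test without rendering icons: the leading bytes of the file (standard magic values for PE, PDF, legacy OLE and OOXML) and the extension or double extension in the name. The icon resource itself is not parsed. build_fake_pe constructs a header-only stand-in for an executable so the script runs offline; it is not a real program.

```python
"""Flag files whose name or icon says "document" but whose bytes say "program".

Added example, not FireCrypt's code or the researchers' tooling.
"""
import struct

# Leading bytes of the formats involved (standard values, not from the article).
MAGIC = {
    "pe":   b"MZ",                                   # DOS stub that starts every Windows EXE
    "pdf":  b"%PDF-",
    "doc":  b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",     # OLE compound file (legacy .doc/.xls)
    "docx": b"PK\x03\x04",                           # OOXML is a zip container
}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXPECTED_CONTENT = {"pdf": "pdf", "doc": "doc", "docx": "docx", "exe": "pe", "scr": "pe"}


def is_pe(data):
    """Confirm an MZ header really leads to a 'PE\\0\\0' signature via e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_type(data):
    """Classify content by magic bytes; 'pe' only if the PE signature checks out."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            if name == "pe" and not is_pe(data):
                return "unknown"
            return name
    return "unknown"


def check_file(filename, data):
    """Return warnings for names/contents that disguise an executable as a document."""
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    content = sniff_type(data)
    warnings = []

    # "Invoice.pdf.exe": with known extensions hidden Explorer shows "Invoice.pdf",
    # and a PDF icon completes the disguise, yet a double-click runs it.
    if last in EXEC_EXTS and len(exts) >= 2 and exts[-2] in DOC_EXTS:
        warnings.append(f"{filename}: double extension, displays as .{exts[-2]} but runs as a program")

    # Executable bytes under a document (or missing) extension.
    if content == "pe" and last not in EXEC_EXTS:
        warnings.append(f"{filename}: Windows executable content behind a .{last or '(none)'} name")

    # Any other declared-vs-actual mismatch the magic table can detect.
    expected = EXPECTED_CONTENT.get(last)
    if content not in ("pe", "unknown") and expected and expected != content:
        warnings.append(f"{filename}: extension implies {expected} but content is {content}")
    return warnings


def build_fake_pe():
    """Constructed stand-in for an EXE: MZ header whose e_lfanew points at 'PE\\0\\0'.
    Header only; it is not an executable program."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


if __name__ == "__main__":
    samples = [                                             # constructed inputs
        ("Invoice.pdf.exe", build_fake_pe()),               # FireCrypt-style disguise
        ("Invoice.pdf", build_fake_pe()),                   # PE bytes under a document name
        ("Invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),  # genuine PDF header
        ("notes.docx", b"PK\x03\x04" + bytes(26)),          # zip container, as expected
    ]
    for name, data in samples:
        print(name, check_file(name, data) or ["ok"])
```

The same two checks are cheap enough to run on a mail gateway or file share: a double extension with a document name in the middle, or PE magic bytes under a non-executable name, is almost never legitimate. The icon trick itself is defeated by showing file extensions, which Windows hides by default.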

Security experts are divided on what 2017 will bring for ransomware: some believe it will dramatically expand, while others forecast a decline as law enforcement agencies around the world band together to fight the malware.

Just before the year ended McAfee was one security vendor that predicted a decline in ransomware compared to 2016, although it expects that drop won't start until the second half of this year. “We predict that initiatives like the No More Ransom! collaboration (a site with a collection of decryption tools), the development and release of antiransomware technologies, and continued law enforcement actions will reduce the volume and effectiveness of ransomware attacks by the end of 2017,” it forecast.

As always, the best defence an organization has against ransomware is an up-to-date backup, one that is kept offline or otherwise out of reach of the infected systems and is regularly tested to confirm it can actually be restored.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
