Two new reports about ransomware are drawing attention, one because it is alarming to owners of Android smart phones running older versions of the OS, the other because it explains why CryptoWall is so effective.
First, owners of Android devices who are still stuck on v. 4.x because their carriers and/or handset manufacturers aren’t passing on updates have been warned about a new ransomware campaign that can lock up their devices if users aren’t careful.
“This is a new and troubling development for the Android OS,” Andrew Brandt, a researcher at Blue Coat who discovered the vulnerability, was quoted by ThreatPost as saying. “This ransomware thrives on outdated Android devices that are not patched and will likely never be.”
The ransomware, found so far on ads on porn sites, infects the default browser on certain versions of Android through a drive-by exploit, installing a weaponized version of the Towelroot jailbreaking utility. It exploits the CVE-2014-3153 Linux kernel vulnerability.
Towelroot suppresses the normal pop-up permissions window on Android that appears when you install programs from Google Play, the story notes, so the install is in the background. Then non-crypto ransomware called Cyber.Police is installed. While files aren’t encrypted, the malware locks the device until the ransom is paid.
If the device is infected the only way to fix it is a factory reset, which destroys all data.
It’s another reminder to Android users that using Chrome or another mobile browser is better than the default one. It’s also a reminder that, hard as it is to be forced to buy a new device, if it’s running 4.x — and, according to Google, 56 per cent are — it’s time to get rid of it. When shopping, demand a handset from a maker that has promised updates, and a carrier that will transmit them.
Meanwhile Imperva has released a report looking at the money trail behind one of the most successful strains of ransomware, CryptoWall 3.0. Although version 4.0 is out there, Imperva believes its collection system. In short, the report argues that “peeling the layers behind the financial infrastructure of ransomware is achievable and such investigations could be a powerful tool if undertaken by the appropriate authorities. We believe one of the reasons ransomware is thriving is the lack of action from law enforcement agencies.”
Despite the attackers using a number of techniques to maintain anonymity, including Google Drive to deliver the ransomware, Tor, and many layers of Bitcoin transactions, Imperva shows that quite a lot of information could be gathered from the Bitcoin (BTC) address provided in the ransom instructions. “We followed the Bitcoin transactions passing through the attacker’s wallet and finally disclosed an extensive infrastructure of Bitcoin wallets where the operators are profiting hand over fist serving numerous samples of CryptoWall ransomware.”
While Imperva admits CISOs may have difficulty stopping ransomware from infecting endpoints, they can do something to prevent it from encrypting a file share. A few simple monitoring rules on a file share can catch this malware before it encrypts your data, says the vendor: First, look for the “HELP_DECRYPT” files — every read, write, or access action on these files discloses the infection. Second, look for temporary files that are being created and deleted cyclically from a particular computer. One or two such files is reasonable, but more than that requires immediate intervention.
These steps could be automated, the company adds, using a file activity monitoring product.
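The two monitoring rules above, implemented as an added example (not code from the article or from Imperva's product): the log format, host names and sample lines are constructed for illustration, and the five-minute window and "more than two" threshold are assumptions that paraphrase the report's "one or two is reasonable".

```python
"""Toy file-share activity monitor for the two CryptoWall rules.

The log format ("<ISO-8601 time> <host> <ACTION> <path>") and the sample
lines are constructed for this example; they are not from any real product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import posixpath

# Constructed sample activity: WS-04 shows normal Office behaviour (one lock
# file created and deleted); WS-17 churns through temp files and then drops
# ransom notes; WS-09 merely opens one of the notes.
SAMPLE_LOG = """\
2016-04-26T09:00:01 WS-04 CREATE /share/finance/~$budget.xlsx
2016-04-26T09:00:02 WS-04 WRITE /share/finance/budget.xlsx
2016-04-26T09:00:03 WS-04 DELETE /share/finance/~$budget.xlsx
2016-04-26T09:05:10 WS-17 CREATE /share/hr/review.docx.tmp
2016-04-26T09:05:10 WS-17 WRITE /share/hr/review.docx
2016-04-26T09:05:11 WS-17 DELETE /share/hr/review.docx.tmp
2016-04-26T09:05:11 WS-17 CREATE /share/hr/salaries.xlsx.tmp
2016-04-26T09:05:12 WS-17 DELETE /share/hr/salaries.xlsx.tmp
2016-04-26T09:05:12 WS-17 CREATE /share/hr/org.pptx.tmp
2016-04-26T09:05:13 WS-17 DELETE /share/hr/org.pptx.tmp
2016-04-26T09:05:13 WS-17 CREATE /share/hr/policy.pdf.tmp
2016-04-26T09:05:14 WS-17 DELETE /share/hr/policy.pdf.tmp
2016-04-26T09:05:14 WS-17 WRITE /share/hr/HELP_DECRYPT.TXT
2016-04-26T09:05:15 WS-17 WRITE /share/hr/HELP_DECRYPT.HTML
2016-04-26T09:07:00 WS-09 READ /share/hr/HELP_DECRYPT.HTML
"""


@dataclass
class Event:
    ts: datetime
    host: str
    action: str
    path: str


def parse_log(text):
    """Parse the constructed log format into Event records, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, path = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), host, action.upper(), path))
    return events


def detect_help_decrypt(events):
    """Rule 1: any read, write or other access to a HELP_DECRYPT* file.

    Returns (host, action, path) for every matching event; a host that
    WRITEs the note is the likely infected machine, a host that READs it is
    at least a user who has seen it.
    """
    return [
        (ev.host, ev.action, ev.path)
        for ev in events
        if posixpath.basename(ev.path).upper().startswith("HELP_DECRYPT")
    ]


def _is_temp_name(path):
    # Office lock files start with "~"; many tools use a ".tmp" suffix.
    name = posixpath.basename(path)
    return name.startswith("~") or name.lower().endswith(".tmp")


def detect_temp_churn(events, window=timedelta(minutes=5), threshold=2):
    """Rule 2: count CREATE -> DELETE cycles of temp files per host.

    A cycle is a CREATE of a temp-looking path followed by a DELETE of the
    same path by the same host within `window` (assumed value). More than
    `threshold` cycles (assumed: 2, i.e. "one or two is reasonable") is an
    alert. Returns (cycles_per_host, sorted list of alerting hosts).
    """
    pending = {}                      # (host, path) -> time of CREATE
    cycles = defaultdict(int)
    for ev in events:
        if not _is_temp_name(ev.path):
            continue
        key = (ev.host, ev.path)
        if ev.action == "CREATE":
            pending[key] = ev.ts
        elif ev.action == "DELETE" and key in pending:
            if ev.ts - pending.pop(key) <= window:
                cycles[ev.host] += 1
    alerts = sorted(h for h, n in cycles.items() if n > threshold)
    return dict(cycles), alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in detect_help_decrypt(evs):
        print("HELP_DECRYPT access:", *hit)
    counts, alerting = detect_temp_churn(evs)
    print("temp-file cycles per host:", counts)
    print("hosts needing immediate intervention:", alerting)
```

On the constructed sample, rule 1 fires three times (WS-17 writing both notes, WS-09 reading one) and rule 2 counts one cycle for WS-04 and four for WS-17, so only WS-17 crosses the threshold. In a real deployment the same logic would be fed by the file activity monitoring product the article mentions, with the window and threshold tuned to the share's normal behaviour.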