Ransomware seems to be flavour of the month for malware authors. We’ve been seeing evil offspring of Cryptolocker et al pop up on a near weekly basis, all following the same tried, tested and presumably profitable principle of holding a user’s encrypted files hostage until a bitcoin or similar anonymous payment is made. Blackhat programmers with a degree of crypto knowledge are presumably in high demand right now.
Whilst ‘toolkits’ that allow non-programmers to produce bespoke malware variants with a few clicks are fairly common for the longer-standing residents of the malware world (things like remote access trojans (RATs) and spambots), there hadn’t really been anything comparable for producing ransomware on demand (maybe we should be vogue and call it software defined malware?). That changed with the discovery this week of ‘TOX’, a platform that essentially offered anyone more adept than your average five-year-old the ability to ‘next-next-finish’ their way to producing a customised, anti-virus-evading bit of Cryptolocker-style malware.
Although fairly amateurish in many ways, the TOX toolkit is entirely web based and trivially easy to use. All you needed to become a malware author was to provide a ransom message, a price and a destination bitcoin address for payment. TOX then handled all the otherwise ‘hard’ aspects, maintaining the decryption keys and handling payments from desperate users, all for a mere 30% cut of whatever ransom that malevolent five-year-old chose. It’s a really worrying sign of things to come and yet another sign that crypto malware is here to stay. McAfee have a fuller write-up on TOX over here; it’s worth a look, and the screenshots in particular make it strikingly clear how easy this was to use.
I say ‘was’ because clearly the publicity from McAfee wasn’t entirely welcome news for the author of TOX. A post appeared on Pastebin a couple of days ago (http://pastebin.com/FfdDSbBh) suggesting the whole endeavour was the work of a bored teenager who’d hoped to stay under the radar and wasn’t really prepared to scale up the platform to meet demand (GCSEs coming up, we wonder?). Instead he’s called it quits and has put the platform code up for sale to the highest bidder.
Of course we can only hope that it ends up in the hands of an academic or researcher rather than criminals, but in any case it’s simply a matter of time before someone with more commitment emulates the TOX approach to ransom-as-a-service.
Our advice to mitigate these kinds of threats remains the same – invest both in user education and the implementation of detection techniques that move beyond traditional signature based antivirus. Things like host intrusion protection systems (HIPS) and sandboxing will be your friends here. Monitoring your organisation for signs of Tor traffic is also advised – it’s a strong indicator of suspicious activity and becoming an increasingly common C&C mechanism for malware.
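As an added illustration of the Tor-monitoring advice above (our own example, not part of the original post), this Python snippet scans constructed firewall log lines for two indicators: destinations that appear on a relay list, and connections to ports commonly used by Tor. The relay addresses, the log format and the field names are all assumptions for the sake of the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed placeholder relay addresses (documentation ranges, not real Tor nodes);
# a real deployment would refresh this set from a published Tor relay list on a schedule.
TOR_RELAYS = {ipaddress.ip_address("203.0.113.10"),
              ipaddress.ip_address("198.51.100.77")}
# Common Tor ports (ORPort, DirPort, SOCKS): a heuristic only, since relays may use 443.
TOR_PORTS = {9001, 9030, 9050, 9051}

# Constructed firewall log lines in a simple key=value format (assumed, not a real product's).
SAMPLE_LOGS = """\
2015-06-02T10:01:12 ALLOW src=10.0.0.15 dst=192.0.2.80 dport=443 proto=tcp
2015-06-02T10:01:15 ALLOW src=10.0.0.15 dst=203.0.113.10 dport=443 proto=tcp
2015-06-02T10:02:01 ALLOW src=10.0.0.22 dst=192.0.2.5 dport=9001 proto=tcp
2015-06-02T10:02:30 ALLOW src=10.0.0.22 dst=192.0.2.53 dport=53 proto=udp
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def check_line(line: str) -> Optional[Dict[str, str]]:
    """Return an alert dict if the connection looks Tor-related, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped rather than guessed at
    dst = ipaddress.ip_address(m["dst"])
    port = int(m["dport"])
    reasons = []
    if dst in TOR_RELAYS:
        reasons.append("destination is a listed Tor relay")
    if port in TOR_PORTS:
        reasons.append(f"destination port {port} is a common Tor port")
    if not reasons:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": m["dport"], "reason": "; ".join(reasons)}


def find_tor_indicators(log_text: str) -> List[Dict[str, str]]:
    """Scan a block of log lines and return every Tor-related alert."""
    return [a for a in map(check_line, log_text.splitlines()) if a]


def hosts_to_investigate(log_text: str) -> List[str]:
    """Internal source hosts with at least one Tor indicator, for triage."""
    return sorted({a["src"] for a in find_tor_indicators(log_text)})
```

The relay-list match is the stronger signal; the port heuristic on its own will produce false positives and is best used to prioritise rather than to alert outright.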
We do understand that 24/7 monitoring of the diverse and noisy logs that HIPS, sandboxing, firewalls and IPS produce is extremely challenging. Our NetSure360° platform can help make it simple, cutting out the background noise and alerting you on what you really need to know about the threats your organisation faces. If you want to understand more about how we do this, then please do get in touch via the normal means: [email protected] or 0207 517 3900.