Trick or Treat?

Imagine a world where Trick or Treaters did the trick first, then forced you to pay them before treating you to undoing the damage. Sounds unlikely?

Unfortunately not. This is the exact modus operandi of the bottom-feeding scumbags that run CryptoWare extortion rackets.

This week the Cyber Threat Alliance, a joint venture formed initially by Fortinet, Intel, Palo Alto and Symantec to share threat intelligence, published what they call “a significant first milestone”: a paper on the ‘Analysis of CryptoWall Version 3 Threat’. It makes for very interesting reading. You can download it here:

So what does the report tell us (just in case your time is too short to read the whole thing)?

Scale – This Malware is estimated to have cost hundreds of thousands of users, both individual and corporate, across the globe $365 Million.

Infection – This evil is delivered either by phishing emails (67.3%) or by exploit kits like Angler, via drive-by or watering-hole methods. This is in line with ITC’s 2015 security predictions.

The phishing emails are the ones that you will all have received, mentioning an invoice/fax or claiming to be ‘internal’. The attachments are usually disguised as Microsoft Screensaver files, which Windows runs just like any other executable.
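To make the screensaver point concrete, here is a mail-triage check that flags attachments Windows would run as programs, whether they are attached directly or tucked inside a zip. It is an added example, not taken from the Cyber Threat Alliance report or from ITC's service; the extension list, the zip handling, the function names and the sample message are all assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block list: extensions Windows runs as programs (.scr is an ordinary executable).
RISKY_EXT = (".scr", ".exe", ".com", ".pif")

def looks_executable(name: str, data: bytes) -> bool:
    """True if the name ends in a risky extension or the content starts with the 'MZ' magic."""
    # Windows ignores trailing dots and spaces in file names, so strip them first.
    return name.lower().rstrip(". ").endswith(RISKY_EXT) or data[:2] == b"MZ"

def flag_attachments(raw_message: bytes) -> list[str]:
    """Return the names of attachments (and zip members) that look like Windows executables."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if looks_executable(name, data):
            flagged.append(name)
        elif data[:4] == b"PK\x03\x04":  # zip archive: look at its members as well
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        with zf.open(info) as fh:
                            head = fh.read(2)
                        if looks_executable(info.filename, head):
                            flagged.append(f"{name}!{info.filename}")
            except (zipfile.BadZipFile, RuntimeError):  # corrupt or password-protected
                flagged.append(f"{name} (unreadable archive)")
    return flagged

def build_sample() -> bytes:
    """Constructed sample: a harmless PDF-like file, a fake .scr and a zip holding a fake .scr."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    msg.add_attachment(b"MZ constructed, not a real program", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.scr")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax_0412.scr", b"MZ constructed")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="fax.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(flag_attachments(build_sample()))
```

An archive that cannot be opened is flagged rather than waved through, since a password-protected zip is exactly what a filter cannot inspect.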

Once inside the system, the Malware is written straight into memory, avoiding disk activity in an attempt to bypass Antivirus. The code also changes repeatedly to avoid detection.

Payload – The malware uniquely identifies the individual machine by running an MD5 Hash on the following collected data: [COMPUTER NAME] [VOLUME SERIAL] [PROCESSOR INFORMATION] [OS VERSION]. It then generates a unique key and communicates with a command and control server to save the details.

We all know what happens next – your files are encrypted and you receive a ransom message. Lovely. Interestingly, the size of the ransoms has come down, to the point where paying might now appear worth it.

Payment goes through a chain of anonymous bitcoin wallets so these people cannot easily be caught or identified, yet.

The coding of this malware is clinical, professional, and brilliant even. It would make you wonder why go to such lengths to be so good, other than the fact that you have spent far too much time on your own in your bedroom and have some form of disorder, like some Northern Irish and Scouse teenagers we could mention.

Well, it turns out from the extensive research that the entire campaign is run by a single crime outfit, who are very much richer as a result. What that means for us is that it is a certainty that more of the same is coming.

What to do about it? Unlike the unhelpful advice of a particular FBI Agent who said “just pay”, or something along those lines, don’t pay!

Make sure that you have good backups of your data, but much more importantly, to quote Tony Blair – “Education, Education, Educaion” (actually he said “Education, Education, Education” – I just thought that was funny).

Educate your users about phishing and keep educating them, and keep educating them, and keep educating them. Got it now?

Underpin the education with really up to date URL filtering technology, DNS fluxing detection, Antivirus and Malware detection; all parts of the ITC NetSure360° Managed Security Service, and you will at least have a chance.

Good luck. These people want your money.

If you would like to discuss any of this in all of its spooky, gory detail, please contact us at: [email protected] or call 020 7517 3900.

Happy Halloween.