Windows PC users beware

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts


    CryptoDefense is a sophisticated hybrid ransomware design using several advanced techniques and phishing to extort money from victims.


    CryptoLocker Has A Competitor That Is Worse: CryptoDefense



    This is a rare Cyberheist NewsFlash that we send out when we run into something important enough to alert you about right away. Please forward this to your friends and colleagues.

    More data became available since the first time I reported on this, so here is a more in-depth warning about new very nasty ransomware.

    As we said before, there is furious competition between cybergangs. Late February 2014, a CryptoLocker ransomware copycat competitor called CryptoDefense was released which outdoes the original.

    They did their test-marketing in many other countries like the UK, Canada, Australia and others. They are now targeting the U.S. as you can see in this infection heatmap picture generated by Symantec. They are making tens of thousands of dollars per month with this technically sophisticated scam.

    If an end-user opens the infected attachment, the CryptoDefense ransomware encrypts its target files, and the criminals charge approx. $U.S. 500 in Bitcoin to decrypt the files. If their four-day deadline passes by, the amount goes to about $U.S. 1,000. Note that Bitcoin exchange rates vary so these numbers are ballpark, and that CryptoDefense is much more expensive to unlock than CryptoLocker.

    The ransomware target files are text, picture, video, PDF and MS Office files and CryptoDefense encrypts these with a strong RSA-2048 key which is hard to undo. To add insult to injury, it wipes out all Shadow Volume Copies. Instructions with the ransom demands are added to every folder containing encrypted files. This stinks.

    When the hapless end-user clicks the attachment, CryptoDefense connects to four remote domains and sends basic information about the infected workstation. Then, the files on the end-user machine are encrypted, and the private key is sent back to the Control & Command server.

    Last, the malware makes a screenshot of the active screen of the end-user workstation and uploads this to their C&C server. That screenshot appears on the payment page where the victim can upload the Bitcoin payments. To reach this page you first need to install the Tor Browser as the payment page is only available via the Tor network, which helps the criminals hide from the law to some degree.

    This new CryptoDefense ransomware does not seem to be a derivative of CryptoLocker as the code is completely different, confirming this is a competing criminal gang. Malware has bugs too, and the Symantec researchers wrote: "Due to the attackers' poor implementation of the cryptographic functionality they have, quite literally, left their hostages a key to escape". But by the time you read this, the hackers said "Spasiba Symantec" ("Thank You" in Russian) and that bug has been fixed.

    RANSOM

    [Image: CryptoDefense ransom screen]

    If the victim does not pay within a month, the private key of the encrypted files will be deleted so that access to the encrypted files is no longer possible. They are using RSA-2048 encryption using Microsoft’s own cryptographic infrastructure and Windows APIs to perform the key generation before sending it back in plain text to the attacker’s server. Getting the files back is very hard if you do not have recent backups (made without using Shadow Volume copies).

    INFECTION VECTOR

    It appears that this infection initially was installed through programs that pretend to be flash updates or video players required to view an online video, and then moved on to a variety of different phishing attacks that all show an email with a zip file and ask to "open the attached document" which is supposed to have been "scanned and sent to you".

    PAYMENT ADDRESSES

    CryptoDefense allows you to pay the ransom by sending Bitcoins to an address shown in the malware's Decrypt Service page. Often people wind up paying the Bitcoins, as they find their backups could not be restored for a variety of reasons.

    It is obvious that this again is a social engineering play and that effective security awareness training will prevent your end-users from opening these infected attachments when they make it through the filters (which they regularly do).

    Once infected, the only way to fix this relatively fast is to make sure you have a recent backup of the files which actually can be restored. Wipe and rebuild the machine from scratch, and restore the files. We see an average of three hours of admin work for this.

    Recent ransomware infections were users opening an attachment with a "voice mail message" from AT&T, but there are variants from other Telco companies. Users then admit to opening the attachment but say it did nothing; however, they could not open their files afterward.

    STOP FILES FROM BEING "RANSOMWARED"

    Like we said, make sure your daily backups can be restored. And training your end-users to prevent fires like this is a must these days. So, go to the KnowBe4 website and get a quote for the amount of users in your organization. Do it now, before a user gets social engineered and their files are "ransomwared".
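The two behaviours the newsflash describes, a ransom note dropped into every folder of encrypted files and the wiping of all Shadow Volume Copies, are also what a defender can hunt for after the fact. The following is an added example, not code from KnowBe4, Symantec or anyone in this thread; the note file name, the process-log format and the vssadmin command line it matches are assumptions, and all sample data is constructed.

```python
"""Defender-side checks for two behaviours the post attributes to CryptoDefense: a ransom
note dropped into every folder of encrypted files, and wholesale deletion of Volume Shadow
Copies. Added example, not KnowBe4/Symantec code; note name, log format and data are constructed."""
import os
import re
import tempfile
from pathlib import Path

# Constructed process-creation log (not from the page). The vssadmin "Delete Shadows /All"
# command line is what endpoint detection rules commonly key on; assumed, not from the post.
SAMPLE_PROCESS_LOG = """\
2014-03-28T10:01:02 host1 parent=explorer.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"
2014-03-28T10:01:05 host1 parent=services.exe image=C:\\Windows\\System32\\svchost.exe cmd="svchost.exe -k netsvcs"
2014-03-28T10:02:11 host2 parent=cmd.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"
"""
SHADOW_WIPE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b.*/all\b", re.I)
LOG_LINE = re.compile(r'(\S+)\s+(\S+)\s.*cmd="([^"]*)"')


def shadow_copy_deletions(log_text):
    """Return (timestamp, host) for each log line whose command wipes all shadow copies."""
    matches = (LOG_LINE.match(line) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m and SHADOW_WIPE.search(m.group(3))]


def replicated_note_dirs(root, min_dirs=3, min_ratio=0.5):
    """Find file names that recur in most folders under root, the footprint of a
    'note in every folder' ransomware. Returns {name: [folders it appears in]}."""
    seen, total = {}, 0
    for dirpath, _dirs, files in os.walk(root):
        total += 1
        for name in files:
            seen.setdefault(name, []).append(dirpath)
    return {n: d for n, d in seen.items() if len(d) >= min_dirs and len(d) / total >= min_ratio}


def build_sample_tree(root):
    """Constructed tree: five folders with a document each; four also hold an identical note."""
    for i in range(5):
        folder = Path(root, f"folder{i}")
        folder.mkdir()
        (folder / f"report{i}.docx").write_text("document")
        if i < 4:  # the note name is a placeholder, not CryptoDefense's real file name
            (folder / "HOW_DECRYPT.TXT").write_text("ransom note (constructed)")


def demo():
    # Run the folder heuristic on the constructed tree; returns the flagged file names.
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(replicated_note_dirs(root))
```

The folder heuristic only flags names that recur across most directories, so ordinary per-folder files are not reported; tune `min_dirs` and `min_ratio` to the share you consider suspicious.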

  • #2
    I'm so sick of these bastards. All it takes is one uninformed end-user to lock down a whole company, and usually the damage is way past irreparable once someone notices it. The only way to defeat it without paying is to make sure you have KNOWN working backups, wipe the whole computer, and hope you don't lose too much work because of having to restore files from probably a week ago.



    • #3
      That hit my job pretty hard.



      • #4
        Lol have any of you seen the fake fbi malware that pops up while looking at porn? It activates your camera and shows you on the screen then says you can pay to have it removed lmfao

        Sent from my HTC One using Tapatalk



        • #5
          Originally posted by dsrtuckteezy:
          Lol have any of you seen the fake fbi malware that pops up while looking at porn? It activates your camera and shows you on the screen then says you can pay to have it removed lmfao

          Sent from my HTC One using Tapatalk
          That's scary
          2012 GT500



          • #6
            Originally posted by dsrtuckteezy:
            Lol have any of you seen the fake fbi malware that pops up while looking at porn? It activates your camera and shows you on the screen then says you can pay to have it removed lmfao

            Sent from my HTC One using Tapatalk
            That shit's old, and easily removed if you know what you're doing. It still scares a lot of people though, lol.



            • #7
              Originally posted by Ratt:
              That shit's old, and easily removed if you know what you're doing. It still scares a lot of people though, lol.
              Didn't it scare someone enough to shoot his son and kill himself (in some third world country)?



              • #8
                Originally posted by roliath:
                Didn't it scare someone enough to shoot his son and kill himself (in some third world country)?
                I believe so.



                • #9
                  I just got a call from one of the scammers telling me my PC is infected and is sending alerts to Microsoft, and he contacted me to help me resolve the issue. If I were not on a conference call, I would have stayed with it and dragged him along. I was baiting him pretty good, so much so that I told him he would have to call back later so we could continue. Now I am thinking about how I want to play it. I might start talking like "Radio" but with Tourette's.



                  • #10
                    It really doesn't take much to stay ahead of these things as long as you are sure to run good security SW and allow it to update regularly. If you run Windows you should take advantage of one of the many free security solutions from Microsoft as well....



                    ...and most importantly, be sure to keep updated with all the new definitions as soon as they are released. This Trojan was covered under definition #1.169.1618.0, which was released by MS back on 11/15/13....4.5 months before this blog was written.
                    70' Chevelle RagTop
                    (Forever Under Construction)



                    "Opportunity is missed by most people because it is dressed in overalls and looks like work." - Thomas A. Edison



                    • #11
                      OSX = no worry ...
                      07 GT500
                      05 SRT10
                      88 turbocoupe T-bird
                      93 Cobra
                      86 coupe
                      Ducati 848



                      • #12
                        Originally posted by mk5.0:
                        OSX = no worry ...
                        Yeah, sure.

                        How about this one...


                        When the government pays, the government controls.



                        • #13
                          It's a stretch to say no worries with threats like the SSL issue that left a serious hole for hackers for months before it was fixed, or the numerous Java issues, Botnet, PW, or otherwise that have plagued Apple users. There are plenty....do your research and be informed regardless what your preference is.

                          Matter of fact, Apple or PC - all web clients are just as vulnerable to these sort of entry points.

                          ...and I'll give you that Apple is less of a threat percentage wise, however you also have to account for what overall percentage OSX is sitting on desktops compared to Windows....worldwide that's about 15% or less compared to 70% or more with Windows. (Only about 8% for OSX in the enterprise market)

                          Knowing those numbers....If you were a hacker for a living, which one would you spend more time focused on?
                          70' Chevelle RagTop
                          (Forever Under Construction)



                          "Opportunity is missed by most people because it is dressed in overalls and looks like work." - Thomas A. Edison



                          • #14
                            Imho, I think the best way to mitigate this is to only run on a Standard User Account. It doesn't have the privileges necessary to install software that can affect the whole OS Environment. I may be wrong about this, but it's the single best way to keep your everyday malware off a pc, and best of all, it's free.



                            • #15
                              Originally posted by Tx Redneck:
                              Imho, I think the best way to mitigate this is to only run on a Standard User Account. It doesn't have the privileges necessary to install software that can affect the whole OS Environment. I may be wrong about this, but it's the single best way to keep your everyday malware off a pc, and best of all, it's free.
                              Only partly correct, unfortunately. There are several ways around permissions and UAC that a lot of these programs use.

                              There's only so much you can do against threats like this that target large environments with tons of end-users. Keeping absolutely up-to-date backups is the number one priority these days, and not just because of malware/ransomware/viruses. End users are ridiculously capable of fucking something up on accident... I can't tell you how often I have to restore something that an end-user somehow screwed with, regardless of their permission level/security measures. It's getting to the point where these people are leaning on it as a crutch instead of a last-ditch effort.

                              After backups, a good (and as continuously up-to-date as possible) AV/Anti-Malware client is probably tied for second along with end-user education.

                              Then you get into things like restricting user permissions and Group Policy updates that keeps programs/apps from running in certain locations (see: cryptoblocker GPO). The problem with things like this is that nobody wants the hassle of having to go get someone with administrative permissions to do everything.


                              Edit:
                              Originally posted by mk5.0:
                              OSX = no worry ...
                              Rreemo touched on this, but the only reason Apples/Macs don't get malware or viruses as often is because of their <7% market share. Nobody is going to write a virus that targets the smallest number of users out there. As Apple/Mac keeps gaining market share, the demand for viruses and malware for these platforms will grow. They have all the same vulnerabilities that Windows PCs have, it's just that nobody has bothered with that small percentage of users thus far.
