RansomwareNewz – The Rocky, Locky Horror Picture Show

Welcome to the RansomwareNewz Desk, where we’ll be bringing you all you need to stay up to date and informed about everything ransomy, wary and newsy.

FROM RUSSIA WITH LOVE

First, it’s off to Russia via New York and The Late Show, where last week, host Stephen Colbert’s opening monologue contained a piece about hackers. Save for the Hillary Clinton/DNC e-mail leak and one more minor news story which escapes us, it’s the first time (we can think of) that hackers have been given airtime on a major chat show.

The news was that Russian cyberspying groups like Energetic Bear have hacked over one hundred U.S. conventional and nuclear power plants in 2017.

While it may be news to The Late Show and the rest of America, we know this kind of cyber warfare happens all the time. The New York Times even ran an article on Energetic Bear hacking Western oil and gas companies way back in 2014.

After gaining access to power stations, the groups gather intelligence, technical drawings, passwords and crypto keys but don’t worry – in a cyberwarfare version of Rocky 4, we definitely do to them what they do to us.

FROM ROCKY TO LOCKY

From Rocky to Locky now – the another red menace that keeps coming back to haunt us, like Ivan Drago.

Locky ransomware first appeared in 2016 but then disappeared in December, reappearing in January – the highly sophisticated professionals behind it perhaps on a Christmas break. It hit big again in February before going on to make less appearances in the first half of the year than Justin Timberlake on Jimmy Fallon.

Then last month, in August, back Locky came with a vengeance in the form of 23 million spearphishing e-mails, locked and loaded with a Locky payload that contained a double-whammy sucker punch combo – two new Locky versions named Diablo and Lukitus, we think named after The Devil in Spanish and Jean Luc-Picard’s Borg name.

Locky is distributed via the Necurs botnet – an army of over five million hacked (zombie) devices and seems to have taken most casualties in India. The country’s governmental Computer Emergency Response Team (CERT) issued an alert warning “The contents of the original files are encrypted (renamed to .locky) using an RSA-2048 and AES-1024 algorithm. The compromised user has to pay the attacker to get the files decrypted.”

Yet, while agencies issue warnings and the world remains vigilant, a recent study suggests that Locky Ransomware has raised over $8 million for cybercriminals. That’s more than Rocky made in his entire career. 

NEW RANSOMWARE FAMILIES

New additions to families can be joyous occasions – like newborn babies but when researchers at Microsoft discovered 71 new ransomware families in the first half of 2017, it was more like that dreaded day all fathers fear – the day when greasy-haired, frog-eyed biker, Dwayne asks for your daughter’s hand in marriage.

Volume 22 of Microsoft’s Security Intelligence Report highlights the evolution of ransomware and explore how attacks became more complex in the first half of this year. Ransomware encounters consistently declined from August 2016 through March 2017, when the trend reversed and attacks became more frequent and complex… with NotPetya, WannaCry, Spora, and other new variants which spread quicker and farther than earlier forms of malware.

Just like frogspawn in springtime, these new ransomware families hatched at a faster rate in 2017 and contributed to the March increase. In the first half-year, researchers discovered 71 new ransomware families, an increase from the 64 new families uncovered during the same months in 2016.

SYNACK HACK ATTACK

Speaking of new variants, the first half of September saw a spike in activity from a relatively unknown strain of ransomware called SynAck. According to Bleeping Computer, SynAck was first spotted on August 3rd and experts quickly determined that they were looking at a whole new ransomware strain altogether before it ‘mutated’ into three distinct versions.

Once infected, SynAck drops a ransom note on the user’s desktop. But unusually, this ransomware doesn’t employ a Dark Web-hosted payment portal, instead asking users to contact its author via email or a BitMessage ID.

If and when you do reply, you’ll receive a ransom demand for $2,100.

It often strikes us how polite some of these ransom notes are – the author even recommending the best way to go about buying Bitcoins. Later, the author of the SynAck Ransomware allegedly revealed himself on forums, I hope he’s just as polite when he’s handcuffed in the back of a black FBI SUV… probably politely recommending the best route back to Langley.

AND FINALLY…

Like all the best news stations, we here at RWNZD, Boston like to sign off with a story of a one-eyed cat who loves to surf and a reminder to stay safe. So before we bid you Aloha (Hawaiian for goodbye as well as hello) we’ll quickly reveal that those self-same same Microsoft researchers who wrote the above report detected a 300% increase in user accounts attacked over the past year and a 44% growth in the number of account sign-ins attempted from malicious IP addresses – many of them the result of weak, guessable passwords.

The RansomwareNewz Desk will be back soon until then, the moral of the story is – locky up your daughters… and your passwords.

 

Leave a Reply

Your email address will not be published.