Newest Ransomware Released
After about my second blog article on ransomware, I quickly realized it was going to be a regular topic in rotation for us. There isn’t a day that goes by that ransomware isn’t in the news. The scary thing about ransomware is the number of different strains being introduced and the success rate they are having. What is even scarier is that organizations are still not taking the time to fully educate themselves on this topic. Every day, someone within your organization should be spending time educating themselves on it. If you do not have dedicated tech support internally, you should ALWAYS contact your IT Consultant for help before you pay a ransom or do anything at all if you become infected.
The newest form of ransomware is VindowsLocker. VindowsLocker targets Windows OS, and its current method of distribution is unknown. Unlike traditional tech support scams, which only try to take money from victims by pretending to be helpful, VindowsLocker creates a real problem by locking up the victim’s files and then offers to help. Once a system is infected, VindowsLocker encrypts targeted files using AES and appends .vindows to the file names. It then displays a screen that instructs the victim to call a “level 5 Microsoft support technician” at a specific phone number in order to pay the ransom and regain access to their files. This variant doesn’t use a web-based C2 server to store the encryption keys; instead it hardcodes two Pastebin API keys, which eliminates the need to set up and host a server. If victims decide to call the phone number on the ransom note, they will reach a call center, rumored to be in India, posing as Microsoft support. The technician will then request remote access to the infected system, and the payment demanded to fix it is $349.99. Do not pay the $349.99. I repeat, do not pay the $349.99. The two Pastebin API keys will expire, as they can only be used in a single session, so there is no point in calling the call center and paying the ransom. The developers of this strain are definitely more amateur than what we have been seeing released lately, but organizations that are not properly informed are still paying the ransom.
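The one concrete indicator the post gives for this strain is the .vindows extension appended to encrypted files. The following is an added example, not code from 2W Tech or from any analysis of the malware: a small defender-side scanner that walks a directory tree (a file server or a restored backup, for instance), lists files carrying that extension, recovers the original file names, counts hits per directory so responders can see which shares were touched, and raises an alert once the count passes a threshold. The threshold of five and the sample directory layout are constructed for the demonstration; the extension is the one named above.

```python
import os
import tempfile
from collections import Counter

# Extension the post says VindowsLocker appends to encrypted files.
RANSOM_EXT = ".vindows"


def find_encrypted_files(root, ext=RANSOM_EXT):
    """Walk `root` and return the sorted paths of files ending in `ext`."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ext):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def original_name(path, ext=RANSOM_EXT):
    """Strip the appended extension to recover the pre-encryption file name."""
    base = os.path.basename(path)
    return base[:-len(ext)] if base.lower().endswith(ext) else base


def count_by_directory(paths):
    """Count hits per directory so responders can see which shares were touched."""
    return Counter(os.path.dirname(p) for p in paths)


def should_alert(paths, threshold=5):
    """Assumed threshold: a couple of renamed files is noise, a burst is an incident."""
    return len(paths) >= threshold


def build_sample_tree(root):
    """Constructed sample directory: plain files plus a burst of renamed ones."""
    layout = {
        "finance": ["budget.xlsx.vindows", "q3.pptx.vindows", "notes.txt"],
        "hr": ["policy.docx.vindows", "roster.csv.vindows", "photo.jpg.vindows"],
        "it": ["readme.md", "inventory.xlsx.vindows"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            # Placeholder bytes only; nothing here is actually encrypted.
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"placeholder content")
    return root


def scan_sample():
    """Build the constructed tree in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_encrypted_files(tmp)
        per_dir = {os.path.relpath(d, tmp): n
                   for d, n in count_by_directory(hits).items()}
        return {
            "total": len(hits),
            "alert": should_alert(hits),
            "per_dir": per_dir,
            "originals": sorted(original_name(p) for p in hits),
        }


if __name__ == "__main__":
    result = scan_sample()
    print(f"{result['total']} encrypted files found, alert={result['alert']}")
    for d, n in sorted(result["per_dir"].items()):
        print(f"  {d}: {n}")
```

Run it against a real share by calling find_encrypted_files with the mount point instead of the temp directory. The recovered original names are what you would hand to whoever restores from backup; the per-directory counts tell you which shares the infected host could write to, which is the scope you need before deciding what to isolate.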
Over the weekend, the San Francisco Transit Authority was hit by HDDCryptor. HDDCryptor not only targets resources on network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), but also locks the drive itself. Such a demanding routine makes this particular ransomware a very serious and credible threat not only to home users but also to enterprises. Late yesterday, Carleton University was hit by ransomware, the strain still unidentified. As of this morning, no further details have been released except confirmation that they were asked for a ransom to release their encrypted files. There have been recent rumors that Locky ransomware has been using decoy image files to ambush Facebook and LinkedIn accounts. Facebook is denying these allegations, but there are security research firms confirming this. Stay tuned for new details as they are released. It serves as a good reminder to be very careful about what you click on and what sites you visit.
Here are some easy steps you can take to protect yourself and your organization from ransomware: educate yourself daily on the newest threats released and on developments with old threats, make sure your organization is protected from outside threats by only running updated software and hardware, ensure you have anti-virus and malware protection software installed, and make sure you have an IT Consultant on speed dial that you can call if an outside threat occurs or presents itself. The quicker you get help, the better your chances of minimizing the damage caused. 2W Tech is an IT Consultant that specializes in Security and Recovery solutions and would be happy to discuss ways your organization can protect itself from outside threats.