Version 4 of Ransomware Launches

Friday, October 27, 2017 @ 06:10 PM gHale

A wave of new but related IKARUSdilapidated Locky ransomware attacks was revealed this month, researchers said.

The October campaign is hitting tens of thousands of endpoints as an “unknown” file and therefore bypassing malware signature-based IT security (and even machine learning-based artificial intelligence tools), said researchers at the Comodo Threat Intelligence Lab.


The hackers use a botnet of “zombie” computers under their control to coordinate a social engineering-based phishing attack targeting businesses and individuals, researchers said.

The social engineering aspect involves the botnet sending emails to busy workers appearing to be about a “Supplement payment” from a legitimate source. As with the other IKARUSdilapidated attacks, clicking the attachment ultimately encrypts the victims’ computers and leads to a bitcoin ransom demand.

This targeted campaign started on October 11, with the main thrust ending October 13. The entity distributing these emails was not adding the attachments correctly, causing the attachments to not be visible to the recipient when opened. Instead, they appeared as a blob of base64 encoded text.

This was the fourth version the Comodo Threat Intelligence Lab researchers have discovered since August. The Lab monitors, filters, contains and analyzes malware, ransomware, viruses and other “unknown” potentially dangerous files in over 190 countries around the world.

This malware is distributed as a Visual Basic Script (a “.vbs” attachment) and encrypts files with the “.asasin” extension. All four waves of the IKARUSdilapidated attacks were designed with enough new code to fool security administrators and their machine learning algorithms and signature-based tools, and included social engineering variations aimed at fooling the employees receiving the emails as well.

The encrypted documents in this new attack have the new “.asasin” extension. In these attacks, “.vbs” files are distributed via email. This shows that malware authors are continuing to develop variations quickly to reach more users at firms which allow new, unknown files to enter their infrastructure through the endpoint. This unfortunately includes many firms in the F1000 as well as small and medium-sized enterprises.
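As an added example, not code from the article or from Comodo, the routine below triages an inbound email for the two indicators the article describes: a script attachment (the “.vbs” lure) and an attachment that was mis-encoded by the sender so its base64 text landed in the message body as a blob. The three sample messages are constructed; the extension list and the “contain” verdict are assumptions modelling the default-deny containment of unknown files that the article refers to.

```python
import base64
import binascii
import re
from email import message_from_string

# Assumption: script-type attachment extensions worth holding for analysis.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

# Four or more consecutive base64-looking lines of 60+ characters: the
# "blob of base64 text" that a mis-attached file leaves in a plain body.
B64_BLOB = re.compile(r"(?:[A-Za-z0-9+/]{60,}\s*){4,}")

# Constructed sample 1: a well-formed lure carrying a .vbs attachment.
SAMPLE_VBS_MAIL = """From: billing@example.invalid
To: accounts@example.invalid
Subject: Supplement payment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the supplement payment details attached.
--b1
Content-Type: application/octet-stream; name="payment_details.vbs"
Content-Disposition: attachment; filename="payment_details.vbs"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

# Constructed sample 2: the attachment was never added as a MIME part, so its
# base64 encoding sits in the body (placeholder bytes, not real malware).
_BLOB = base64.encodebytes(b"constructed-bytes " * 20).decode()
SAMPLE_BLOB_MAIL = (
    "From: billing@example.invalid\n"
    "To: accounts@example.invalid\n"
    "Subject: Supplement payment\n"
    "Content-Type: text/plain\n"
    "\n"
    "Please see the supplement payment below.\n\n" + _BLOB
)

# Constructed sample 3: an ordinary message with neither indicator.
CLEAN_MAIL = """From: colleague@example.invalid
To: accounts@example.invalid
Subject: Lunch
Content-Type: text/plain

Noon at the usual place?
"""


def script_attachments(msg):
    """Return filenames of attachments whose extension is a script type."""
    names = []
    for part in msg.walk():
        fn = part.get_filename()
        if fn and fn.lower().endswith(SCRIPT_EXTENSIONS):
            names.append(fn)
    return names


def body_has_base64_blob(msg):
    """True if a text/plain body part contains a run of valid base64 lines."""
    for part in msg.walk():
        if part.get_content_type() != "text/plain" or part.get_filename():
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode("utf-8", "replace")
        match = B64_BLOB.search(text)
        if not match:
            continue
        candidate = re.sub(r"\s+", "", match.group(0))
        try:
            base64.b64decode(candidate, validate=True)
        except binascii.Error:
            continue  # looked like base64 but was not; keep scanning
        return True
    return False


def triage(raw_email):
    """Classify a raw RFC 822 message; unknown/suspicious content is contained."""
    msg = message_from_string(raw_email)
    scripts = script_attachments(msg)
    blob = body_has_base64_blob(msg)
    return {
        "subject": msg.get("Subject", ""),
        "script_attachments": scripts,
        "base64_blob_in_body": blob,
        "action": "contain" if (scripts or blob) else "deliver",
    }


if __name__ == "__main__":
    for sample in (SAMPLE_VBS_MAIL, SAMPLE_BLOB_MAIL, CLEAN_MAIL):
        print(triage(sample))
```

The blob check validates the run with `validate=True` so that a long line of ordinary text does not trip it; both indicators lead to the same “contain” action, mirroring the article’s point that an unknown file is held and analyzed before it reaches the endpoint rather than allowed by default.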

The victims end up with a ransomware demand screen so familiar to the victims of the first three waves of IKARUSdilapidated Locky attacks during the summer months and September.

Phishing and Trojan experts from the Comodo Threat Intelligence Lab detected these “Locky” ransomware attacks and verified they began on October 11 with more than 10,367 instances of phishing emails detected at Comodo-protected endpoints within just the first three days. The attachments were read as “unknown files,” put into containment, and denied entry until they were analyzed by Comodo’s technology and, in this case of A.I.-eluding sophisticated new malware, Comodo Threat Intelligence Lab human experts.

The Lab’s analysis of emails sent in the “Supplement payment” phishing campaign revealed this attack data: 9,177 different IP addresses being used from 143 different country code top-level domains maintained by the Internet Assigned Numbers Authority (IANA).

When the Lab analyzed the sources and compared them to the IP addresses that participated in the last three campaigns, 546 of the same IP addresses were used along with 8,631 different IP addresses utilized in this attack. This is another sign of either under-resourced or inadequately trained IT security staff (or likely both).

“The attacks from these hackers will continue as long as firms continue to utilize the inadequate strategies and tools from legacy vendors,” said Fatih Orhan, head of the Comodo Threat Intelligence Lab and Comodo Threat Research Labs (CTRL). “The unknown file problem is getting worse and we strongly encourage CSOs to reevaluate their ‘default allow’ security posture and to evaluate next generation auto-containment and other isolation technologies which protect against new or newly malware like that used in these IKARUS Locky attacks.”
