Two New Ransomware Strains
Warning: two new strains of ransomware have been discovered, giving IT security a heads up on how to spot and handle them
Tampa Bay, FL - KnowBe4 CEO Stu Sjouwerman has issued a warning to IT security folks to be on the lookout for two new strains of ransomware. The first is a new strain of ransomware named OphionLocker. It encrypts your data using elliptic curve cryptography from the open source Crypto++ library and then ransoms the files for about 1 Bitcoin. The infection vector is limited to hacked websites, which use exploit kits to compromise unpatched computers (typically through out-of-date browsers and browser plugins). The ransom amount varies with the country in which the victim is located, with the U.S. having the highest rates.
Sjouwerman said, “The new wrinkle is that when a workstation is infected with OphionLocker, it will generate a unique hardware ID based on the serial number of the first hard drive, the motherboard's serial number, and other information. It will then contact the malware's Control & Command server via a Tor site and check if this particular hardware ID has been encrypted already. When you go to the ransomware site, it will prompt you to enter your hardware ID. Once entered it will display the amount of ransom you are required to pay and provide a bitcoin address that you should send the payment to.”
This ransomware does not (yet) securely delete your files or remove the Volume Shadow Copies (VSS snapshots). It is therefore possible to recover the original files with a file recovery (undelete) tool, or from the shadow copies using a program like Shadow Explorer. Check for surviving shadow copies before anything else writes to the volume, since snapshots are discarded as the volume's shadow storage fills up.
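The shadow-copy recovery path described above, as an added PowerShell example that is not part of the original article or of any KnowBe4 or ESET tooling: it inventories the existing shadow copies on the affected workstation, maps the newest snapshot of the right volume to a directory symlink (the documented way to reach a snapshot's files from a normal path), and copies one file out of it. The `$target` and `$dest` paths and the `C:\shadow` link location are placeholders chosen for the example. Run it from an elevated prompt after the malware has been stopped, and write recovered files to a different volume so the snapshot you are reading from is not overwritten.

```powershell
# Added example (not from the original article): recover a single file from the
# newest Volume Shadow Copy of the volume that holds it. Requires an elevated
# prompt. $target, $dest and $link are placeholder paths for the example.
$target = 'C:\Users\alice\Documents\report.docx'   # encrypted file (assumed path)
$dest   = 'D:\Recovery\report.docx'                # recovery location, different volume (assumed)
$link   = 'C:\shadow'                              # temporary directory symlink to the snapshot

# 1. Inventory: no shadow copies means VSS-based recovery is not possible.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate -Descending
if (-not $shadows) { throw 'No shadow copies present on this host; VSS recovery is not possible.' }
$shadows | Format-Table ID, InstallDate, VolumeName, DeviceObject -AutoSize

# 2. Resolve the target's drive letter to its \\?\Volume{GUID}\ device ID, which is
#    how Win32_ShadowCopy.VolumeName identifies the volume a snapshot belongs to.
$driveLetter = (Split-Path -Qualifier $target)               # e.g. 'C:'
$volume = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $driveLetter }
if (-not $volume) { throw "Could not resolve volume for $driveLetter" }
$snap = $shadows | Where-Object { $_.VolumeName -eq $volume.DeviceID } | Select-Object -First 1
if (-not $snap) { throw "No shadow copy exists for volume $driveLetter" }
Write-Host "Using snapshot $($snap.ID) taken $($snap.InstallDate)"

# 3. Expose the snapshot as a directory. DeviceObject looks like
#    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3 and is not reachable through
#    the PowerShell FileSystem provider, so link it with mklink (trailing backslash
#    on the target is required).
if (Test-Path -LiteralPath $link) { throw "$link already exists; pick another link path" }
cmd /c mklink /d $link "$($snap.DeviceObject)\" | Out-Null

try {
    # 4. Copy the pre-encryption version of the file out of the snapshot.
    $relative = (Split-Path -NoQualifier $target).TrimStart('\')
    $snapPath = Join-Path $link $relative
    if (-not (Test-Path -LiteralPath $snapPath)) {
        throw "File not present in snapshot: $snapPath (it may have been created after the snapshot)"
    }
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $dest) | Out-Null
    Copy-Item -LiteralPath $snapPath -Destination $dest
    # 5. Record a hash of the recovered file for the incident notes.
    Get-FileHash -Path $dest -Algorithm SHA256
}
finally {
    # Remove the symlink only (rmdir on a directory symlink does not touch the snapshot).
    cmd /c rmdir $link | Out-Null
}
```

Step 1 is also the check to make in the other direction: a host where `Get-CimInstance Win32_ShadowCopy` suddenly returns nothing on a volume that previously had snapshots is a sign that something deleted them, which is exactly the behaviour the article notes OphionLocker does not yet have.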
The other major threat now exploding is TorrentLocker. The cybercrime gang behind TorrentLocker has earned roughly $40 million between March and December 2014. Researchers from IT security company ESET have tracked the Bitcoin wallet that received the ransom payments, and since March a whopping 82,000 Bitcoins have been paid to that wallet. TorrentLocker was first uncovered in August by iSight Partners and was seen to be using phishing attacks targeting the UK and Australia, but has since expanded its reach to target more countries including Italy, the Czech Republic, Germany, and Turkey. It looks like this is another eastern European cyber gang that is getting ready for its assault on the U.S.
From ESET's main office in Bratislava, malware researcher Robert Lipovsky said that TorrentLocker was sophisticated, with the cryptography aspect of the malware "done quite well": it uses AES with 256-bit keys, and those keys are stored on a remote server, meaning there is no way of decrypting the victim's files, as with CryptoWall. ESET plans to publish an extensive report on the development of TorrentLocker next week.
Sjouwerman advised: “The message is patch your systems diligently, and step your users through effective security awareness training to make sure they don't fall for social engineering tricks.”