Alert from KnowBe4: New Ransomware Strain Encrypts Files from Memory

KnowBe4 CEO Stu Sjouwerman issued an alert to security professionals today about a newly discovered piece of ransomware dubbed "Fessleak" by security firm Invincea. The ransomware is Russian and delivers its malicious code straight into system memory without dropping any files on disk, which means almost all antivirus software is unable to catch it. The infection vector is malicious ads on popular websites, which the cybercriminals are able to display by bidding on the ad space through legitimate ad networks.

"This particular strain is new and quite harmful as it takes advantage of file-less infections that can communicate through the TOR network," said Sjouwerman.

"We are going to continue to see more and more ransomware this year and this is just the latest innovation."

This strain can check whether the host is running on a virtual machine, in order to frustrate security researchers and analysts. An end-user might visit a major site on their lunch break, such as HuffingtonPost, Photobucket, CBSsports, or Match.com, and click on a headline like "Granny opening a new iPhone video" or "These are the Charlie Hebdo cartoons that terrorists thought were worth killing over". Clicking that one link is enough to be confronted with a full-screen notice announcing that all personal or business files, photos and videos have been one-way encrypted, and that getting them back requires paying a ransom in Bitcoin.

The cybercriminals first set up a short-lived burner domain directing to a landing page where the exploit kit is hosted. Then they start real-time bidding for ads pointing to the burner domain. Once their bad ad is displayed on a popular website and a user clicks on it, the user is redirected to the malicious domain, which in turn infects their workstation.

The same gang is also using 0-day exploits for Flash Player, and is apparently able to change their malware on the fly to exploit the most recent vulnerabilities. Fessleak drops a temp file via Flash and makes calls to icacls.exe, the Windows utility that sets permissions on folders and files. At this time, there is no detection for the malicious binary, which likely rotates its hash value to avoid antivirus detection.
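The icacls.exe behaviour above is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from KnowBe4 or Invincea: it runs a small heuristic over constructed Sysmon-style events and flags icacls.exe launches that combine several weak signals. The parent-process and command-line heuristics (a parent in a Temp path or a browser plugin host, an ACL change on a user profile, an ACE for Everyone) are assumptions chosen for illustration, since the alert only states that icacls.exe is called.

```python
import re

# Constructed Sysmon-style process-creation events (parent image, image, command line).
# These are sample values made up for this example, not telemetry from a real infection.
EVENTS = [
    # benign: an admin adjusting a share ACL from Explorer
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\icacls.exe",
     'icacls "C:\\Shares\\Dept" /grant Finance:(OI)(CI)M'),
    # suspicious: icacls driven by a freshly dropped binary in the user's Temp folder
    ("C:\\Users\\bob\\AppData\\Local\\Temp\\a1b2.tmp.exe", "C:\\Windows\\System32\\icacls.exe",
     'icacls "C:\\Users\\bob\\Documents" /deny Everyone:(OI)(CI)F /T'),
    # suspicious: icacls spawned directly by a browser plugin container (assumed Flash host)
    ("C:\\Program Files\\Mozilla Firefox\\plugin-container.exe", "C:\\Windows\\System32\\icacls.exe",
     'icacls "C:\\Users\\bob\\Pictures" /grant Everyone:(OI)(CI)F /T'),
    # unrelated process creation
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\notepad.exe", "notepad"),
]

# Heuristics (assumptions for this example, not indicators published for Fessleak):
# a parent running from a Temp directory or a browser plugin host, an ACL change aimed
# at a user profile directory, and a grant/deny to the Everyone group.
SUSPICIOUS_PARENT = re.compile(r"\\Temp\\|plugin-container\.exe$|FlashPlayerPlugin", re.I)
USER_PROFILE_TARGET = re.compile(r'icacls\s+"?[A-Z]:\\Users\\', re.I)
EVERYONE_ACE = re.compile(r"/(grant|deny)\s+Everyone", re.I)


def classify(parent, image, cmdline):
    """Return the list of reasons an icacls.exe launch looks like ACL tampering."""
    if not image.lower().endswith("\\icacls.exe"):
        return []
    reasons = []
    if SUSPICIOUS_PARENT.search(parent):
        reasons.append("icacls launched from a Temp path or browser plugin process")
    if USER_PROFILE_TARGET.search(cmdline):
        reasons.append("ACL change targets a user profile directory")
    if EVERYONE_ACE.search(cmdline):
        reasons.append("ACE granted or denied to Everyone")
    return reasons


def flagged(events, min_reasons=2):
    """Indices of events with at least min_reasons hits; a single hit is common admin activity."""
    return [i for i, ev in enumerate(events) if len(classify(*ev)) >= min_reasons]


if __name__ == "__main__":
    for i in flagged(EVENTS):
        print(i, EVENTS[i][0], classify(*EVENTS[i]))
```

Requiring two or more reasons keeps a lone administrator running icacls on a user profile from explorer.exe out of the alert queue.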

Sjouwerman makes a few recommendations to mitigate this type of attack:

1) Backup, backup, backup and take a weekly copy of your backup off-site.

2) Keep your attack surface as small as possible and religiously patch the OS and third party apps as soon as possible. Visit http://www.Secunia.com for some additional help.

3) Run a UTM and/or a good Proxy, block centrally rather than machine by machine. If that's not possible, install AdBlocker plugins for each browser.

4) It is increasingly clear that effective security awareness training is a must these days. Once a year training for compliance does not cut it anymore. End-users need to be on their toes with security top of mind. Kevin Mitnick security awareness training combined with frequent simulated phishing attacks drops the employee Phish-prone percentage in 12 months from about 16 percent down to just over 1 percent.

For more information, visit http://www.knowbe4.com/

About Stu Sjouwerman and KnowBe4

Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, LLC, which provides web-based Security Awareness Training (employee security education and behavior management) to small and medium-sized enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced security awareness training. KnowBe4 services hundreds of customers in a variety of industries, including highly-regulated fields such as healthcare, finance and insurance and is experiencing explosive growth with a surge of 427% in 2013 alone. Sjouwerman is the author of four books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses.

About Kevin Mitnick

Kevin Mitnick is an internationally recognized computer security expert with extensive experience in exposing the vulnerabilities of complex operating systems and telecommunications devices. He gained notoriety as a highly skilled hacker who penetrated some of the most resilient computer systems ever developed. Today, Mitnick is renowned as an information security consultant and speaker, and has authored three books, including The New York Times best seller Ghost in the Wires. His latest endeavor is a collaboration with KnowBe4, LLC.
