{"id":14419,"date":"2019-01-25T11:10:15","date_gmt":"2019-01-25T19:10:15","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/01\/25\/news-8171\/"},"modified":"2019-01-25T11:10:15","modified_gmt":"2019-01-25T19:10:15","slug":"news-8171","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/01\/25\/news-8171\/","title":{"rendered":"Sly criminals package ransomware with malicious ransom note"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Fri, 25 Jan 2019 18:00:00 +0000<\/strong><\/p>\n<p>Ransomware continues to show signs of evolution. From a simple screen locker to a highly-sophisticated data locker, ransomware has now become a mainstream name, even if (historically), it has been around <a href=\"https:\/\/en.wikipedia.org\/wiki\/AIDS_(Trojan_horse)\" target=\"_blank\" rel=\"noopener\">far longer than we want to look back<\/a>.<\/p>\n<p>Although the criminals behind ransomware campaigns are observed to be refining their approaches\u2014from the \u201cspray and pray\u201d tactic to something akin to wide beam laser precision\u2014they are also fine-tuning their targets. They can single out organizations, companies, and industries; and they can also hold <a href=\"https:\/\/www.nytimes.com\/2018\/03\/27\/us\/cyberattack-atlanta-ransomware.html\" target=\"_blank\" rel=\"noopener\">cities<\/a> and <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/city-of-del-rio-hit-by-ransomware\/\" target=\"_blank\" rel=\"noopener\">towns<\/a> for ransom.<\/p>\n<p>Ransomware has also stepped up in sophistication. 
Criminals have begun introducing certain forms of hybridization in their attacks: either the ransomware file itself is given capabilities outside of its type (e.g., <a href=\"https:\/\/nakedsecurity.sophos.com\/2014\/12\/05\/notes-from-sophoslabs-ransomware-with-a-difference-this-one-is-a-true-virus\/\" target=\"_blank\" rel=\"noopener\">VirRansom<\/a> and <a href=\"https:\/\/blog.checkpoint.com\/2016\/06\/06\/zcrypt-the-ransomware-virus-hybrid\/\" target=\"_blank\" rel=\"noopener\">Zcrypt<\/a> variants that can infect files), or the entire campaign involves one or more threat vectors.<\/p>\n<p>The latest in-the-wild ransomware strain <a href=\"https:\/\/twitter.com\/malwrhunterteam\/status\/1082990590617415680\" target=\"_blank\" rel=\"noopener\">discovered<\/a> by a group of security researchers known as <a href=\"https:\/\/twitter.com\/malwrhunterteam\" target=\"_blank\" rel=\"noopener\">MalwareHunterTeam<\/a> (MHT, for short) fits the latter.<\/p>\n<h3>Ransomware + phishing: a match made in heaven?<\/h3>\n<p>Nothing much is known about this ransomware\u2014which some are already dubbing CryTekk\u2014apart from the way it applies a wily social engineering tactic to its ransom note, potentially to ensure that nearly 100 percent of affected parties act on the infection and pay the ransom. The lure? 
An additional payment option for affected users who want to retrieve their files but don\u2019t have a cryptocurrency wallet.<\/p>\n<div id=\"attachment_26937\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"26937\" data-permalink=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/01\/sly-criminals-package-ransomware-malicious-ransom-note\/attachment\/dwd_ym8w0aerpmm\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/Dwd_Ym8W0AErPMM.jpg\" data-orig-size=\"1200,1013\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Dwd_Ym8W0AErPMM\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/Dwd_Ym8W0AErPMM-300x253.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/Dwd_Ym8W0AErPMM-600x507.jpg\" class=\"wp-image-26937 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/Dwd_Ym8W0AErPMM-600x507.jpg\" alt=\"\" width=\"600\" height=\"507\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/Dwd_Ym8W0AErPMM-600x507.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/Dwd_Ym8W0AErPMM-300x253.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/Dwd_Ym8W0AErPMM.jpg 1200w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p class=\"wp-caption-text\">The ransom note. 
(Courtesy of MalwareHunterTeam)<\/p>\n<\/div>\n<p>Transcription:<\/p>\n<blockquote>\n<p><em>YOUR FILES HAVE BEEN ENCRYPTED!<\/em><\/p>\n<p><em>Dear victim:<\/em><\/p>\n<p><em>Files have been encrypted! And Your computer has been limited!<\/em><\/p>\n<p><em>To unlock your PC you must pay with one of the payment methods provided, we regularly check your activity of your screen and to see if you have paid. Paypal automatically sends us a notification once you\u2019ve paid, But if it doesn\u2019t unlock your PC upon payment contact us (CryTekk@protonmail.com)<\/em><\/p>\n<p><em>\u00a0Reference Number: CT-{redacted}<\/em><\/p>\n<p><em>When you pay via BTC, send us an email following your REF Number if your PC doesn\u2019t unencrypt. Once you pay, Your PC will de decrypted. However if you don\u2019t within 14 days we will continue to infect your PC and extract all your data and use it.<\/em><\/p>\n<p><em>Google \u2018how to buy\/pay with bitcoin\u2019 if you don\u2019t know how. To pay by bitcoin: send $40 to your unique bitcoin address.<\/em><\/p>\n<p><em>34ieoNtVEUpcWeVbuxUWXoyANEBBy22TUb<\/em><\/p>\n<\/blockquote>\n<p>Clicking the yellow \u201cBuy now\u201d button in the small PayPal option box opens a browser tab to direct users to a phishing page asking for card details:<\/p>\n<div id=\"attachment_26939\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"26939\" data-permalink=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/01\/sly-criminals-package-ransomware-malicious-ransom-note\/attachment\/dwekuqpx4aihsxu\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/DweKUqPX4AIHSXU.jpg\" data-orig-size=\"1200,982\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"DweKUqPX4AIHSXU\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/DweKUqPX4AIHSXU-300x246.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/DweKUqPX4AIHSXU-600x491.jpg\" class=\"wp-image-26939 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/DweKUqPX4AIHSXU-600x491.jpg\" alt=\"\" width=\"600\" height=\"491\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/DweKUqPX4AIHSXU-600x491.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/DweKUqPX4AIHSXU-300x246.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/DweKUqPX4AIHSXU.jpg 1200w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p class=\"wp-caption-text\">The first PayPal phishing page asking for card deets. 
(Courtesy of MalwareHunterTeam)<\/p>\n<\/div>\n<p>After supplying the information wanted and clicking the \u201cAgree and Confirm\u201d button, users are then directed to another phishing page asking for personal information, which they need to fill in to \u201cconfirm\u201d their identities:<\/p>\n<div id=\"attachment_26940\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"26940\" data-permalink=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/01\/sly-criminals-package-ransomware-malicious-ransom-note\/attachment\/dwemfhwxqaafqrd\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/DweMFhWXQAAfqrD.jpg\" data-orig-size=\"1200,1043\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"DweMFhWXQAAfqrD\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/DweMFhWXQAAfqrD-300x261.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/DweMFhWXQAAfqrD-600x522.jpg\" class=\"wp-image-26940 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/DweMFhWXQAAfqrD-600x522.jpg\" alt=\"\" width=\"600\" height=\"522\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/DweMFhWXQAAfqrD-600x522.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/DweMFhWXQAAfqrD-300x261.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/DweMFhWXQAAfqrD.jpg 1200w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" 
\/><\/p>\n<p class=\"wp-caption-text\">The second PayPal phishing page asking for personally identifiable information (PII). (Courtesy of MalwareHunterTeam)<\/p>\n<\/div>\n<p>After filling in all information, clicking the \u201cAgree and Confirm\u201d button points users to a fake confirmation that the user\u2019s account access is fully restored, which is odd because, as far as the user knows, they were paying the ransom, not addressing a problem about their PayPal accounts. Now, if the user hadn\u2019t already realized that they had been duped twice, at this point they might.<\/p>\n<div id=\"attachment_26941\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"26941\" data-permalink=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/01\/sly-criminals-package-ransomware-malicious-ransom-note\/attachment\/success-6\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/success.png\" data-orig-size=\"1072,881\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"success\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/success-300x247.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/success-600x493.png\" class=\"wp-image-26941 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/success-600x493.png\" alt=\"\" width=\"600\" height=\"493\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/success-600x493.png 600w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/success-300x247.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/success.png 1072w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p class=\"wp-caption-text\">The fake \u201cconfirmation\u201d page. (Courtesy of MalwareHunterTeam)<\/p>\n<\/div>\n<p>Finally, clicking the \u201cMy PayPal\u201d button directs users to the legitimate PayPal login page.<\/p>\n<h3>Fool me once, shame on me. Fool me twice\u2026<\/h3>\n<p>While ransomware is not as rampant today compared to two years ago, it remains a top threat to consumers and businesses alike. It wouldn\u2019t surprise us at all if the real intent of the criminals behind this campaign is to bank on people\u2019s fear of ransomware to go after their money and credentials.<\/p>\n<p>Files encrypted by this ransomware can be decrypted, as <a href=\"https:\/\/twitter.com\/demonslay335\/status\/1083016956373098496\" target=\"_blank\" rel=\"noopener\">confirmed<\/a> by MHT\u2019s own Michael Gillespie in a tweet. In fact, within two hours after the initial MHT tweet, Gillespie had already offered to decrypt files for possible victims. This confirms what Bleeping Computer stated about the ransomware code being \u201cnothing special.\u201d It also suggests that the criminals put greater effort into the phishing side of the campaign than into the ransomware itself.<\/p>\n<p>Since most, if not all, ransomware attacks ask for cryptocurrency payment, this attack differentiates itself by offering victims an alternative payment method first, before presenting the Bitcoin payment option. This leads us to speculate that, although they didn\u2019t say it outright, PayPal is their preferred payment method. Also, $40 in Bitcoin in exchange for decrypting files? 
That\u2019s cheap compared to the amount criminals will be getting from victims once they access their accounts using the swiped credentials.<\/p>\n<p>Regardless of whether we see this as a sophisticated ransomware campaign or a \u201creally dope\u201d attempt at phishing, one thing is clear: They are after your money <em>and<\/em> credentials, so it pays to know <a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/06\/somethings-phishy-how-to-detect-phishing-attempts\/\" target=\"_blank\" rel=\"noopener\">when you\u2019re being phished<\/a>.<\/p>\n<p>It can be frightening to find oneself face-to-face with a ransomware infection, but let us remain calm and keep our heads together. Remember that <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/social-engineering-cybercrime\/2018\/08\/social-engineering-attacks-what-makes-you-susceptible\/\" target=\"_blank\" rel=\"noopener\">criminals want us to feel vulnerable<\/a>, so be and do the opposite. Scrutinize URLs carefully before you enter your credentials or PII. If you feel that something is amiss, follow your gut and don\u2019t proceed any further. 
If you think you\u2019re stuck and don\u2019t know what to do next, don\u2019t be afraid to ask for help from someone online or in person who is savvy enough to guide you.<\/p>\n<p>Stay safe out there!<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/01\/sly-criminals-package-ransomware-malicious-ransom-note\/\">Sly criminals package ransomware with malicious ransom note<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Fri, 25 Jan 2019 18:00:00 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/01\/sly-criminals-package-ransomware-malicious-ransom-note\/' title='Sly criminals package ransomware with malicious ransom note'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/01\/shutterstock_681333058.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>Ransomware is not dead. 
It\u2019s changing\u2014and we need to be ready for it.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/social-engineering-cybercrime\/\" rel=\"category tag\">Social engineering<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/crytekk\/\" rel=\"tag\">crytekk<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/crytekk-ransomware\/\" rel=\"tag\">crytekk ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/hybrid-ransomware\/\" rel=\"tag\">hybrid ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/paypal-phishing\/\" rel=\"tag\">paypal phishing<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/phishing\/\" rel=\"tag\">phishing<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/01\/sly-criminals-package-ransomware-malicious-ransom-note\/' title='Sly criminals package ransomware with malicious ransom note'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/01\/sly-criminals-package-ransomware-malicious-ransom-note\/\">Sly criminals package ransomware with malicious ransom note<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[20780,20781,4503,20782,20783,3924,10510],"class_list":["post-14419","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-crytekk","tag-crytekk-ransomware","tag-cybercrime","tag-hybrid-ransomware","tag-paypal-phishing","tag-phishing","tag-social-engineering"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14419","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14419"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14419\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}