Researchers have found a new strain of ransomware, named cuteRansomware, that uses a Google Doc to host its decryption keys and its command-and-control functionality.
Researchers at Netskope traced the threat to source code published on GitHub by a user with the handle “aaaddress1”: a C# ransomware module called “my-Little-Ransomware”. A security researcher at AVG had separately detected a malicious, modified Chinese-language version of my-Little-Ransomware and named it “cuteRansomware” after the mutex name used by the original author.
Although cuteRansomware is basic ransomware built by modifying the my-Little-Ransomware source code, its use of a cloud service like Google Docs may signal where attackers are heading: cloud services could be abused not only for storing keys but also for command-and-control (C&C) communications.
“As we know, Google Docs uses HTTPS by default and the network data transmission over SSL can easily bypass traditional security solutions such as a firewall, intrusion prevention system, or next generation firewall,” Netskope stated. “We believe this is critical. As malicious actors make increasing use of the cloud for both delivering malware and exfiltrating data via command-and-control, traditional detection tools’ lack of visibility into SSL becomes a huge benefit to them. Additionally, the inability of traditional tools to look into SSL traffic of unsanctioned apps becomes important.”
Beyond that, relying on a popular cloud application like Google Docs poses another challenge for defenders: organizations that use Google Docs as a productivity tool cannot simply block it outright.
“What makes cuteRansomware interesting is the use of a well-known cloud service provider as the command and control server,” wrote Travis Smith, senior security research engineer at Tripwire. “This instance is using Google Docs to maintain the encryption and decryption keys for each victim. While unique, hosting the keys on Google Docs is a short-term solution. Once Google is notified, it’s likely the form controlling the keys will be taken offline.”
As with any piece of ransomware, it’s crucial to follow best practices.
“This highlights the importance of detecting malware in cloud apps, and not just in the sanctioned ones, but the unsanctioned ones as well,” the Netskope team stated. “It also highlights the importance of anticipating such an attack by identifying where your sensitive content is in the cloud and ensuring that you have backups of those important files.”
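One way to act on that advice without blocking Google Docs outright, as an added example that is not code from the article or from Netskope: a heuristic run over constructed log lines from a TLS-inspecting web proxy that flags Google Forms submissions coming from a non-browser client or repeated to the same form by one host. The log format, the user-agent markers and the repeat threshold are assumptions.

```python
"""Heuristic detection of Google Forms abuse as a key-drop or C&C channel.

Assumes a TLS-inspecting proxy that logs, per request:
<host> <user-agent> <GET|POST> <url>. The sample lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlparse

LOG_LINE = re.compile(r"^(?P<host>\S+) (?P<ua>.+?) (?P<method>GET|POST) (?P<url>\S+)$")
# Markers a real interactive browser would carry (assumed list, not exhaustive).
BROWSER_MARKERS = ("Chrome/", "Firefox/", "Safari/", "Edg/", "Trident/")

# Constructed proxy log: ws-01 is a user editing a doc and submitting a form once;
# ws-02 repeatedly posts to the same form from a client that is not a browser.
SAMPLE_LOG = """\
ws-01 Mozilla/5.0 (Windows NT 10.0) Chrome/51.0 GET https://docs.google.com/document/d/DOC1/edit
ws-01 Mozilla/5.0 (Windows NT 10.0) Chrome/51.0 POST https://docs.google.com/forms/d/e/FORM1/formResponse
ws-02 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) POST https://docs.google.com/forms/d/e/FORM1/formResponse
ws-02 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) POST https://docs.google.com/forms/d/e/FORM1/formResponse
ws-03 python-requests/2.10 GET https://docs.google.com/spreadsheets/d/SHEET1/export?format=csv
"""

def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    return [m.groupdict() for m in (LOG_LINE.match(l.strip()) for l in text.splitlines()) if m]

def is_form_submission(url):
    """True for the Google Forms response endpoint (where a form write lands)."""
    u = urlparse(url)
    return u.netloc == "docs.google.com" and u.path.startswith("/forms/") \
        and u.path.endswith("/formResponse")

def looks_like_browser(ua):
    return ua.startswith("Mozilla/5.0") and any(m in ua for m in BROWSER_MARKERS)

def find_suspicious(events, repeat_threshold=2):
    """Map (host, form url) -> reasons for every form submission worth a look."""
    posts = [e for e in events if e["method"] == "POST" and is_form_submission(e["url"])]
    counts = Counter((e["host"], e["url"]) for e in posts)
    alerts = {}
    for e in posts:
        key = (e["host"], e["url"])
        reasons = []
        if not looks_like_browser(e["ua"]):
            reasons.append("non-browser client submitting a Google Form")
        if counts[key] >= repeat_threshold:
            reasons.append("repeated submissions to the same form from one host")
        if reasons:
            alerts[key] = reasons
    return alerts

if __name__ == "__main__":
    for (host, url), reasons in find_suspicious(parse_log(SAMPLE_LOG)).items():
        print(host, url, "; ".join(reasons))
```

The same logic applies to any sanctioned SaaS endpoint that accepts writes: the signal is an unusual client or cadence, not the domain itself.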