New Ransomware Campaign Illustrates The Way Attacks Are Tailored

A huge number of ransomware attacks have been registered this week. According to Chester Wisnewski, a senior advisor Sophos Inc, the hackers are now using a phony Bank of Montreal template to lure victims into clicking on a malicious attachment.

Wisnewski knows this because he received one of these messages in his email as he was heading to the security vendor’s annual partners conference in Las Vegas this week.

Literally as I got on the plane I got what looked like a BMO phish, and in fact it was ransomware,” Wisnewski said in an interview. “It was amazing how well crafted it was because the Web site booby-trapped with the exploit is literally a carbon copy of the BMO online login landing page.”

Besides, Wisnewski recently received a phony message purporting to be from Quebec Internet and cable provider Videotron.

This example illustrates a growing trend of hackers targeting and also filtering out specific countries when creating ransomware and other malicious cyberattacks.

Considering the information collected by Sophos, endpoints, firewalls and gateways, the cyber criminals are now creating customized spam to carry threats using regional vernacular, counterfeit logos, and impersonating tax and law enforcement agencies. The tricks include phony shipping notices, refunds, electricity bills and speeding tickets.

Presently, a phony home repair invoicing campaign is going on in the U.K. The campaign inserts recipients’ street addresses to convince people the messages are real.

Like the tailored BMO message he received, Wisnewski explains, criminals likely assembled information from one or more data breaches to tailor attacks at certain countries. This is the reason why BMO spam is going to Canada, not Germany.

You have to look harder to spot fake emails from real ones,” Wisnewski stated. “There’s not a lot of good answers to that problem,” he admits. “It’s not like we can tell people, ‘Stop opening email and clicking links. I’ve been telling people that for 15 years but nobody’s listening. So we have to find better technological solutions from getting us in trouble from these more socialized lures.”

According to Wisnewski, patching and updates are crucial. For example, the latest versions of Microsoft Office are better at stopping document malware – for example, giving admins the ability to disable macros in documents that came from the Internet. Similarly Windows 10 is more secure that Win 7, he said. Using a sandbox and Web filtering are also useful.

Also, the report stated that security researchers have found different ransomware strains target specific locations. For instance, versions of CryptoWall predominantly hit victims in the U.S., U.K., Canada, Australia, Germany and France.

TorrentLocker has attacked primarily the U.K., Italy, Australia and Spain, while TeslaCrypt honed in on the U.K., U.S., Canada, Singapore and Thailand.

According to Sophos, its customer data shows that while Western countries are highly targeted for malware, less developed countries show higher attacks or infections. For instance, nations with what Sophos calls a high threat exposure rate (infections/attackers per 1,000 Sophos endpoints) include Algeria (30.7%), Boliva (20.3%), Pakistan (19.9%) and China (18.5%) and India. Nations ranked with the lowest TER include France at 5.2%, Canada at 4.6%, Australia, and the U.K.

Wisnewski suspects that computer users in countries with the higher TER don’t update or patch their systems as often as those in other countries.

Apart from the above-mentioned, Sophos released a report on Microsoft Office exploits found in Q4 2015, which stated that – again – CVE-2012‐0158, a critical Windows bug which allows remote control execution was responsible for 48% of Office infections. However, the use of the newer CVE‐2015-1641 exploit (15%) is rising up.

In addition, the report says that in many cases the malicious documents contained multiple exploits. The largest used the DL-1 generator (36%), followed by the CVE‐2014‐6352 PowerPoint vulnerability.

The cybercrime groups find Office documents a convenient way to deliver malicious program to their targets,” states the report. “They have been using this method steadily over the past two years and there is no sign that they intend to give up on this method.”

But their approach is evolving over the time: they use several black market tools to generate the exploited documents, and thanks to the development of these tools they get to use newer Office exploits.”

However, they don’t get to use zero days. Even the freshest exploit in their arsenal was fixed six months before the widespread usage started. It shouldn’t be difficult to protect against the activities of this group: Just applying the patches for Microsoft Office could disarm the attack.”

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.