Maximum PC - USA (2022-03)

>> Web and mobile application stores have long harbored
malware. It’s suspected that the CacheFlow malware, discovered
in December 2020, went undetected for three years, in which
time it was downloaded an estimated three million times,
concealing its data-stealing activities by masquerading as video
downloaders and geo-unblockers. There haven’t been many
documented ransomware attacks directly related to browser
add-ons, but, speaking about the Magnat Chrome extension
malware, Cisco Talos security researcher Tiago Pereira warns
that credentials taken in this way have been “an initial infection
point for larger attacks, including ransomware incidents”.
Magnat may have been lurking in the Chrome Web Store for years
and while the Chrome Store isn’t perfect, it’s riskier to download
add-ons or apps from unofficial sources. So don’t do that.

>> Trend Micro, at https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti,
shows how further extortion stages can be carried out.
Besides encrypting data in the traditional way and
extorting the victim with sensitive, exfiltrated data,
a third level in the form of DDoS attacks, and then a
fourth in the form of direct communications with
customers, senior executives, or other stakeholders,
have all been seen in recent campaigns.
>> Again, a casual desktop Windows user needn’t
worry about this sort of targeted ransomware attack,
unless they happen to be high-profile, extremely rich, or
have upset someone who is either of those things. These
are the marks extortionists don’t mind burning their
super-secret zero-day vulnerabilities on. There’s all
manner of other malware that could strike, though. There’s
also hardware failure, user error and, occasionally, the
Nvidia driver deciding your system doesn’t need to boot.
>> Having good backups is the single best way to
mitigate all of these risks. At the very least, you should
back up your user files, including important documents,
precious photos, and password manager database (yes,
you should be using a password manager). This is dead
easy to automate with Gnome’s Déjà Dup tool, which
easily integrates with various cloud storage options.
>> At a pinch, you can use a remote Nextcloud instance
as an off-site backup, or conversely your local storage
can act as a de facto backup for Nextcloud. But this
method only protects against the failure of one machine.
If you accidentally delete a file, or someone hacks your
Nextcloud, then the damage will be mirrored faster than

>> It’s easy to set up simple automated backups with
Déjà Dup, which comes as standard with Ubuntu.
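Why the caveat about mirrored storage matters, as an added example that is not part of the article and not code from Déjà Dup or Nextcloud: a small POSIX shell script that contrasts a plain mirror with a versioned snapshot store. Local directories stand in for the remote Nextcloud instance and the off-site backup, the function names (mirror_sync, snapshot_backup, snapshot_has, verify_snapshots, restore_snapshot) and the sample files are assumptions for illustration, and the "incident" is simply a deleted file.

```shell
#!/bin/sh
# Added example (not from the article): why a sync/mirror is not a backup.
# A mirror reproduces the current state, so a deletion (or a ransomware
# encryption pass) is faithfully replicated on the next run. A versioned
# snapshot store only ever appends, so the pre-incident copy survives and
# can be restored. Assumed names and local directories stand in for the
# remote Nextcloud instance and the off-site store.
set -eu

# mirror_sync SRC DEST: make DEST an exact copy of SRC. Anything removed
# from SRC disappears from DEST.
mirror_sync() {
    rm -rf "$2"
    mkdir -p "$2"
    cp -Rp "$1/." "$2/"
}

# snapshot_backup SRC STORE LABEL: add one archive to STORE. Earlier archives
# are never touched, so every LABEL stays an independent restore point.
snapshot_backup() {
    mkdir -p "$2"
    tar -C "$1" -cf "$2/$3.tar" .
    ( cd "$2" && sha256sum "$3.tar" >> SHA256SUMS )
}

# snapshot_has STORE LABEL PATH: succeed if PATH (relative to SRC) is in that snapshot.
snapshot_has() {
    tar -tf "$1/$2.tar" | grep -qxF -- "./$3"
}

# verify_snapshots STORE: recompute the checksums; fails if any archive was
# altered or corrupted after it was written (a backup you never verify may not restore).
verify_snapshots() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null )
}

# restore_snapshot STORE LABEL DEST: unpack one restore point into DEST.
restore_snapshot() {
    mkdir -p "$3"
    tar -C "$3" -xf "$1/$2.tar"
}

# demo_mirror_vs_snapshot: constructed scenario. Returns 0 only if the mirror
# lost the deleted file, the earlier snapshot kept it, the store verifies,
# and restoring that snapshot brings the original content back.
demo_mirror_vs_snapshot() {
    work=$(mktemp -d)
    src="$work/home"; mirror="$work/mirror"; store="$work/snapshots"
    mkdir -p "$src"
    printf 'thesis draft\n' > "$src/thesis.txt"          # constructed sample data
    printf 'kdbx placeholder\n' > "$src/passwords.kdbx"  # constructed sample data

    mirror_sync "$src" "$mirror"
    snapshot_backup "$src" "$store" 2022-03-01

    rm "$src/thesis.txt"   # accidental delete, or an attacker at work

    mirror_sync "$src" "$mirror"
    snapshot_backup "$src" "$store" 2022-03-02

    ok=1
    [ ! -e "$mirror/thesis.txt" ] || ok=0                 # mirror replicated the loss
    snapshot_has "$store" 2022-03-01 thesis.txt || ok=0   # earlier restore point intact
    snapshot_has "$store" 2022-03-02 thesis.txt && ok=0   # later one reflects the loss
    verify_snapshots "$store" || ok=0

    restore_snapshot "$store" 2022-03-01 "$work/restored"
    [ "$(cat "$work/restored/thesis.txt")" = "thesis draft" ] || ok=0

    rm -rf "$work"
    [ "$ok" = 1 ]
}

if demo_mirror_vs_snapshot; then
    echo "mirror replicated the deletion; the dated snapshot still holds thesis.txt"
fi
```

The point of the checksum manifest is the one practitioners skip: a backup is only a backup once you have shown it verifies and restores. Déjà Dup's underlying tools keep versioned, incremental archives for the same reason, which is what separates them from a two-way sync.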

Often, the people who write the
ransomware are not the people
perpetrating the attacks. They prefer
to keep their hands (and noses) clean.
Indeed, complex attacks often begin
with a broker, sometimes someone
inside the organization selling some
kind of initial access credentials.
Once that’s achieved, the attackers
will, as stealthily as possible, probe
internal networks to find important
data (or further vulnerabilities). The
ransomware itself, far from being
some cobbled-together script written
by a kid, might be provided as a service
(RaaS). It might have a customized
payload or even a dedicated page
where buyers can monitor the damage,
switch payloads or even receive
technical support.
A new RaaS called ALPHV (aka
BlackCat) was found in December 2021
on underground forums. This seems
to have been the first in-the-wild
example of ransomware written in
Rust. Advertising on the forums (which
we’re sure any of our more determined
readers will manage to find without
us naming them) promises 80-90
percent of the ransomware payout to
‘pentesters’ wishing to try out their
latest badware.
The first ransomware on Linux we
could find was named Erebus. Like
RansomEXX, it appears to have been
ported from Windows. But in 2017, it
struck the servers (153 of them) of a
South Korean web hosting company,
taking down over 3,000 websites. Such
was the damage that the company paid
just under 400 BTC, then worth
$1 million, making it the largest
payout at the time. Bitcoin is worth
around 20 times its 2017 value
today so, hopefully, these fraudsters
didn’t get to keep their earnings.

THE EVOLUTION OF RANSOMWARE


>> Programmed in Rust, with a nostalgic UI. This is getting silly now.

68 MAXIMUM PC MAR 2022


R&D


© MALWAREHUNTERTEAM