Posts Tagged: ransomware


29
Nov 16

San Francisco Rail System Hacker Hacked

The San Francisco Municipal Transportation Agency (SFMTA) was hit with a ransomware attack on Friday, causing fare station terminals to carry the message, “You are Hacked. ALL Data Encrypted.” Turns out, the miscreant behind this extortion attempt got hacked himself this past weekend, revealing details about other victims as well as tantalizing clues about his identity and location.

A copy of the ransom message left behind by the "Mamba" ransomware.

A copy of the ransom message left behind by the “Mamba” ransomware.

On Friday, The San Francisco Examiner reported that riders of SFMTA’s Municipal Rail or “Muni” system were greeted with handmade “Out of Service” and “Metro Free” signs on station ticket machines. The computer terminals at all Muni locations carried the “hacked” message: “Contact for key (cryptom27@yandex.com),” the message read.

The hacker in control of that email account said he had compromised thousands of computers at the SFMTA, scrambling the files on those systems with strong encryption. The files encrypted by his ransomware, he said, could only be decrypted with a special digital key, and that key would cost 100 Bitcoins, or approximately USD $73,000.

On Monday, KrebsOnSecurity was contacted by a security researcher who said he hacked this very same cryptom27@yandex.com inbox after reading a news article about the SFMTA incident. The researcher, who has asked to remain anonymous, said he compromised the extortionist’s inbox by guessing the answer to his secret question, which then allowed him to reset the attacker’s email password. A screen shot of the user profile page for cryptom27@yandex.com shows that it was tied to a backup email address, cryptom2016@yandex.com, which also was protected by the same secret question and answer.

Copies of messages shared with this author from those inboxes indicate that on Friday evening, Nov. 25, the attacker sent a message to SFMTA infrastructure manager Sean Cunningham with the following demand (the entirety of which has been trimmed for space reasons), signed with the pseudonym “Andy Saolis.”

“if You are Responsible in MUNI-RAILWAY !

All Your Computer’s/Server’s in MUNI-RAILWAY Domain Encrypted By AES 2048Bit!

We have 2000 Decryption Key !

Send 100BTC to My Bitcoin Wallet , then We Send you Decryption key For Your All Server’s HDD!!”

One hundred Bitcoins may seem like a lot, but it’s apparently not far from a usual payday for this attacker. On Nov. 20, hacked emails show that he successfully extorted 63 bitcoins (~$45,000) from a U.S.-based manufacturing firm.

The attacker appears to be in the habit of switching Bitcoin wallets randomly every few days or weeks. “For security reasons” he explained to some victims who took several days to decide whether to pay the ransom they’d been demanded. A review of more than a dozen Bitcoin wallets this criminal has used since August indicates that he has successfully extorted at least $140,000 in Bitcoin from victim organizations.

That is almost certainly a conservative estimate of his overall earnings these past few months: My source said he was unable to hack another Yandex inbox used by this attacker between August and October 2016, “w889901665@yandex.com,” and that this email address is tied to many search results for tech help forum postings from people victimized by a strain of ransomware known as Mamba and HDD Cryptor.

Copies of messages shared with this author answer many questions raised by news media coverage of this attack, such as whether the SFMTA was targeted. In short: No. Here’s why.

Messages sent to the attacker’s cryptom2016@yandex.com account show a financial relationship with at least two different hosting providers. The credentials needed to manage one of those servers were also included in the attacker’s inbox in plain text, and my source shared multiple files from that server.

KrebsOnSecurity sought assistance from several security experts in making sense of the data shared by my source. Alex Holden, chief information security officer at Hold Security Inc, said the attack server appears to have been used as a staging ground to compromise new systems, and was equipped with several open-source tools to help find and infect new victims.

“It appears our attacker has been using a number of tools which enabled the scanning of large portions of the Internet and several specific targets for vulnerabilities,” Holden said. “The most common vulnerability used ‘weblogic unserialize exploit’ and especially targeted Oracle Corp. server products, including Primavera project portfolio management software.”

According to a review of email messages from the Cryptom27 accounts shared by my source, the attacker routinely offered to help victims secure their systems from other hackers for a small number of extra Bitcoins. In one case, a victim that had just forked over a 20 Bitcoin ransom seemed all too eager to pay more for tips on how to plug the security holes that got him hacked. In return, the hacker pasted a link to a Web server, and urged the victim to install a critical security patch for the company’s Java applications.

“Read this and install patch before you connect your server to internet again,” the attacker wrote, linking to this advisory that Oracle issued for a security hole that it plugged in November 2015.

In many cases, the extortionist told victims their data would be gone forever if they didn’t pay the ransom in 48 hours or less. In other instances, he threatens to increase the ransom demand with each passing day. Continue reading →


15
Sep 16

Ransomware Getting More Targeted, Expensive

I shared a meal not long ago with a source who works at a financial services company. The subject of ransomware came up and he told me that a server in his company had recently been infected with a particularly nasty strain that spread to several systems before the outbreak was quarantined. He said the folks in finance didn’t bat an eyelash when asked to authorize several payments of $600 to satisfy the Bitcoin ransom demanded by the intruders: After all, my source confessed, the data on one of the infected systems was worth millions — possibly tens of millions — of dollars, but for whatever reason the company didn’t have backups of it.

This anecdote has haunted me because it speaks volumes about what we can likely expect in the very near future from ransomware — malicious software that scrambles all files on an infected computer with strong encryption, and then requires payment from the victim to recover them.

Image: Kaspersky Lab

What we can expect is not only more targeted and destructive attacks, but also ransom demands that vary based on the attacker’s estimation of the value of the data being held hostage and/or the ability of the victim to pay some approximation of what it might be worth.

In an alert published today, the U.S. Federal Bureau of Investigation (FBI) warned that recent ransomware variants have targeted and compromised vulnerable business servers (rather than individual users) to identify and target hosts, thereby multiplying the number of potential infected servers and devices on a network.

“Actors engaging in this targeting strategy are also charging ransoms based on the number of host (or servers) infected,” the FBI warned. “Additionally, recent victims who have been infected with these types of ransomware variants have not been provided the decryption keys for all their files after paying the ransom, and some have been extorted for even more money after payment.”

According to the FBI, this recent technique of targeting host servers and systems “could translate into victims paying more to get their decryption keys, a prolonged recovery time, and the possibility that victims will not obtain full decryption of their files.”

fbipsi-ransom

Today there are dozens of ransomware strains, most of which are sold on underground forums as crimeware packages — with new families emerging regularly. These kits typically include a point-and-click software interface for selecting various options that the ransom installer may employ, as well as instructions that tell the malware where to direct the victim to pay the ransom. Some kits even bundle the HTML code needed to set up the Web site that users will need to visit to pay and recover their files.

To some degree, a variance in ransom demands based on the victim’s perceived relative wealth is already at work. Lawrence Abrams, owner of the tech-help site BleepingComputer, said his analysis of multiple ransomware kits and control channels that were compromised by security professionals indicate that these kits usually include default suggested ransom amounts that vary depending on the geographic location of the victim.

“People behind these scams seem to be setting different rates for different countries,” Abrams said. “Victims in the U.S. generally pay more than people in, say, Spain. There was one [kit] we looked at recently that showed while victims in the U.S. were charged $200 in Bitcoin, victims in Italy were asked for just $20 worth of Bitcoin by default.”

In early 2016, a new ransomware variant dubbed “Samsam” (PDF) was observed targeting businesses running outdated versions of Red Hat‘s JBoss enterprise products. When companies were hacked and infected with Samsam, Abrams said, they received custom ransom notes with varying ransom demands.

“When these companies were hacked, they each got custom notes with very different ransom demands that were much higher than the usual amount,” Abrams said. “These were very targeted.”

Which brings up the other coming shift with ransomware: More targeted ransom attacks. For the time being, most ransomware incursions are instead the result of opportunistic malware infections. The first common distribution method is spamming the ransomware installer out to millions of email addresses, disguising it as a legitimate file such as an invoice.

More well-heeled attackers may instead or also choose to spread ransomware using “exploit kits,” a separate crimeware-as-a-service product that is stitched into hacked or malicious Web sites and lying in wait for someone to visit with a browser that is not up to date with the latest security patches (either for the browser itself or for a myriad of browser plugins like Adobe Flash or Adobe Reader).

But Abrams said that’s bound to change, and that the more targeted attacks are likely to come from individual hackers who can’t afford to spend thousands of dollars a month renting exploit kits.

“If you throw your malware into a good exploit kit, you can achieve a fairly wide distribution of it in a short amount of time,” Abrams said. “The only problem is the good kits are very expensive and can cost upwards of $4,000 per month. Right now, most of these guys are just throwing the ransomware up in the air and wherever it lands is who they’re targeting. But that’s going to change, and these guys are going to start more aggressively targeting really data intensive organizations like medical practices and law and architectural firms.”

Earlier this year, experts began noticing that ransomware purveyors appeared to be targeting hospitals — organizations that are extremely data-intensive and heavily reliant on instant access to patient records. Indeed, the above-mentioned SamSAM ransomware family is thought to be targeting healthcare firms.

According to a new report by Intel Security, the healthcare sector is experiencing over 20 data loss incidents per day related to ransomware attacks. The company said it identified almost $100,000 in payments from hospital ransomware victims to specific bitcoin accounts so far in 2016. Continue reading →


14
Jan 16

Ransomware a Threat to Cloud Services, Too

Ransomware — malicious software that encrypts the victim’s files and holds them hostage unless and until the victim pays a ransom in Bitcoin — has emerged as a potent and increasingly common threat online. But many Internet users are unaware that ransomware also can just as easily seize control over files stored on cloud services.

ransomhandToni Casala found this out the hard way. Casala’s firm — Children in Film — works as an advocate for young actors and their families. The company’s entire operations run off of application hosting services at a managed cloud solutions firm in California, from QuickBooks to Microsoft Office and Outlook. Employees use Citrix to connect to the cloud, and the hosting firm’s application maps the cloud drive as a local disk on the user’s hard drive.

“We were loving that situation,” Casala said. “We can keep the computers here at work empty, and the service is very inexpensive when you compare it the cost of having more IT people on staff. Also, when we need support, they are very responsive. We don’t get farmed out to some call center in India.”

They were loving it, that is, until just before New Year’s Eve, when an employee opened an email attachment that appeared to be an invoice. Thirty minutes later, nobody in Casala’s firm could access any of the company’s 4,000+ files stored on the cloud drive.

“Someone in my office was logged into Outlook and opened up invoice attachment and BAM!, within 30 minutes, every single file on our Q drive had ‘vvv’ added as file extensions,” she said. Every single folder -had a file that said “help.decrypt,” essentially the attacker’s’ instructions for how to pay the ransom.

The cloud provider that Casala’s company is using was keeping daily backups, but she said it still took them almost a week to fully restore all of the files that were held hostage. She said the hosting service told her that the malware also disrupted operations for other customers on the same server.

Casala said her company got lucky on several fronts. For starters, the infection happened right before her firm closed down operations for the New Year’s break, so the outage was less of a disruption than it might normally have been.

More importantly, the malware that scrambled their files — a strain of ransomware called TeslaCrypt, contained a coding weakness that has allowed security and antivirus firms to help victims decrypt the files without paying the ransom. Users over at the computer help forum BleepingComputer have created TeslaDecoder, which allows victims to decrypt files locked by TeslaCrypt.

Casala said the hosting firm had antivirus installed on the server, but that the ransomware slipped past those defenses. That’s because the crooks who are distributing ransomware engineer the malware to evade detection by antivirus software. For more on how cybercriminals achieve that, see Antivirus is Dead: Long Live Antivirus.

The best defense against ransomware is a good set of data backups that are made each day — preferably to a device that is not always connected to the network. Unfortunately, this is often easier said than done, especially for small businesses. For many ransomware victims who do not have backups to rely upon, the choice of whether to pay comes down to the question of how badly the victim needs access to the ransomed files, and whether the files lost are worth more than the ransom demand (which is usually only a few hundred dollars in Bitcoin). Continue reading →


6
Nov 13

CryptoLocker Crew Ratchets Up the Ransom

Last week’s article about how to prevent CryptoLocker ransomware attacks generated quite a bit of feedback and lots of questions from readers. For some answers — and since the malware itself has morphed significantly in just a few day’s time — I turned to Lawrence Abrams and his online help forum BleepingComputer.com, which have been following and warning about this scourge for several months.

This message is left by CryptoLocker for victims whose antivirus software removed the file needed to pay the ransom.

This message is left by CryptoLocker for victims whose antivirus software removes the file needed to pay the ransom.

To recap, CryptoLocker is a diabolical new twist on an old scam. The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc. — as well as any files on attached or networked storage media. CryptoLocker then demands payment via Bitcoin or MoneyPak and installs a countdown clock on the victim’s desktop that ticks backwards from 72 hours. Victims who pay the ransom receive a key that unlocks their encrypted files; those who let the timer expire before paying risk losing access to their files forever.

Or, at least, that’s how it worked up until a few days ago, when the crooks behind this scam began easing their own rules a bit to accommodate victims who were apparently willing to pay up but simply couldn’t jump through all the hoops necessary in the time allotted.

“They realized they’ve been leaving money on the table,” Abrams said. “They decided there’s little sense in not accepting the ransom money a week later if the victim is still willing to pay to get their files back.”

Part of the problem, according to Abrams, is that few victims even know about Bitcoins or MoneyPak, let alone how to obtain or use these payment mechanisms.

“We put up survey and asked how many [victims] had paid the ransom with Bitcoins, and almost no one said they did, Abrams said. “Most paid with MoneyPak. The people who did pay with Bitcoins said they found the process for getting them was so cumbersome that it took them a week to figure it out.”

Another major stumbling block that prevents many otherwise willing victims from paying the ransom is, ironically, antivirus software that detects CryptoLocker — but only after the malware has locked the victim’s most prized files with virtually uncrackable encryption.

“Originally, when antivirus software would clean a computer, it would remove the CryptoLocker infection, which made it so the user could not pay the ransom,” Abrams said. “Newer versions change the desktop background to include a URL where the user can download the infection again and pay the ransom.”

The idea of purposefully re-infecting a machine by downloading and executing highly destructive malware may be antithetical and even heresy to some security pros. But victims who are facing the annihilation of their most precious files probably have a different view of the situation. Abrams that said his testing has shown that as long as the registry key “HKCU\Software\Cryptolocker_0388″ remains in the Windows registry, re-downloading the malware would not try to re-encrypt the already encrypted data — although it would encrypt any new files added since the initial infection.

“Some antivirus companies have been telling victims not to pay the ransom,” Abrams said. “On the one hand, I get it, because you don’t want to encourage these malware writers. But on the other hand, there are some companies that are facing going out of business if they don’t, and can’t afford to take the holier-that-thou route.”

CRYPTOLOCKER DECRYPTION SERVICE

On Friday, Nov. 1, the crooks behind this malware campaign launched a “customer service” feature that they have been promising to debut for weeks: a CryptoLocker Decryption Service. “This service allow [sic] you to purchase private key and decrypter for files encrypted by CryptoLocker,” the site reads. “Customers” of the service can search for their “order number” simply by uploading any of the encrypted files.

“They’re calling it an ‘order,’ as if victims posted an order at Amazon.com,” Abrams said.

The "Cryptolocker Decryption Service."

The “Cryptolocker Decryption Service.”

“If you already purchased private key using CryptoLocker, then you can download private key and decrypter for free,” explains the service, which is currently hosted at one of several addresses on the Tor anonymity network. The decryption service site is not reachable from the regular Internet; rather, victims must first download and install special software to access the site — yet another potential hurdle for victims to jump through.

According to Abrams, victims who are still within the initial 72-hour countdown clock can pay the ransom by coughing up two Bitcoins — or roughly $200 using a MoneyPak order. Victims who cannot pay within 72 hours can still get their files back, but for that unfortunate lot the ransom rises fivefold to 10 bitcoins — or roughly USD $2,232 at current exchange rates. And those victims will no longer have the option to pay the ransom via MoneyPak.

Abrams said the service exposes two lies that the attackers have been perpetuating about their scheme. For starters, the bad guys have tried to dissuade victims from rolling back their system clocks to buy themselves more time to get the money together and pay the ransom. According to Abrams, this actually works in many cases to delay the countdown timer. Secondly, the launch of the Cryptolocker Decryption Service belies the claim that private keys needed to unlock files encrypted by CryptoLocker are deleted forever from the attacker’s servers after 72 hours.

Continue reading →


8
Jul 13

Styx Exploit Pack: Domo Arigato, PC Roboto

Not long ago, miscreants who wanted to buy an exploit kit — automated software that helps booby-trap hacked sites to deploy malicious code  — had to be fairly well-connected, or at least have access to semi-private underground forums. These days, some exploit kit makers are brazenly advertising and offering their services out in the open, marketing their wares as browser vulnerability “stress-test platforms.”

Styx Pack victims, by browser and OS version.

Styx Pack victims, by browser and OS version.

Aptly named after the river in Greek mythology that separates mere mortals from the underworld, the Styx exploit pack is a high-end software package that is made for the underground but marketed and serviced at the public styx-crypt[dot]com. The purveyors of this malware-as-a-service also have made a 24 hour virtual help desk available to paying customers.

Styx customers might expect such niceties for the $3,000 price tag that accompanies this kit. A source with access to one Styx kit exploit panel that was apparently licensed by a team of bad guys shared a glimpse into their operations and the workings of this relatively slick crimeware offering.

The Styx panel I examined is set up for use by a dozen separate user accounts, each of which appears to be leveraging the pack to load malware components that target different moneymaking schemes. The account named “admin,” for example, is spreading an executable file that tries to install the Reveton ransomware.

Other user accounts appear to be targeting victims in specific countries. For example, the user accounts “IT” and “IT2” are pushing variants of the ZeuS banking trojan, and according to this Styx panel’s statistics page, Italy was by far the largest source of traffic to the malicious domains used by these two accounts. Additional apparently country-focused accounts included “NL,” AUSS,” and “Adultamer” (“amer” is a derisive Russian slur used to describe Americans).

ZeuS Trojan variants targeted at Italian victims were detected by fewer than 5 out 17 antivirus tools.

ZeuS Trojan variants targeted at Italian victims were detected by fewer than 5 out 17 antivirus tools.

An exploit kit — also called an “exploit pack” (Styx is marketed as “Styx Pack”) is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed.

Unlike other kits, Styx doesn’t give a detailed breakdown of the exploits used in the panel. Rather, the panel I looked at referred to its bundled exploits by simple two-digit numbers. This particular Styx installation used just four browser exploits, all but one of which targets recent vulnerabilities in Java. The kit referred to each exploit merely by the numbers 11, 12, 13 and 32.

According to the considerable legwork done by Kafeine, a security blogger who digs deeply into exploit kit activity, Styx Kit exploit #11 is likely to be CVE-2013-1493, a critical flaw in a Java browser plugin that Java maker Oracle fixed with an emergency patch in March 2013. Exploit 12 is almost certainly CVE-2013-2423, another critical Java bug that Oracle patched in April 2013. In an instant message chat, Kafeine says exploit #13 is probably CVE-2013-0422, a critical Java vulnerability that was patched in January 2013. The final exploit used by the kit I examined, number 32, maps to CVE-2011-3402, the same Microsoft Windows font flaw exploited by the Duqu Trojan.

The Styx stats page reports that the hacked and malicious sites used by this kit have been able to infect roughly one out of every 10 users who visited the sites. This particular Styx installation was set up on June 24, 2013, and since that time it has infected approximately 13,300 Windows PCs — all via just those  four vulnerabilities (but mostly the Java bugs).

Continue reading →


3
Jun 13

Cashout Service for Ransomware Scammers

There are 1,001 ways to swindle people online, but the hardest part for crooks is converting those ill-gotten gains into cash. A new service catering to purveyors of ransomware — malware that hijacks PCs until victims pay a ransom – levees a hefty fee for laundering funds from these scams, and it does so by abusing a legitimate Web site that allows betting on dog and horse races in the United States.

Ransonware scam spoofing the DHS to obtain Moneypak/unlock codes.

Ransonware scam spoofing the DHS to obtain Moneypak/unlock codes. Source: botnets.fr

Ransomware is most often distributed via hacked or malicious sites that exploit browser vulnerabilities.  Typically, these scams impersonate the Department of Homeland Security or the FBI (or the equivalent federal investigative authority in the victim’s country) and try to frighten people into paying fines to avoid prosecution for supposedly downloading child pornography and pirated content.

Ransomware locks the victim’s PC until he either pays the ransom or finds a way to remove the malware. Victims are instructed to pay the ransom by purchasing a prepaid MoneyPak card, sold at everything from Walgreens to Wal-Mart (some scams tell victims to pay using a PaySafe or Ukash card). Victims are then told to send the attackers a 14-digit voucher code that allows the bad guys to redeem those MoneyPak vouchers for cash.

Trouble is, taking funds off of a MoneyPak requires either spending it at stores that accept it, or hooking it up to a U.S. bank account, to PayPal, or to a prepaid Visa or Mastercard. What’s more, most miscreants who are even halfway competent at spreading ransomware can expect to collect dozens of MoneyPak codes per day, so cashing out via the above-mentioned methods simply does not scale well for successful bad guys (particularly those who live outside of the United States).

Last week, I stumbled on a ransomware cashout service hosted in Minsk, Belarus that helps simplify the process. It checks the balances of MoneyPak codes by abusing a feature built into betamerica.com, a legitimate and legal site where gamblers can go to bet on dog and horse races in the United States.  Specifically, the ransomware cashout service queries a page at betamerica.com that lets customers fund their betting accounts using MoneyPak.

I reached out to Betamerica.com’s operations team and spoke with a woman who would only give her name as “Leslie.” Leslie said the company had already flagged the account that was being used to check the MoneyPak voucher codes.

“This account was already flagged as some type of bot or compromise, and was set to non-wagering,” she said, explaining that this status prevents customer accounts from placing bets on races. Leslie said Betamerica scrutinizes the Moneypak activity because fraudsters have tried to use the codes to launder money.

“We are pretty diligent, because in the past we have had [individuals who] will try to do a Moneypak deposit and then do a withdrawal, basically trying to launder it. Bottom line is that money has to be wagered. It’s not going to be returned to you in another form.”

When I first encountered this ransomware cashout service and discovered the connection to Betamerica, I was sure the miscreants were trying to launder money through the betting site. But after my conversation with Leslie, the true scope of this ransomware operation began to come into focus. It appears to involve the cooperation of several sets of actors:

MoneyPak cashout scheme.

Scheme to cash out $300 MoneyPak vouchers obtained from ransomware victims.

Continue reading →


7
Jan 13

Crimeware Author Funds Exploit Buying Spree

The author of Blackhole, an exploit kit that booby-traps hacked Web sites to serve malware, has done so well for himself renting his creation to miscreants that the software has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb. Recently, however, the author has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes.

Cool Exploit Kit.

Cool Exploit Kit.

An exploit pack is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed. In early October  2012, security researchers began noticing that a new exploit pack called Cool Exploit Kit was showing up repeatedly in attacks from “ransomware,” malicious software that holds PCs hostage in a bid to extract money from users.

Kafeine,” a French researcher and blogger who has been tracking the ties between ransomware gangs and exploit kits, detailed Cool’s novel use of a critical vulnerability in Windows (CVE-2011-3402) that was first discovered earlier in the year in the Duqu computer worm. Duqu is thought to be related to Stuxnet, a sophisticated cyber weapon that experts believe was designed to sabotage Iran’s nuclear program.

About a week after Kafeine highlighted the Duqu exploit’s use in Cool, the same exploit showed up in Blackhole. As Kafeine documented in another blog post, he witnessed the same thing happen in mid-November after he wrote about a never-before-seen exploit developed for a Java vulnerability (CVE-2012-5076) that Oracle patched in October. Kafeine said this pattern prompted him to guess that Blackhole and Cool were the work of the same author or malware team.

“It seems that as soon as it is publicly known [that Cool Exploit Kit] is using a new exploit, that exploit shows up in Blackhole,” Kafeine said in an interview with KrebsOnSecurity.

As detailed in an excellent analysis by security firm Sophos, Blackhole is typically rented to miscreants who pay for the use of the hosted exploit kit for some period of time. A three-month license to use Blackhole runs $700, while a year-long license costs $1,500. Blackhole customers also can take advantage of a hosting solution provided by the exploit kit’s proprietors, which runs $200 a week or $500 per month.

Blackhole is the brainchild of a crimeware gang run by a miscreant who uses the nickname “Paunch.” Reached via instant message, Paunch acknowledged being responsible for the Cool kit, and said his new exploit framework costs a whopping $10,000 a month.

At first I thought Paunch might be pulling my leg, but that price tag was confirmed in a discussion by members of a very exclusive underground forum. Not long after Kafeine first wrote about Cool Exploit Kit, an associate of Paunch posted a message to a semi-private cybercrime forum, announcing that his team had been given an initial budget of $100,000 to buy unique Web browser exploits, as well as information on unpatched software flaws. Here is a portion of that post, professionally translated from Russian:

Continue reading →


13
Aug 12

Inside a ‘Reveton’ Ransomware Operation

The U.S Federal Bureau of Investigation is warning about an uptick in online extortion scams that impersonate the FBI and frighten people into paying fines to avoid prosecution for supposedly downloading child pornography and pirated content. This post offers an inside look at one malware gang responsible for orchestrating such scams.

Reveton ransomware scam impersonating FBI

Reveton ransomware scam page impersonating the FBI

In an alert published last week, the FBI said that The Internet Crime Complaint Center — a partnership between the FBI and the National White Collar Crime Center — was “getting inundated with complaints” from consumers targeted or victimized by the scam, which uses drive-by downloads to hijack host machines. The downloaded malware displays a threatening message (see image to the right) and blocks the user from doing anything else unless he pays the fine or finds a way to remove the program.

The FBI alert said the attacks have surged with the help of a “new drive-by virus” called Reveton; in fact, Reveton and its ilk are hardly new. These types of attacks have been around for years, but traditionally have targeted European users. The scam pages used in the attacks mimic official notices from various national police or investigatory agencies, corresponding to the country in which the victim resides. For a breakdown of these Reveton-related ransomware scam pages by country, see this comprehensive gallery set up at botnets.fr.

Reveton.A is blamed in these most recent attacks, and the FBI said it appears Reveton is being distributed in conjunction with Citadel, an offshoot of the ZeuS Trojan that I have written about on several occasions. It is certainly possible that crooks are using Citadel to deploy Reveton, but as I’ll illustrate below, it seems more likely that the attackers in these cases are using exploit kits like BlackHole to plant both threats on victim PCs.

INSIDE A REVETON MALWARE GANG

Operations of one Reveton crime group. Source: ‘Kafeine,’ from botnets.fr.

At least that’s the behavior that’s been observed by a ragtag group of researchers that has been tracking Reveton activity for many months. Some of the researchers are associated with botnets.fr, but they’ve asked to remain nameless because of the sensitivity of their work. One of them, who goes by the screen name “Kafeine,” said much of the Reveton activity traces back to a group that is controlling the operation using reverse proxies at dozens of servers scattered across data centers globally (see this PDF for a more detailed look at the image above).

Kafeine said the groups involved in spreading Reveton are constantly fine-tuning all aspects of their operations, from the scam pages to solidifying their back-end hosting infrastructure. The latest versions of Reveton, for example, serve the scam pages from an encrypted (https://) connection, and only cough up the pages when an infected machine visits and sends a special request. Continue reading →


17
Oct 11

Software Pirate Cracks Cybercriminal Wares

Make enough friends in the Internet security community and it becomes clear that many of the folks involved in defending computers and networks against malicious hackers got started in security by engaging in online illegal activity of one sort or another. These gradual mindset shifts are sometimes motivated by ethical, karmic or personal safety reasons, but just as often grey- and black hat hackers gravitate toward the defensive side simply because it is more intellectually challenging.

I first encountered 20-year-old French hacker Steven K. a few months ago while working on a series about the fake antivirus industry. I spent several hours reading accounts of his efforts to frustrate and highlight cybercriminal activity, and took time to follow the many links on his blog, XyliBox, a variant of his hacker alias, “Xylitol.” It turns out that Xylitol, currently unemployed and living with his parents, is something of a major player in the software piracy or “warez” scene, which seeks to crack the copy protection technology built into many computer games and commercial software programs.

As a founding member of redcrew.astalavista.ms (this site may be flagged by some antivirus software as malicious), Xylitol spent several years devising and releasing “cracks,” software patches that allow people to use popular commercial software titles without paying for a license. Cracks are frequently bundled with backdoors, Trojans and other nasties, but Xylitol claims his group never tainted its releases; he says this malicious activity is most often carried out by those who re-purpose and redistribute the pristine patches for their own (commercial and criminal) uses.

But about a year ago, Xylitol began shifting his focus to reverse engineering malware creation kits being marketed and sold on underground cybercrime forums. In October 2010, he began releasing cracked copies of the the bot builder for the SpyEye Trojan, a crimeware kit that sells for several thousand dollars. Each time the SpyEye author released an update, Xylitol would crack it and re-release a free version. This continued for at least a dozen updates in the past year.

The cracked SpyEye releases have been met with a mix of praise and scorn from the security industry; the free releases no doubt frustrated the moneymaking capabilities of the SpyEye author, but they also led to the public distribution of a malware kit that had previously been much harder to come by.

In an instant message chat, Xylitol said he still cracks the occasional commercial software title, just for old time’s sake.

“Sometimes for the old memories, but I’m more into malware cracking now,” he wrote. “It’s more fun.”

Since Nov. 2010, Xylitol and some of his associates have been locked in a daily battle with Russian scareware and ransomware gangs. Scareware programs hijack PCs with incessant and misleading security warnings in a bid to frighten users into paying for the worthless software. Paying customers are given a license key eliminates the annoying security warnings. Ransomware is even more devious: It encrypts the victim’s personal files — pictures, documents, movies and music files — with a custom encryption key. Victims who want their files back usually have little recourse but to pay a fee via text message to receive a code that unlocks the encrypted files.

Xylitol and his pals have been busy over the past year cracking and publishing the license keys needed to free computers snared by scareware and ransomware. For months, these guys have been taking on a Russian ransomeware group called the WinAd gang, releasing the ransomware codes on a daily basis, often just hours after the WinAd gang began pushing out new ransomware variants.

Continue reading →