Ransomware threat landscape evolving


By Dylan Bushell-Embling
Wednesday, 30 March, 2016


Recent discoveries from multiple security companies demonstrate that the ransomware threat landscape is rapidly evolving to incorporate new tactics and propagation methods.

Trend Micro last week announced it has uncovered a new variant of crypto-ransomware capable of preventing operating systems from even loading.

Unlike conventional ransomware, which encrypts files and holds them hostage demanding payment for a decryption key, the Petya crypto-ransomware variant has the ability to overwrite an affected system’s master boot record.

The result is that users are locked out of their computers, with start-up ending in a blue screen of death. A ransom message demanding payment in bitcoins is then displayed at system start-up.

Petya is delivered to victims via the cloud storage service Dropbox, marking the first time in a long time that crypto-ransomware has been spread via a legitimate service, Trend Micro said. Users are first sent an email tailored to look and read like a job application, with a link to a Dropbox location that houses a self-extracting executable disguised as a résumé.

The executable installs a Trojan on the compromised system; the Trojan is designed to blind any installed antivirus programs and then download and execute Petya.

Dropbox has removed the malicious files hosted on their service and issued a statement indicating that the company has put procedures in place to proactively shut down similar rogue activity as soon as it happens.

Carbon Black separately warned it has discovered a new family of ransomware targeting organisations via Microsoft Word and PowerShell, the scripting language used in Microsoft operating systems.

The PowerWare ransomware uses PowerShell and other native tools to avoid writing new files to disk, making it harder to detect and helping it blend in with legitimate computer activity.

PowerWare is delivered via a macro-enabled Microsoft Word document whose macros spawn the command prompt, which in turn calls PowerShell with options to download and run the malicious PowerWare code.

The ransomware itself encrypts files with hundreds of different file name extensions, from documents to picture files to zip files and disk images. It initially demands a US$500 ($660) ransom, rising to US$1000 after two weeks.

To protect against the attack, Carbon Black recommends using security software to block cmd.exe from executing when launched by Word and other Office applications.
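As an added example (not from the article, Carbon Black or any product), the following Python flags cmd.exe or powershell.exe processes whose ancestry leads back to an Office application, the chain described above; it goes slightly beyond the direct Word-to-cmd case by walking several parent links, so the PowerShell child of an Office-spawned cmd.exe is caught too. The `pid|ppid|image|cmdline` record format and the sample rows are constructed for the example.

```python
# Added example: detect shells spawned (directly or indirectly) by Office apps.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# cmd.exe is what the article's recommendation targets; powershell.exe is
# included because it is the next hop in the described chain.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_events(lines: List[str]) -> Dict[int, ProcEvent]:
    """Parse constructed 'pid|ppid|image|cmdline' process-creation records."""
    events: Dict[int, ProcEvent] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        events[int(pid)] = ProcEvent(int(pid), int(ppid), image.lower(), cmdline)
    return events


def office_ancestor(ev: ProcEvent, events: Dict[int, ProcEvent],
                    max_depth: int = 5) -> Optional[str]:
    """Walk parent links; return the image of the first Office ancestor, if any."""
    cur = ev
    for _ in range(max_depth):
        parent = events.get(cur.ppid)
        if parent is None:
            return None
        if parent.image in OFFICE_IMAGES:
            return parent.image
        cur = parent
    return None


def find_office_spawned_shells(events: Dict[int, ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, office_ancestor_image, child_image) for each suspect shell."""
    findings = []
    for ev in events.values():
        if ev.image in SUSPECT_CHILDREN:
            anc = office_ancestor(ev, events)
            if anc:
                findings.append((ev.pid, anc, ev.image))
    return sorted(findings)


# Constructed sample telemetry: one Office-launched chain, one legitimate shell.
SAMPLE_LOG = """
# pid|ppid|image|cmdline
100|1|explorer.exe|explorer.exe
200|100|WINWORD.EXE|WINWORD.EXE resume.docm
300|200|cmd.exe|cmd.exe /c powershell <constructed args>
310|300|powershell.exe|powershell <constructed args>
400|100|cmd.exe|cmd.exe
410|400|powershell.exe|powershell Get-Process
"""

if __name__ == "__main__":
    for pid, anc, img in find_office_spawned_shells(parse_events(SAMPLE_LOG.splitlines())):
        print(f"ALERT pid={pid}: {img} descends from {anc}")
```

The same ancestry walk can be used to write an allow-list exception (for instance for a known add-in) without loosening the rule for the Word-to-cmd case itself.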

Finally, while not specific to ransomware, Symantec researchers have revealed they have recently observed various malware families in the wild that use multiple digital certificates to evade detection.

While attacks have historically focused on using stolen valid certificates based on the Secure Hash Algorithm 1 (SHA-1) standard, as businesses have started moving to the more robust SHA-2, attackers have started following suit.

Microsoft discontinued support for files digitally signed using SHA-1 in certain circumstances starting at the beginning of this year. These restrictions are causing malware authors to move away from SHA-1 and figure out new ways to exploit SHA-2 certificates.

Symantec’s report details the example of Carberp, a Trojan that has been modified to use two stolen digital certificates, one using SHA-1 while the other uses SHA-2.

A benefit of using multiple certificates for attackers is that files maintain a signed state even after one of the signatures has been revoked. If the primary SHA-1 certificate is revoked, the SHA-2 certificate serves as a backup.

“With two digital certificates, attackers stand an even better chance of accomplishing their goals,” the company said in a blog post.

“The attacks with Carberp also point to a shift towards using digital certificates with SHA2. While the move from SHA1 to SHA2 may not be instant because legacy systems do not support the newer algorithm, these attacks do indicate that change is on the way.”

Image courtesy of Yuri Samoilov under CC
