Protected with Purpose:
As a security professional, the start of the New Year has traditionally been an ideal time for me to reflect back and provide a detailed recap of the major malware outbreaks, cyberattacks and security stories of the past year. And we had a few biggies this year: (1) the large-scale DDoS attack in October targeting Dyn, the domain name service company providing service to a majority of the most heavily trafficked websites in the world (CNN, Netflix, PayPal, Twitter, etc.); (2) the San Francisco Municipal Transportation Agency system hack that forced the public transport system to let passengers ride for free over the Thanksgiving Day weekend; (3) and of course the high-profile, massive ransomware attack on the Hollywood Presbyterian Hospital, where the largest recorded ransom was paid to cybercriminals (boo!).
However, despite a significant number of huge (and oftentimes scary) security threats in 2016, I’d like to direct my attention towards yet another new (and creepy) ransomware tactic, as I predict the continued development of this type of attack in the future, and I want you to be prepared.
If you have children maybe you can relate, and if you are still in school, maybe you can relate to this as well. Typically it is part of our daily routine in our household that when our children come home from a long day at school, we like to go through their backpacks before dinner and discuss the school work, test scores and homework sent home for the day. Last week, while going through our normal process, we happened upon a completely crumpled-up note in my middle child’s backpack. When we straightened the paper out enough so that it could be read, we deciphered the following, written in my child’s handwriting: “I drank out of a sippy cup until I was six.” As you can imagine, this struck my wife and me as odd (albeit true), so we inquired more about it. As it turns out, my son and his best friend decided that they would secretly admit to each other their “deepest and darkest secret”, I suppose as a testing-bond of their friendship.
I would assume that for most, the very thought of our “deepest and darkest secret” being revealed and made public (whether that is something as innocent as a ‘sippy cup’ or more personal like a child still wetting the bed, or you-fill-in-the-blank) would be far worse than losing the item itself, and this is what cybercriminals are banking on. Be aware and beware of “mental malware”.
Ransoc is the latest in a long line of new(er) ransomware variations. Unlike most ransomware to date, Ransoc does not look to encrypt the files it locates on the system. That is a departure, because encrypting files has been the motivating drive behind ransomware: users often pay $300 or more to decrypt the files the attacker holds for ransom. Just remember how I started this article, noting that the Hollywood Presbyterian Hospital recently forked over tens of thousands of dollars to get its data back. In contrast, instead of encrypting your files, the Ransoc Trojan attempts to collect all the personal information stored on your system. In particular, Ransoc retrieves your Skype, Facebook, LinkedIn and other social media profiles. It also notes your IP address and your geolocation, and captures an image from your webcam. Finally, it conducts a complete scan of the compromised system for Torrent files. Once the data is collected, Ransoc connects back to various remote locations and drops a highly customized ransom note on the system, comprised of the victim’s social media details, including their profile picture. The ransom note threatens the user with a fake legal proceeding and with all of the collected data going public.
Fortunately (for most, I pray!!), at the time of this writing Ransoc will only display a ransom note and the threat of public humiliation if it finds evidence of child pornography or illegally downloaded Torrent media files. However, in my professional opinion, I sense that copycat variations will be created with much more regularity in 2017, attempting to embarrass and humiliate users with a far less benevolent intention. I predict that once the code and sequencing of this type of attack is introduced, and thus understood by hackers, the hacks will become more frequent and less discerning. By that I mean it could be used as a form of emotional blackmail over people, and because of my experience in this field, I sense that these initial Ransoc hits are the predecessors of a complete new wave of ransomware. Time will tell, and we will stay tuned to see what 2017 brings. The other interesting tidbit about Ransoc is that it does not demand Bitcoin as its means of ransom payment; instead it demands payment via credit card (unheard of with ransomware!).
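A detection-side illustration of the behaviour pattern just described, added here as an example and not code from Thirtyseven4 or from Ransoc itself: it walks constructed endpoint telemetry (file reads, device opens, outbound connections, file writes; the process paths, device name and addresses are invented for the example) and flags a process only when several of the behaviours the column attributes to Ransoc coincide, since each one alone (a torrent client reads .torrent files, a browser writes HTML) is ordinary.

```python
"""Behaviour correlation for the Ransoc pattern described above.

Added example, not Thirtyseven4's code. Works on constructed endpoint
telemetry (the Event records built in sample_events); every path,
device name and address below is invented for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Event:
    pid: int
    image: str     # executable that generated the event
    kind: str      # "file_read", "file_write", "device_open" or "net_connect"
    target: str    # file path, device name, or remote address


# Reading a handful of .torrent files is normal for a torrent client; a
# disk-wide sweep is not. Threshold chosen for the illustration.
TORRENT_SWEEP_MIN = 20
# Flag a process only when several distinct behaviours coincide.
MIN_BEHAVIOURS = 3
# File names a profile-harvesting process would read (Skype's main.db,
# Chromium profile stores). Assumed indicators for the example, not a full list.
PROFILE_STORES = ("main.db", "login data", "cookies", "web data")


def classify(ev: Event) -> Optional[str]:
    """Map one event to one of the behaviours the column attributes to Ransoc."""
    t = ev.target.lower()
    if ev.kind == "file_read" and t.endswith(".torrent"):
        return "torrent_sweep"
    if ev.kind == "file_read" and any(t.endswith(name) for name in PROFILE_STORES):
        return "profile_harvest"
    if ev.kind == "device_open" and ("camera" in t or "webcam" in t):
        return "webcam_capture"
    if ev.kind == "net_connect":
        return "callback"
    if ev.kind == "file_write" and t.endswith((".html", ".htm")):
        return "ransom_note_drop"
    return None


def correlate(events: List[Event]) -> Dict[int, Dict[str, Set[str]]]:
    """Group classified targets per process: pid -> behaviour -> distinct targets."""
    seen: Dict[int, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for ev in events:
        behaviour = classify(ev)
        if behaviour:
            seen[ev.pid][behaviour].add(ev.target)
    return seen


def behaviours_present(per_proc: Dict[str, Set[str]]) -> Set[str]:
    """Apply per-behaviour thresholds; a few .torrent reads do not count as a sweep."""
    present = set()
    for behaviour, targets in per_proc.items():
        if behaviour == "torrent_sweep" and len(targets) < TORRENT_SWEEP_MIN:
            continue
        present.add(behaviour)
    return present


def flag(events: List[Event]) -> Dict[int, Set[str]]:
    """Return the pids whose coinciding behaviours reach MIN_BEHAVIOURS."""
    hits = {}
    for pid, per_proc in correlate(events).items():
        present = behaviours_present(per_proc)
        if len(present) >= MIN_BEHAVIOURS:
            hits[pid] = present
    return hits


def sample_events() -> List[Event]:
    """Constructed telemetry: one suspicious process and one ordinary torrent client."""
    bad = r"C:\Users\bob\AppData\Local\Temp\updater.exe"    # invented path
    good = r"C:\Program Files\TorrentClient\client.exe"      # invented path
    evs = [Event(4242, bad, "file_read", rf"C:\Users\bob\Downloads\item{i}.torrent")
           for i in range(25)]                               # disk-wide sweep
    evs += [
        Event(4242, bad, "file_read", r"C:\Users\bob\AppData\Roaming\Skype\bob\main.db"),
        Event(4242, bad, "device_open", r"\Device\Camera0"),  # invented device name
        Event(4242, bad, "net_connect", "203.0.113.10:443"),  # TEST-NET-3 address
        Event(4242, bad, "file_write", r"C:\Users\bob\Desktop\notice.html"),
    ]
    evs += [Event(1001, good, "file_read", rf"C:\Users\bob\Downloads\show{i}.torrent")
            for i in range(3)]                               # normal client activity
    evs.append(Event(1001, good, "net_connect", "198.51.100.7:6881"))
    return evs


if __name__ == "__main__":
    for pid, present in flag(sample_events()).items():
        print(f"pid {pid}: {sorted(present)}")
```

The thresholds (20 distinct .torrent reads, three coinciding behaviours) and the profile-store file names are assumptions chosen for the illustration; on a real endpoint they would be tuned against the telemetry source in use, and the HTML-write heuristic in particular only carries weight because it is never counted on its own.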
Thirtyseven4 Endpoint Security has been updated for this threat as Ransomware.TorLocker.PB5.
However, as a reminder, here are the preventive measures that Thirtyseven4 and US-CERT (United States Computer Emergency Readiness Team) recommend that users and administrators proactively take to protect their computer networks from ransomware infection:
1. Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
2. Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
3. Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
4. Maintain up-to-date anti-virus software, and scan all software downloaded from the internet before executing it.
5. Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
6. Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources.
7. Do not follow unsolicited Web links in emails.
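Item 1 is the control that actually defeats file-encrypting ransomware, and the half most often skipped is the "test" half. The rehearsal below is an added example (not Thirtyseven4's or US-CERT's code) using only the Python standard library and temporary directories: it takes a backup with a hash manifest, simulates the live data being encrypted, restores from the backup and confirms the restored tree matches the manifest, then shows the manifest catching a backup copy that was itself altered. The file names and contents are constructed for the drill.

```python
"""Backup-and-restore drill for item 1 of the list above.

Added example, not Thirtyseven4's or US-CERT's code. Uses only the
standard library and temporary directories, so it runs offline; the
sample files are constructed for the drill.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, backup: Path) -> Dict[str, str]:
    """Copy the tree and record a manifest alongside the copy.

    Later checks trust this manifest, never the live source, which may
    already have been encrypted by the time anyone looks.
    """
    shutil.copytree(source, backup / "data")
    manifest = build_manifest(source)
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(backup: Path) -> Dict[str, List[str]]:
    """Report files missing from, altered in, or foreign to the backup copy."""
    manifest = json.loads((backup / "manifest.json").read_text())
    actual = build_manifest(backup / "data")
    return {
        "missing": sorted(k for k in manifest if k not in actual),
        "altered": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "extra": sorted(k for k in actual if k not in manifest),
    }


def backup_is_clean(report: Dict[str, List[str]]) -> bool:
    return not (report["missing"] or report["altered"])


def restore(backup: Path, dest: Path) -> bool:
    """Restore into dest and confirm the result matches the manifest."""
    shutil.copytree(backup / "data", dest)
    manifest = json.loads((backup / "manifest.json").read_text())
    return build_manifest(dest) == manifest


def drill() -> dict:
    """End-to-end rehearsal: back up, lose the live data, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, restored = root / "live", root / "backup", root / "restored"
        source.mkdir()
        (source / "notes.txt").write_text("quarterly figures")      # constructed
        (source / "sub").mkdir()
        (source / "sub" / "photo.bin").write_bytes(bytes(range(256)))  # constructed

        take_backup(source, backup)
        clean_before = backup_is_clean(verify_backup(backup))

        # Stand-in for a ransomware run: every live file is overwritten.
        for p in source.rglob("*"):
            if p.is_file():
                p.write_bytes(b"\x00" * 32)
        manifest = json.loads((backup / "manifest.json").read_text())
        live_matches = build_manifest(source) == manifest

        restored_ok = restore(backup, restored)

        # A backup left reachable can be hit too; the manifest exposes that.
        (backup / "data" / "notes.txt").write_text("garbage")
        report = verify_backup(backup)
        return {"clean_before": clean_before, "live_matches": live_matches,
                "restored_ok": restored_ok, "tampered_altered": report["altered"]}


if __name__ == "__main__":
    print(drill())
```

The manifest is recorded at backup time and stored with the backup, so verification never trusts the live data; keeping that copy offline, as item 1 says, is what stops a ransomware run from altering the backup and its manifest together.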
If you are a follower of my column, these tips are redundant but important and effective (worth repeating!), and will strongly increase your odds of staying safe against the latest vulnerabilities. I am aware that there is a humility and freedom in sharing a secret, or a sin, and often our hardest times are used in our lives to challenge us and grow us, and also give us wisdom to encourage others in similar situations. But that being said, I think we can all agree that our business is OUR business, and having our personal information become blatantly public by a hacker is not a process that I would like to go through.
Third graders trading secrets is one thing, but your geolocation and webcam image are personal and to be shared only by your discretion. Keep your eyes open for the risks of Ransoc and follow our security guidelines to keep your personal information YOUR personal information.
Happy 2017, Everyone! Let’s make it a safe one!