Devious Ransomware Frees You if You Infect Two Other People

Ransomware—a particularly nasty malware that holds your data hostage until you pay up—just got more pernicious with a version that lets you sell out your friends instead of handing over your cash.

The diabolical software Popcorn Time, which is not at all affiliated with the Popcorn Time piracy app, shakes victims down like any other ransomware. If you can’t afford the one bitcoin payout or you’re feeling especially spiteful, you can share a link to download Popcorn Time in an attempt to infect others. If two of your victims pay up, the attackers give you the key to decrypt your data. It’s a bit like the movie It Follows, but for malware instead of killing.

MalwareHunter, a hacker with the MalwareHunterTeam research group, recently discovered Popcorn Time. It resembles any other malware in terms of infecting a computer, encrypting its drive, and locking you out. The social aspect is what makes it novel. It’s like sharing a referral code for cheap takeout or a free Uber ride. “The model for getting it off your system is sort of a pyramid scheme, multi-level marketing style approach,” says Kevin Butler, a cybersecurity and malware propagation researcher at the University of Florida. “It could certainly make for some interesting discussions amongst one’s group of friends if you’re trying to figure out who infected you with this malware.”


Hackers regularly get creative with ransomware, offering things like support desks where victims can negotiate their ransom. Popcorn Time goes further by tapping into eat-or-be-eaten instincts. It’s fascinating in its psychological gamesmanship, and indicative of experimentation in an already disruptive field. “The bad guys are making a lot of money and they’re going to make a lot more money. A certain percentage of those funds are going to go into research and development for them to try new things,” says Jeremiah Grossman, chief of security strategy at cybersecurity defense firm SentinelOne. “The bad guys are innovating.”

There’s some good news, though. First, the Popcorn Time code doesn’t appear to be finished. “It is still not perfect, but it’s getting better,” MalwareHunter says. “Infect more to get free key is already unique thing. This system is something you not see every day.”

It also remains to be seen how wide Popcorn Time spreads. “No one really knows if the mechanism is going to have any meaningful impact,” Grossman says. “You infect someone and you try to get them to infect other people. That’s a human-to-human process. Does it really scale versus all other ways, like mass-blast email? Does this process really work economically?”

Still, ransomware tends to cluster in families and strains that share similar attributes. Even if Popcorn Time isn’t a viral hit, hackers could study its successes and failures to make their own variations more effective. Your best bet? Avoid getting hit in the first place. Regardless of whether Popcorn Time spreads like a virus, there’s no reason to be patient zero.

Read more:

‘Accidental hero’ halts ransomware attack and warns: this is not over

Expert who stopped spread of attack by activating software’s kill switch says criminals will change the code and start again

The accidental hero who halted the global spread of an unprecedented ransomware attack by registering a garbled domain name hidden in the malware has warned the attack could be rebooted.

The ransomware used in Friday’s attack wreaked havoc on organisations including FedEx and Telefónica, as well as the UK’s National Health Service (NHS), where operations were cancelled, X-rays, test results and patient records became unavailable and phones did not work.

But the spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and inadvertently activated a kill switch in the malicious software.

The researcher, who identified himself only as MalwareTech, is a 22-year-old from south-west England who works for Kryptos Logic, an LA-based threat intelligence company.

“I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit,” he told the Guardian. “I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”

The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. It involved a very long, nonsensical domain name that the malware makes a request to, just as if it were looking up any website; if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. The domain cost $10.69 and was immediately registering thousands of connections every second.

MalwareTech explained that he bought the domain because his company tracks botnets, and by registering these domains they can get an insight into how the botnet is spreading. “The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain,” he said. But the following hours were “an emotional rollercoaster”.

“Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freakout until I realised it was actually the other way around and we had stopped it,” he said.

MalwareTech said he preferred to stay anonymous “because it just doesn’t make sense to give out my personal information, obviously we’re working against bad guys and they’re not going to be happy about this.”

He also said he planned to hold onto the URL, and he and colleagues were collecting the IPs and sending them off to law enforcement agencies so they can notify the infected victims, not all of whom are aware that they have been affected.
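The kill-switch check described above, and the follow-on work of turning the sinkhole’s traffic into a list of infected hosts for notification, as an added example. This is not code from the article or from the researchers it quotes. The domain name is a placeholder (the real WannaCry domain is not reproduced here), the two resolver functions and the access-log lines are constructed for the example, and `socket.gethostbyname` stands in for the worm’s own DNS lookup.

```python
"""Kill-switch check and sinkhole log triage (added example).

The kill-switch domain is a placeholder; the log lines and the two
resolver functions are constructed so the script runs offline.
"""
import re
import socket
from datetime import datetime

# Placeholder stand-in for the registered kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"


def kill_switch_engaged(domain=KILL_SWITCH_DOMAIN, resolve=socket.gethostbyname):
    """Mirror the worm's own check: if the domain resolves (someone has
    registered it and stood up a sinkhole), the halt condition is met."""
    try:
        resolve(domain)
    except OSError:  # socket.gaierror (NXDOMAIN etc.) is a subclass of OSError
        return False
    return True


def nxdomain_resolver(domain):
    """Constructed resolver: behaves like DNS before the domain was registered."""
    raise socket.gaierror(-2, "Name or service not known")


def sinkhole_resolver(domain):
    """Constructed resolver: behaves like DNS after the domain was registered."""
    return "198.51.100.1"


# Constructed sinkhole access log: combined format plus the requested Host.
SINKHOLE_LOG = """\
203.0.113.7 - - [12/May/2017:15:47:01 +0000] "GET / HTTP/1.1" 200 0 "-" "-" killswitch-placeholder.invalid
198.51.100.23 - - [12/May/2017:15:47:01 +0000] "GET / HTTP/1.1" 200 0 "-" "-" killswitch-placeholder.invalid
203.0.113.7 - - [12/May/2017:15:47:02 +0000] "GET / HTTP/1.1" 200 0 "-" "-" killswitch-placeholder.invalid
192.0.2.99 - - [12/May/2017:15:47:03 +0000] "GET / HTTP/1.1" 200 0 "-" "-" other-sinkhole.invalid
203.0.113.7 - - [12/May/2017:15:48:10 +0000] "GET / HTTP/1.1" 200 0 "-" "-" killswitch-placeholder.invalid
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<host>\S+)$'
)


def infected_hosts(log_text, domain=KILL_SWITCH_DOMAIN):
    """Group sinkhole hits for the kill-switch domain by client IP.

    Each hit is a machine that ran the worm's check, so the client IP is a
    likely-infected host (or the NAT gateway in front of it). Returns
    {ip: {"hits": n, "first_seen": datetime, "last_seen": datetime}}.
    """
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("host") != domain:
            continue  # malformed line, or traffic for some other sinkhole
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entry = report.setdefault(
            m.group("ip"), {"hits": 0, "first_seen": ts, "last_seen": ts}
        )
        entry["hits"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return report


def notification_rows(report):
    """Flatten the report into (ip, hits, first_seen_iso) rows, busiest
    source first: the shape one would hand to an abuse desk or a CERT."""
    return sorted(
        ((ip, e["hits"], e["first_seen"].isoformat()) for ip, e in report.items()),
        key=lambda row: (-row[1], row[0]),
    )


if __name__ == "__main__":
    print("halt before registration:", kill_switch_engaged(resolve=nxdomain_resolver))
    print("halt after registration: ", kill_switch_engaged(resolve=sinkhole_resolver))
    for row in notification_rows(infected_hosts(SINKHOLE_LOG)):
        print(*row)
```

The resolver is injected so the halt condition can be exercised without touching real DNS; on a live sinkhole the default `socket.gethostbyname` would be used. The same injection point is where a defender would plug in a recursive resolver that is known not to be sinkholing or filtering, since a resolver that answers for everything would make the check look engaged when it is not.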

He warned people to patch their systems, adding: “This is not over. The attackers will realise how we stopped it, they’ll change the code and then they’ll start again. Enable Windows Update, update and then reboot.”

He said he got his first job out of school without any real qualifications, having skipped university to start up a tech blog and write software.

“It’s always been a hobby to me, I’m self-taught. I ended up getting a job out of my first botnet tracker, which the company I now work for saw and contacted me about, asking if I wanted a job. I’ve been working there a year and two months now.”

But the dark knight of the dark web still lives at home with his parents, which he joked was “so stereotypical”. His mum, he said, was aware of what had happened and was excited, but his dad hadn’t been home yet. “I’m sure my mother will inform him,” he said.

“It’s not going to be a lifestyle change, it’s just a five-minutes of fame sort of thing. It is quite crazy, I’ve not been able to check into my Twitter feed all day because it’s just been going too fast to read. Every time I refresh it it’s another 99 notifications.”

Proofpoint’s Ryan Kalember said the British researcher gets the “accidental hero award of the day”. “They didn’t realise how much it probably slowed down the spread of this ransomware.”

“The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organisations were affected. But it gave people in the US more time to develop immunity to the attack by patching their systems before they were infected,” said Kalember.

Video: Theresa May: ‘This is not targeted at the NHS, it’s an international attack’

The kill switch won’t help anyone whose computer is already infected with the ransomware, and it’s possible that there are other variants of the malware with different kill switches that will continue to spread.

The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of cyber weapons from the National Security Agency (NSA).

Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. This attack used a piece of malicious software called WanaCrypt0r 2.0 or WannaCry, that exploits a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.

MalwareTech (@MalwareTechBlog)

I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.

May 13, 2017

The ransomware demands users pay $300 worth of cryptocurrency Bitcoin to retrieve their files, though it warns that the payment will be raised after a certain amount of time. Translations of the ransom message in 28 languages are included. The malware spreads through email.

“This was eminently predictable in lots of ways,” said Kalember. “As soon as the Shadow Brokers dump came out everyone [in the security industry] realised that a lot of people wouldn’t be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch.”

Security researchers with Kaspersky Lab have recorded more than 45,000 attacks in 74 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefónica were infected.

By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.

Read more:

WannaCry ransomware has links to North Korea, cybersecurity experts say

Similarities spotted between details of last week’s massive cyber-attack and code used by a prolific cybergang with links to North Korean government

Two top security firms have found evidence linking the WannaCry ransomware to the prolific North Korean cybergang known as Lazarus Group.

Kaspersky and Symantec both said on Monday that technical details within an early version of the WannaCry code are similar to code used in a 2015 backdoor created by the government-linked North Korean hackers, who were implicated in the 2014 attack on Sony Pictures and an $81m heist on a Bangladeshi bank in 2016. Lazarus Group has also been known to use and target Bitcoin in its hacking operations. The similarities were first spotted by Google security researcher Neel Mehta and echoed by other researchers including Matthieu Suiche from UAE-based Comae Technologies.

Matthieu Suiche (@msuiche)

Similitude between #WannaCry and Contopee from Lazarus Group ! thx @neelmehta – Is DPRK behind #WannaCry ?

May 15, 2017

Shared code doesn’t always mean the same hacking group is responsible: an entirely different group may have simply re-used Lazarus Group’s backdoor code from 2015 as a false flag to confuse anyone trying to identify the perpetrator. However, the re-used code appears to have been removed from later versions of WannaCry, which according to Kaspersky gives less weight to the false flag theory.

“We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of WannaCry,” said Kaspersky Lab in a blogpost, pointing out that in the early days of the Bangladesh bank attack, there were scant clues linking it to the Lazarus group. However, over time researchers found more clues to build the case against the North Korea-linked cybergang.

Kaspersky is among the research teams to have been studying Lazarus Group for years, and in April it published a detailed “under the hood” report exposing the group’s modus operandi.

“This level of sophistication is something that is not generally found in the cybercriminal world. It’s something that requires strict organization and control at all stages of operation. That’s why we think that Lazarus is not just another advanced persistent threat actor,” said Kaspersky, which also found attacks originating from IP addresses in North Korea.

The WannaCry ransomware attack has now hit more than 200,000 computers in 150 countries, crippling hospitals, governments and businesses.

The links to North Korea come at a time when security researchers and technology companies are criticizing the US government for stockpiling cyberweapons including the malicious software used in WannaCry.

The WannaCry exploits used in the attack were drawn from a cache of exploits stolen from the NSA by the Shadow Brokers in August 2016. The NSA and other government agencies around the world create and collect vulnerabilities in popular pieces of software (such as Windows) and cyberweapons to use for intelligence gathering and cyberwarfare.

Once these vulnerabilities were leaked by the Shadow Brokers, they became available for cybercriminals to adapt for financial gain by creating ransomware. This ransomware spread rapidly on Friday by exploiting a vulnerability contained in the NSA leak, targeting computers running Microsoft’s Windows operating system, taking over users’ files and demanding $300 to restore them.

Employees monitor possible ransomware cyber-attacks at the Korea Internet and Security Agency (Kisa) in Seoul, South Korea, on 15 May. Photograph: YONHAP/EPA

“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” said Brad Smith, president and chief legal officer of Microsoft, in a blogpost.

“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.”

The blogpost mentions that vulnerabilities stockpiled by the CIA also ended up in the public domain via WikiLeaks.

“This is an emerging pattern in 2017,” Smith said, adding that the latest attack represents “a completely unintended but disconcerting link between nation-state action (the NSA) and organized criminal action (the ransomware creator).”

“The governments of the world should treat this attack as a wake-up call,” said Smith, urging nations to treat cyber weapons in the same way that physical weapons are treated.

“We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”

Jeremy Wittkop, chief technology officer of security company Intelisecure, argues that if governments are to stockpile weapons they need to secure them better.

“The government has a responsibility, like with nuclear weapons, to make sure they don’t fall into the hands of the wrong people,” he said. “If you are going to create something that can cause this much damage you have to protect it.”

Microsoft has called for a Digital Geneva Convention requiring governments to report vulnerabilities to the creators of the software instead of stockpiling, selling or exploiting them.

Read more:

A new ransomware attack called Bad Rabbit looks related to NotPetya

On Tuesday, reports surfaced that a new kind of malware was spreading around Europe. The apparent ransomware, which researchers are calling Bad Rabbit, bubbled up in Russia and Ukraine and appears to also be affecting Turkey and Germany, though its full spread isn’t known at this time.

Initial targets include Ukraine’s Ministry of Infrastructure and Kiev’s public transportation system. The Russian news service Interfax also issued an official update stating that it had been hacked and that it was working to restore its systems. Kaspersky reports that a Russian news group was also affected and focuses on the trend of targeted media outlets in its initial analysis. So far, Kaspersky and ESET have both noticed ties to the malware known as NotPetya or ExPetr.

“Our researchers have detected a number of compromised websites, all news or media sites,” the Russian security company, now embroiled in controversy, writes on its blog. “Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack. However, we cannot confirm it is related to ExPetr.”

Unlike other recent malware epidemics which spread through more passive means, Bad Rabbit requires a potential victim to download and execute a bogus Adobe Flash installer file, thereby infecting themselves. Security researchers have come up with an early “vaccine” against the malware, which should inoculate systems from becoming infected.

Whoever created Bad Rabbit appears to be a Game of Thrones fan, as the malware makes reference to Daenerys Targaryen’s dragons and Grey Worm, a beloved character who is definitely not the skin disease known as greyscale.

Computers infected with the malware direct the user to a .onion Tor domain where they are asked to pay 0.05 bitcoin, or roughly $276 USD, in exchange for their data. A countdown on the site shows the amount of time before the ransom price goes up. While this year has seen some instances of destructive malware disguised as ransomware, it’s not yet totally clear if Bad Rabbit actually collects a ransom and decrypts the goods in all cases, though one researcher had some luck in testing.

As always, anyone infected is discouraged from paying the ransom. For one, there’s no guarantee you’ll get the data back but importantly, refusing to pay the ransom discourages future ransomware attacks.

Bad Rabbit joins NotPetya and WannaCry, 2017’s two other major ransomware-style malware outbreaks.

Read more:

Bad Rabbit: Game of Thrones-referencing ransomware hits Europe

NotPetya-style malware infects Kievs metro system, Odessa airport and Russian media, demanding bitcoin for decryption key

A major ransomware attack is hitting computers in Russia and Ukraine, bearing similarities to the NotPetya outbreak that caused billions of pounds of damage in June.

The self-titled Bad Rabbit malware encrypts data on infected machines before demanding a payment of 0.05 bitcoin (£250) for the decryption key. The ransom demand is phrased similarly to that of June’s outbreak, and researchers at Russian security firm Kaspersky say that the malware uses methods similar to those used during the NotPetya attack.

Among the affected organisations are Kievs metro system, Russian media organisation Interfax and Odessa airport. Interfax was forced to publish to its Facebook page during the outage, since its servers were taken offline for a number of hours.

Unusually, the malware’s code is peppered with pop culture references, including the names of two dragons from Game of Thrones and the character Grey Worm used as names for scheduled tasks. A list of passwords that the malware tries while attempting to spread also includes “love”, “sex”, “god” and “secret”, which were dubbed the four most common passwords by the 1995 movie Hackers. In fact, the four most common passwords are “123456”, “123456789”, “qwerty” and “12345678”.


“Our observations suggest that this has been a targeted attack against corporate networks,” Kaspersky’s researchers said, again suggesting a link between this outbreak and June’s. The NotPetya outbreak began through the release of a compromised version of a popular Ukrainian accounting program, spreading automatically throughout corporate networks.

The strongest link between the two attacks is based on the web servers which were used to distribute the initial software. Kaspersky researcher Costin Raiu told Forbes magazine that a network of hacked sites initially linked to NotPetya in July was now being used to host secondary distribution channels for Bad Rabbit.

But the two attacks contain a number of notable differences, as well. Where NotPetya was targeted at Ukraine, Bad Rabbit appears to have primarily hit Russian businesses. It was initially seeded through a fake Adobe Flash update placed on at least three hacked Russian media outlets, and from that initial foothold has spread through Russia and Ukraine, as well as other eastern European countries including Poland and Bulgaria.

The attack is also different from NotPetya in its mode of distribution. The fake Adobe Flash update which initially installs it doesn’t use any software exploits to run, instead relying on old-fashioned trickery to convince a user to open it themselves. Also, once installed, the software doesn’t use the famous EternalBlue exploit, believed to have been developed by the NSA before being stolen by a hacking group known as The Shadow Brokers, to spread within corporate networks. That decision may have limited the dispersal of the outbreak.

Perhaps the biggest difference between the two is that Bad Rabbit does not appear to be a wiper, as was suspected of NotPetya. That malware was basically impossible to remove, even for users who attempted to actually pay the ransom, leading to suspicions it had been created more to cause damage and destruction than raise revenue for its developers. Bad Rabbit, by contrast, reportedly does decrypt the hard drive upon entry of the correct password.

The UK’s National Cyber Security Centre said in a statement: “We are aware of a cyber incident affecting a number of countries around the world. The NCSC has not received any reports that the UK has been affected by this latest malware attack. We are monitoring the situation and working with our partners to better understand the threat.”

Carl Leonard, a principal analyst at Forcepoint, said: “We will continue to see massive attacks with economic, employee and public safety ramifications. And the methods will continue to evolve, including the evasive methods to hide their activity as well as their true intent.

“The trick will be to better understand the human points in these attacks. The intent or motivations of the attackers can range broadly, including financial gain, revenge, political or hacktivism. Understanding these intentions can help shape our security strategies.”

Anton Ivanov (@antonivanovm)

Unlike #ExPetr, #BadRabbit is not a wiper.

October 24, 2017

Initially, few security products were capable of stopping the outbreak: a sample of the malware uploaded to analysis service VirusTotal showed just four products correctly flagging it as malicious as of 4:30pm on Tuesday, including ones made by Kaspersky and Symantec. By then, the outbreak was well and truly underway. As of Wednesday morning, almost two thirds of updated security products correctly identify the malware.

Users without working antivirus protection can also reportedly protect themselves with a vaccine by creating a file on their computer before the malware does.

Amit Serper (@0xAmit)

Vaccination for the Ukraine round 2? Wanna stop #badrabbit?
Create a file called c:\windows\infpub.dat and remove all write permissions for it. This should keep the malware from encrypting. Testing it now…

October 24, 2017
