Ransomware—a particularly nasty malware that holds your data hostage until you pay up—just got more pernicious with a version that lets you sell out your friends instead of handing over your cash.
The diabolical software Popcorn Time, which is not at all affiliated with the Popcorn Time piracy app, shakes victims down like any other ransomware. If you can’t afford the one-bitcoin payout or you’re feeling especially spiteful, you can share a link to download Popcorn Time in an attempt to infect others. If two of your victims pay up, the attackers give you the key to decrypt your data. It’s a bit like the movie It Follows, but for malware instead of killing.
MalwareHunter, a hacker with the MalwareHunterTeam research group, recently discovered Popcorn Time. It resembles any other malware in terms of infecting a computer, encrypting its drive, and locking you out. The social aspect is what makes it novel. It’s like sharing a referral code for cheap takeout or a free Uber ride. “The model for getting it off your system is sort of a pyramid scheme, multi-level marketing style approach,” says Kevin Butler, a cybersecurity and malware propagation researcher at the University of Florida. “It could certainly make for some interesting discussions amongst one’s group of friends if you’re trying to figure out who infected you with this malware.”
Hackers regularly get creative with ransomware, offering things like support desks where victims can negotiate their ransom. Popcorn Time goes further by tapping into eat-or-be-eaten instincts. It’s fascinating in its psychological gamesmanship, and indicative of experimentation in an already disruptive field. “The bad guys are making a lot of money and they’re going to make a lot more money. A certain percentage of those funds are going to go into research and development for them to try new things,” says Jeremiah Grossman, chief of security strategy at cybersecurity defense firm SentinelOne. “The bad guys are innovating.”
There’s some good news, though. First, the Popcorn Time code doesn’t appear to be finished. “It is still not perfect, but it’s getting better,” MalwareHunter says. “Infect more to get free key is already unique thing. This system is something you not see every day.”
It also remains to be seen how widely Popcorn Time spreads. “No one really knows if the mechanism is going to have any meaningful impact,” Grossman says. “You infect someone and you try to get them to infect other people. That’s a human-to-human process. Does it really scale versus all other ways, like mass-blast email? Does this process really work economically?”
Still, ransomware tends to cluster in families and strains that share similar attributes. Even if Popcorn Time isn’t a viral hit, hackers could study its successes and failures to make their own variations more effective. Your best bet? Avoid getting hit in the first place. Regardless of whether Popcorn Time spreads like a virus, there’s no reason to be patient zero.
Expert who stopped spread of attack by activating software’s kill switch says criminals will change the code and start again
The accidental hero who halted the global spread of an unprecedented ransomware attack by registering a garbled domain name hidden in the malware has warned the attack could be rebooted.
The ransomware used in Friday’s attack wreaked havoc on organisations including FedEx and Telefónica, as well as the UK’s National Health Service (NHS), where operations were cancelled, X-rays, test results and patient records became unavailable and phones did not work.
But the spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and inadvertently activated a kill switch in the malicious software.
The researcher, who identified himself only as MalwareTech, is a 22-year-old from south-west England who works for Kryptos Logic, an LA-based threat intelligence company.
“I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit,” he told the Guardian. “I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”
The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long, nonsensical domain name that the malware makes a request to, just as if it were looking up any website; if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. The domain cost $10.69 and was immediately registering thousands of connections every second.
MalwareTech explained that he bought the domain because his company tracks botnets, and by registering these domains they can get an insight into how the botnet is spreading. “The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain,” he said. But the following hours were “an emotional rollercoaster”.
“Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freakout until I realised it was actually the other way around and we had stopped it,” he said.
MalwareTech said he preferred to stay anonymous because “it just doesn’t make sense to give out my personal information, obviously we’re working against bad guys and they’re not going to be happy about this.”
He also said he planned to hold onto the URL, and he and colleagues were collecting the IPs and sending them off to law enforcement agencies so they can notify the infected victims, not all of whom are aware that they have been affected.
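The kill-switch lookup described above is also what makes infected hosts visible to whoever holds the domain: every infection that resolves it leaves an entry in the registrar’s or a resolver’s DNS query log, which is how a list of IPs for law enforcement can be assembled. The following Python is an added example, not the researcher’s or Kryptos Logic’s code: it parses constructed BIND-style query-log lines and lists the client IPs that looked up a sinkholed domain, with first and last lookup times. The domain name is a placeholder (the real kill-switch domain is deliberately not reproduced) and the log lines are constructed for the example.

```python
import re
from datetime import datetime

# Placeholder: the actual kill-switch domain is deliberately not reproduced
# here. Substitute the domain you registered or sinkholed.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# One BIND-style query-log line looks like (constructed):
# 12-May-2017 15:04:01.123 client 10.0.0.5#51234 (x.example): query: x.example IN A + (10.0.0.1)
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: hosts .5 and .7 resolve the sinkhole, .9 does not.
SAMPLE_LOG = """\
12-May-2017 15:04:01.123 client 10.0.0.5#51234 (killswitch-placeholder.example): query: killswitch-placeholder.example IN A +E(0)K (10.0.0.1)
12-May-2017 15:04:01.987 client 10.0.0.9#40001 (www.example.net): query: www.example.net IN A + (10.0.0.1)
12-May-2017 15:04:02.010 client 10.0.0.7#55555 (KILLSWITCH-PLACEHOLDER.EXAMPLE.): query: KILLSWITCH-PLACEHOLDER.EXAMPLE. IN A + (10.0.0.1)
12-May-2017 15:04:03.500 client 10.0.0.5#51240 (killswitch-placeholder.example): query: killswitch-placeholder.example IN A + (10.0.0.1)
this line is not a query-log entry and is skipped
"""


def normalise(name):
    """Lower-case and drop the trailing dot, so 'Foo.Example.' matches 'foo.example'."""
    return name.rstrip(".").lower()


def parse_line(line):
    """Return the timestamp, client IP, query name and type, or None for non-query lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
        "ip": m.group("ip"),
        "qname": normalise(m.group("qname")),
        "qtype": m.group("qtype"),
    }


def find_sinkhole_hits(lines, domain=KILL_SWITCH_DOMAIN):
    """Map each client IP that resolved `domain` to its lookup count and first/last time."""
    target = normalise(domain)
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qname"] != target:
            continue
        entry = hits.setdefault(
            rec["ip"], {"count": 0, "first_seen": rec["ts"], "last_seen": rec["ts"]}
        )
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])
    return hits


def notification_list(hits):
    """One line per client, earliest lookup first, ready to hand to whoever notifies owners."""
    rows = sorted(hits.items(), key=lambda kv: kv[1]["first_seen"])
    return [
        f"{ip} lookups={v['count']} "
        f"first={v['first_seen']:%Y-%m-%d %H:%M:%S} last={v['last_seen']:%Y-%m-%d %H:%M:%S}"
        for ip, v in rows
    ]


if __name__ == "__main__":
    for row in notification_list(find_sinkhole_hits(SAMPLE_LOG.splitlines())):
        print(row)
```

A hit only says that something at that address resolved the domain: researchers’ sandboxes and analysts pasting the name into a resolver produce the same entries, and many machines behind one NAT gateway collapse into a single IP, so the list is a starting point for notification rather than proof of infection on its own.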
He warned people to patch their systems, adding: “This is not over. The attackers will realise how we stopped it, they’ll change the code and then they’ll start again. Enable Windows Update, update and then reboot.”
He said he got his first job out of school without any real qualifications, having skipped university to start up a tech blog and write software.
“It’s always been a hobby to me, I’m self-taught. I ended up getting a job out of my first botnet tracker, which the company I now work for saw and contacted me about, asking if I wanted a job. I’ve been working there a year and two months now.”
But the dark knight of the dark web still lives at home with his parents, which he joked was “so stereotypical”. His mum, he said, was aware of what had happened and was excited, but his dad hadn’t been home yet. “I’m sure my mother will inform him,” he said.
“It’s not going to be a lifestyle change, it’s just a five minutes of fame sort of thing. It is quite crazy, I’ve not been able to check into my Twitter feed all day because it’s just been going too fast to read. Every time I refresh it it’s another 99 notifications.”
Proofpoint’s Ryan Kalember said the British researcher “gets the accidental hero award of the day. They didn’t realise how much it probably slowed down the spread of this ransomware.”
“The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organisations were affected. But it gave people in the US more time to develop immunity to the attack by patching their systems before they were infected,” said Kalember.
The kill switch won’t help anyone whose computer is already infected with the ransomware, and it’s possible that there are other variants of the malware with different kill switches that will continue to spread.
The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of cyber weapons from the National Security Agency (NSA).
Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. This attack used a piece of malicious software called WanaCrypt0r 2.0 or WannaCry, which exploits a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.
The ransomware demands users pay $300 worth of the cryptocurrency bitcoin to retrieve their files, though it warns that the payment will be raised after a certain amount of time. Translations of the ransom message in 28 languages are included. The malware spreads through email.
“This was eminently predictable in lots of ways,” said Kalember. “As soon as the Shadow Brokers dump came out everyone [in the security industry] realised that a lot of people wouldn’t be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch.”
Security researchers with Kaspersky Lab have recorded more than 45,000 attacks in 74 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefónica were infected.
By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.
Similarities spotted between details of last week’s massive cyber-attack and code used by a prolific cybergang with links to the North Korean government
Two top security firms have found evidence linking the WannaCry ransomware to the prolific North Korean cybergang known as Lazarus Group.
Kaspersky and Symantec both said on Monday that technical details within an early version of the WannaCry code are similar to code used in a 2015 backdoor created by the government-linked North Korean hackers, who were implicated in the 2014 attack on Sony Pictures and an $81m heist on a Bangladeshi bank in 2016. Lazarus Group has also been known to use and target Bitcoin in its hacking operations. The similarities were first spotted by Google security researcher Neel Mehta and echoed by other researchers including Matthieu Suiche from UAE-based Comae Technologies.
Shared code doesn’t always mean the same hacking group is responsible: an entirely different group may have simply re-used Lazarus Group’s backdoor code from 2015 as a false flag to confuse anyone trying to identify the perpetrator. However, the re-used code appears to have been removed from later versions of WannaCry, which according to Kaspersky gives less weight to the false flag theory.
“We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of WannaCry,” said Kaspersky Lab in a blogpost, pointing out that in the early days of the Bangladesh bank attack there were scant clues linking it to the Lazarus Group. However, over time researchers found more clues to build the case against the North Korea-linked cybergang.
Kaspersky is among the research teams to have been studying Lazarus Group for years, and in April it published a detailed “under the hood” report exposing the group’s modus operandi.
“This level of sophistication is something that is not generally found in the cybercriminal world. It’s something that requires strict organization and control at all stages of operation. That’s why we think that Lazarus is not just another advanced persistent threat actor,” said Kaspersky, which also found attacks originating from IP addresses in North Korea.
The WannaCry ransomware attack has now hit more than 200,000 computers in 150 countries, crippling hospitals, governments and businesses.
The links to North Korea come at a time when security researchers and technology companies are criticizing the US government for stockpiling cyberweapons including the malicious software used in WannaCry.
The WannaCry exploits used in the attack were drawn from a cache of exploits stolen from the NSA by the Shadow Brokers in August 2016. The NSA and other government agencies around the world create and collect vulnerabilities in popular pieces of software (such as Windows) and cyberweapons to use for intelligence gathering and cyberwarfare.
Once these vulnerabilities were leaked by the Shadow Brokers, they became available for cybercriminals to adapt for financial gain by creating ransomware. This ransomware spread rapidly on Friday by exploiting a vulnerability contained in the NSA leak, targeting computers running Microsoft’s Windows operating system, taking over users’ files and demanding $300 to restore them.
On Tuesday, reports surfaced that a new kind of malware was spreading around Europe. The apparent ransomware, which researchers are calling Bad Rabbit, bubbled up in Russia and Ukraine and appears to also be affecting Turkey and Germany, though the full extent of its spread isn’t known at this time.
Initial targets include Ukraine’s Ministry of Infrastructure and Kiev’s public transportation system. The Russian news service Interfax also issued an official update stating that it had been hacked and that it was working to restore its systems. Kaspersky reports that Russian news group Fontanka.ru was also affected and focuses on the trend of targeted media outlets in its initial analysis. So far, Kaspersky and ESET have both noticed ties to the malware known as NotPetya or ExPetr.
“Our researchers have detected a number of compromised websites, all news or media sites,” the Russian security company, now embroiled in controversy, writes on its blog. “Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack. However, we cannot confirm it is related to ExPetr.”
Unlike other recent malware epidemics which spread through more passive means, Bad Rabbit requires a potential victim to download and execute a bogus Adobe Flash installer file, thereby infecting themselves. Security researchers have come up with an early “vaccine” against the malware, which should inoculate systems from becoming infected.
Vaccination for the Ukraine round 2? Wanna stop #badrabbit? Create a file called c:\windows\infpub.dat and remove all write permissions for it. This should keep the malware from encrypting. Testing it now… pic.twitter.com/3MSSH8WKPb
Whoever created Bad Rabbit appears to be a Game of Thrones fan, as the malware makes reference to Daenerys Targaryen’s dragons and Grey Worm, a beloved character who is definitely not the skin disease known as greyscale.
BadRabbit creates two scheduled tasks, named after the dragons from Game of Thrones. Also a reference to GrayWorm, the skin disease in GoT. pic.twitter.com/BfQxGrMwC0
Computers infected with the malware direct the user to a .onion Tor domain where they are asked to pay 0.05 bitcoin, or roughly $276 USD, in exchange for their data. A countdown on the site shows the amount of time before the ransom price goes up. While this year has seen some instances of destructive malware disguised as ransomware, it’s not yet totally clear if Bad Rabbit actually collects a ransom and decrypts the goods in all cases, though one researcher had some luck in testing.
As always, anyone infected is discouraged from paying the ransom. For one, there’s no guarantee you’ll get the data back, but more importantly, refusing to pay the ransom discourages future ransomware attacks.
Bad Rabbit joins NotPetya and WannaCry, 2017’s two other major ransomware-style malware outbreaks.
NotPetya-style malware infects Kiev’s metro system, Odessa airport and Russian media, demanding bitcoin for decryption key
A major ransomware attack is hitting computers in Russia and Ukraine, bearing similarities to the NotPetya outbreak that caused billions of pounds of damage in June.
The self-titled Bad Rabbit malware encrypts data on infected machines before demanding a payment of 0.05 bitcoin (250) for the decryption key. The ransom demand is phrased similarly to that of June’s outbreak, and researchers at Russian security firm Kaspersky say that the malware uses methods similar to those used during the NotPetya attack.
Among the affected organisations are Kievs metro system, Russian media organisation Interfax and Odessa airport. Interfax was forced to publish to its Facebook page during the outage, since its servers were taken offline for a number of hours.
Unusually, the malware’s code is peppered with pop culture references, including the names of two dragons from Game of Thrones and the character Gray Worm used as names for scheduled tasks. A list of passwords that the malware tries while attempting to spread also includes “love”, “sex”, “god” and “secret”, which were dubbed the four most common passwords by the 1995 movie Hackers. In fact, the four most common passwords are 123456, 123456789, qwerty, and 12345678.