November has quickly become one of the biggest months for crypto-ransomware all year. Multiple new crypto-ransomware variants have been introduced, as cyber criminals prepare to prey on vulnerable users heading online for their holiday shopping.
The first variant, Chimera, has been encrypting both files and networks drives, as well as threatening to publish personal data and pictures online if the ransom is not paid. Chimera has been in circulation since September, using business-focused emails as its primary avenue of compromise.
According to the Anti-Botnet Advisory Centre:
“Several variants…try to target specific employees within a company and they have one thing in common: within the email, a link points to a source at Dropbox, claiming that additional information has been stored there.”
Users naïve enough to click on the link are infected with Chimera, which encrypts all locally stored data and demands a nearly $700 ransom.
Currently, there is no evidence that Chimera is following through on its threat to publish the compromised data, but the threat alone is a new modus operandi for crypto-ransomware.
Next up, Cryptowall has been updated to Cryptowall 4.0. Previously, Bromium has chronicled the history of Cryptowall and crypto-ransomware, in its report, “Understanding Crypto-Ransomware.” Cryptowall is one of the original crypto-ransomware variants, first appearing around November 2013. In addition to encrypting user files, Cryptowall 4.0 also encrypts file names, making it even more unlikely for file recovery.
Third, CryptoLocker Service is also an update to one of the original crypto-ransomware variants, CryptoLocker. CryptoLocker Service emerged from the Darknet this week, being run by an individual known as Fakben (known for his participation in stolen credit card forums). Fakben is making CryptoLocker available as a service for $50, plus ten percent.
Fakben notes that this ransomware shares only a name with CryptoLocker, making It clear the new code is different than the original.
Regardless of the variant, crypto-ransomware targets exploits and vulnerabilities in products such as Flash and Java. A recent Bromium survey determined that 90 percent of security professionals believe their organization would be more secure if it disabled Flash.
Finally, Linux servers have been hit by a ransomware attack that gains administrative access and encrypts key files. These attacks should be of little concern to end users since the attacks were against admin servers.
Organizations should be concerned with crypto-ransomware because once an attack succeeds, recovery options are limited to installing from back-ups. Detection and reaction are destined to fail against crypto-ransomware. The only hope for preventing crypto-ransomware attacks is proactive protection, such as the threat isolation provided by Bromium vSentry.