BadRabbit: NotPetya Hackers Likely Behind Ransomware Attack, Say Researchers

Technical indicators suggest a cyber-attack which hit Russia and other countries this week was carried out by hackers behind a similar but bigger assault on Ukraine in June, security researchers who analysed the two campaigns said on Wednesday.

Russia-based cyber firm Group-IB said the BadRabbit virus used in this week’s attack shared a key piece of code with the NotPetya malware that crippled businesses in Ukraine and worldwide earlier this year, suggesting the same group was responsible.

The BadRabbit attack hit Russia, Ukraine and other countries on Tuesday, taking down Russia’s Interfax news agency and delaying flights at Ukraine’s Odessa airport.

Multiple cyber-security investigators have linked the two attacks, citing similarities in the malware coding and hacking methods, but stopped short of direct attribution.

Still, experts caution that attributing cyber-attacks is notoriously difficult, as hackers regularly use techniques to cover their tracks and sometimes deliberately mislead investigators about their identity.

Security researchers at Cisco’s Talos unit said BadRabbit bore some similarities to NotPetya, as both were built on the same underlying code, but large parts of that code had been rewritten and the new variant’s distribution method was less sophisticated.

They confirmed BadRabbit used a hacking tool called Eternal Romance, an SMB exploit believed to have been developed by the US National Security Agency (NSA) before being stolen and leaked online in April.

NotPetya also employed Eternal Romance, as well as another NSA tool called Eternal Blue. But Talos said the exploits were used in a different way and there was no evidence BadRabbit contained Eternal Blue.

“It is highly likely that the same group of hackers was behind (the) BadRabbit ransomware attack on Oct. 25, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,” Group-IB said in a technical report.

Matthieu Suiche, a French hacker and founder of the United Arab Emirates-based cyber security firm Comae Technologies, said he agreed with the Group-IB assessment that there was “serious reason to consider” that BadRabbit and NotPetya were created by the same people.

But some experts have said the conclusion is surprising as the NotPetya attack is widely thought to have been carried out by Russia, an allegation Moscow denies.

Ukrainian officials have said the NotPetya attack directly targeted Ukraine and was carried out by a hacking group widely known as BlackEnergy, which some cyber experts say works in favour of Russian government interests. Moscow has repeatedly denied carrying out cyber attacks against Ukraine.

The majority of BadRabbit’s victims were in Russia, with only a few in other countries such as Ukraine, Bulgaria, Turkey and Japan.

Group-IB said some parts of the BadRabbit virus dated from mid-2014, however, suggesting the hackers used old tools from previous attacks. “This corresponds with BlackEnergy timeframes, as the group started its notable activity in 2014,” it said.

[“Source-gadgets.ndtv”]

LeakerLocker Android Ransomware Threatens to Leak Your Personal Information to Your Contacts

It seems as though Google’s Android platform is facing its worst time yet as far as malware goes. After two malware reports in the past week, CopyCat and SpyDealer, there are now reports of another strain, called LeakerLocker, that can send a victim’s personal pictures, messages and browser history to their friends. What’s more, it is described as ransomware that extorts its victims without encrypting any files.

Security company McAfee has discovered that the LeakerLocker ransomware can be downloaded unwittingly from Google Play. So far it has identified two apps in particular, Wallpapers Blur HD and Booster & Cleaner Pro, that carry the malware. Notably, the ransomware collects the victim’s information and creates an unauthorised backup of it, but does not encrypt anything. Instead, it demands “a modest ransom,” failing which the attacker threatens to leak the victim’s private data to their contacts.

McAfee has reported the ransomware to Google. One of the apps, Wallpapers Blur HD, has been downloaded between 5,000 and 10,000 times, and one user has pointed out that the wallpaper app strangely requests permissions such as calls, reading and sending SMS, access to contacts, among other things. The second malicious app, Booster & Cleaner Pro is an easier target as this is the sort of app that requires access to almost everything in your phone to function properly, which users may unwittingly give permission to.
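The permission mismatch the user noticed above (a wallpaper app asking for calls, SMS and contacts) is something a reviewer can check mechanically before install. The following is an added example, not code from McAfee, Google or the apps named in the article: it parses a decoded AndroidManifest.xml, lists the permissions the app requests, and flags those that give access to the kinds of data LeakerLocker threatened to leak but that an app of the declared kind cannot justify. The sensitive-permission labels, the per-kind expectation profile and both manifests are constructed for this example.

```python
"""Flag an Android app whose requested permissions are out of proportion to its
stated purpose, the pattern a user noticed in the Wallpapers Blur HD app.

Added example, not code from McAfee or Google.  The permission groupings and
the per-app-kind expectations are this example's own assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that give an app access to the kinds of data LeakerLocker
# threatened to leak.  The right-hand labels are informal, not Android's
# own permission groups.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "messages",
    "android.permission.SEND_SMS": "messages",
    "android.permission.READ_CALL_LOG": "calls",
    "android.permission.CALL_PHONE": "calls",
    "android.permission.READ_PHONE_STATE": "calls",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and files",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browser history",
}

# Permissions an app of a given kind can plausibly justify.  Constructed
# profile for this example; a real review would tune these per app category.
EXPECTED = {
    "wallpaper": {"android.permission.INTERNET",
                  "android.permission.SET_WALLPAPER"},
}


def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return sorted(el.get(name_attr) for el in root.iter("uses-permission")
                  if el.get(name_attr))


def excess_permissions(manifest_xml, app_kind):
    """Map each sensitive permission the app cannot justify to the data it exposes."""
    allowed = EXPECTED.get(app_kind, set())
    return {p: SENSITIVE[p] for p in requested_permissions(manifest_xml)
            if p in SENSITIVE and p not in allowed}


def exposed_data(manifest_xml, app_kind):
    """Kinds of data the excess permissions would let the app read or leak."""
    return sorted(set(excess_permissions(manifest_xml, app_kind).values()))


# Constructed manifest modelled on the behaviour described in the article:
# a wallpaper app asking for calls, SMS and contacts.  Not the real app's manifest.
WALLPAPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.blurwallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Blur Wallpapers"/>
</manifest>"""

# Constructed manifest for a wallpaper app that asks only for what it needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainwallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <application android:label="Plain Wallpapers"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", WALLPAPER_MANIFEST), ("benign", BENIGN_MANIFEST)):
        excess = excess_permissions(manifest, "wallpaper")
        print(f"{label}: {len(excess)} unjustified permission(s)")
        for perm, data in excess.items():
            print(f"  {perm} -> {data}")
```

The manifest inside a published APK is binary XML; decode it first (for example with apktool or aapt) and feed the resulting text to requested_permissions. The check is a heuristic: it tells you that a wallpaper app can read your contacts and SMS, not that it will, which is exactly the question a user should be asking before tapping “Install”.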

LeakerLocker is the third in a series of malware reports this past week. On Monday, it was reported that an Android malware named SpyDealer had the ability to steal a user’s personal data from over 40 popular apps, including Facebook, WhatsApp, Skype and Telegram. That followed a report last week of a CopyCat malware that had reportedly affected over 14 million Android devices last year. Together these cases paint a gloomy picture of the safety of the Android ecosystem.

For Android users who feel the recent malware reports are piling up, there may be a bit of relief in knowing that Google is reported to be working on an Android ‘panic button’ that would let users exit a potentially malicious app and return to the home screen. There’s no word on when Google will release this feature, but when last reported it was being tested on Android 7.1 Nougat. It may not be much, but at least it shows Google is taking active measures against compromised apps.

[“source-gadgets.ndtv”]

New Ransomware Uses Image Files on Facebook, LinkedIn to Hijack Your Computer: Report

HIGHLIGHTS
New ImageGate malware delivers its payload through Facebook and LinkedIn images
It works in the same way as the Locky ransomware
Researchers recommend users not open downloaded files with unusual extensions
A newly discovered ransomware campaign can infect a computer through malware-laced image files delivered via Facebook and LinkedIn. Researchers claim to have identified a new attack vector, which they call ImageGate, that embeds malicious code in image and graphic files. The researchers also found that the attackers were distributing these files through social media platforms such as Facebook and LinkedIn.

“The attackers have built a new capability to embed malicious code into an image file and successfully upload it to the social media website. The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users’ device as soon as the end-user clicks on the downloaded file,” explained Roman Ziakin and Dikla Barda, Check Point Research team.

The team also says the new malware behaves like the Locky virus, a file-encrypting ransomware that made headlines a few months back. Once a user opens the downloaded file, Locky encrypts the files on the device, and the user regains access to them only when the ransom is paid.

Check Point recommends some steps to stay protected from malware like ImageGate and Locky. “If you have clicked on an image and your browser starts downloading a file, do not open it,” noted the team.

According to the researchers, the attackers are targeting social media sites because they are ‘white listed’ on browsers and that trust can easily be turned against users. The team adds that attackers are “continually searching for new techniques to use social media as hosts for their malicious activities.”

The researchers also recommend that users not open any supposed image file with an unusual extension such as SVG, JS or HTA. SVG is an XML format that can carry embedded script, while JS and HTA are not image formats at all but scripts that Windows executes when they are opened. Check Point says it notified Facebook and LinkedIn of the attack vector in September.
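The two pieces of advice above (do not open a file the browser downloaded when you only clicked an image, and distrust SVG, JS and HTA extensions) can be turned into a check that runs before a downloaded file is opened. The following is an added example and not Check Point’s code: it looks at the final extension of the filename, refuses anything Windows would hand to a script host, and for ordinary image extensions verifies that the file’s leading bytes actually match the claimed format, so a JPEG-named HTML file or a double-extension file such as holiday.jpg.js is caught. The script-extension list, the SVG heuristic and all sample files are constructed for this example.

```python
"""Decide whether a file that arrived as an "image" is safe to treat as one.

Added example, not Check Point's code.  It applies the two checks the advice
above implies: does the final extension belong to a format that Windows runs
rather than displays, and does the file content actually match the claimed
image type?  The lists and samples below are this example's own.
"""
import re

# Leading bytes of the common raster formats.  A file whose extension says
# "JPEG" but whose bytes do not start this way is not a JPEG.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Extensions that Windows hands to a script host (wscript/cscript or mshta)
# on double-click.  "Opening" such a file runs it.
SCRIPT_EXTENSIONS = {".js", ".jse", ".hta", ".vbs", ".vbe", ".wsf", ".wsh"}

# Heuristic for active content inside SVG, which is XML and may embed script.
SVG_ACTIVE = re.compile(rb"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def final_extension(filename):
    """Lower-cased last extension, so 'holiday.jpg.js' yields '.js'."""
    name = filename.strip().lower()
    return name[name.rfind("."):] if "." in name else ""


def classify_download(filename, data):
    """Return (verdict, reason) with verdict in {'allow', 'review', 'block'}."""
    ext = final_extension(filename)
    if ext in SCRIPT_EXTENSIONS:
        return "block", f"{ext} files are executed, not displayed"
    if ext == ".svg":
        if SVG_ACTIVE.search(data):
            return "block", "SVG contains script or event handlers"
        return "review", "SVG is XML and can carry script; sanitize before opening"
    if ext in IMAGE_MAGIC:
        if data.startswith(IMAGE_MAGIC[ext]):
            return "allow", "file header matches the extension"
        return "block", f"content does not start with a {ext} header"
    return "review", f"unexpected extension {ext!r} for an image download"


# Constructed samples standing in for files a browser might have saved.
SAMPLES = {
    # Genuine PNG signature followed by the start of an IHDR chunk.
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    # Double extension: Explorer shows "holiday.jpg" when known extensions are hidden.
    "holiday.jpg.js": b"var s = new ActiveXObject('WScript.Shell');",
    # HTA: mshta.exe runs the embedded script with the user's privileges.
    "image.hta": b"<html><script>new ActiveXObject('WScript.Shell')</script></html>",
    # Claims to be a JPEG but is HTML; no JPEG header.
    "selfie.jpg": b"<html><body onload=\"x()\"></body></html>",
    # SVG with an embedded script element.
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    # Plain SVG with only drawing elements.
    "icon.svg": b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
                b'<rect width="10" height="10" fill="red"/></svg>',
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        verdict, reason = classify_download(name, content)
        print(f"{name:16} {verdict:6} {reason}")
```

The double-extension case matters because Windows Explorer hides known extensions by default, so holiday.jpg.js is displayed as holiday.jpg with a script icon that is easy to miss. The SVG check is deliberately a heuristic: a clean SVG still gets “review” rather than “allow”, because an image viewer that renders SVG through a browser engine will run whatever script the file contains.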

[“Source-Gadgets”]

Ransomware Threat on Rise Globally: Symantec

Ransomware Threat on Rise Globally: Symantec

The average ransom demanded by hackers jumped to $679 (roughly Rs. 45,600) – up from $294 – at the end of 2015, global cyber-security leader Symantec said on Thursday.

With 31 percent of global infections, the US continues to be the most affected country by ransomware and India, with 3 percent infections, ranks ninth in the top 10 list between January 2015 and April 2016, the report noted.

Realising the potential for higher profits, cybercriminals are increasingly targeting businesses; employees in organisations made up 43 percent of ransomware victims.

Given the popularity of smartphones, a number of Android threats have emerged in recent years, the majority of which are locker-type threats. As yet, there have been no documented cases of iOS ransomware.

Further, the growth of the Internet of Things (IoT) also has multiplied the range of devices that could potentially be infected with ransomware.

With a growing awareness of ransomware affecting traditional computers, attackers may turn to IoT to find new, softer targets, the report added.

According to Symantec, 2015 was a record year with 100 new ransomware families discovered.

All but one of the new variants discovered so far in 2016 are crypto-ransomware, which encrypts the user’s files with strong cryptography that cannot practically be broken without the attacker’s key.

If the victim has no back-ups, paying the ransom is the only route to recovery the report identifies, and even that carries no guarantee that a working decryption key will be delivered.

[“Source-Gadgets”]