Skip to content

Ransomware

WannaCry‬pt ransomware note likely written by Google Translate-using Chinese speakers

Quote

The ‪WannaCry‬pt extortion notes were most likely written by Chinese-speaking authors, according to linguistic analysis.

WannaCry samples analysed by security outfit Flashpoint contained language configuration files with translated ransom messages for 28 languages. All but three of these messages were put together using Google Translate, according to Flashpoint.

Analysis revealed that nearly all of the ransom notes were translated using Google Translate and that only three, the English version and the Chinese versions (Simplified and Traditional), are likely to have been written by a human instead of machine translated. Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggest the speaker is non-native or perhaps poorly educated.

Flashpoint found that the English note was used as the source text for machine translation into the other languages.

The two Chinese ransom notes differ substantially from other notes in both content, format, and tone. This means they were likely that the Chinese text was put together separately from the English text and by someone who is at least fluent in Chinese if not a native speaker. The Chinese note is longer than the English note, containing content absent from other versions of the shake-down message.

The most plausible scenario is that the Chinese was the original source of the English version, say analysts. Flashpoint concludes that the unidentified perps – without speculating on their nationality – are likely to be Chinese speakers.

Flashpoint assesses with high confidence that the author(s) of WannaCry’s ransomware notes are fluent in Chinese, as the language used is consistent with that of Southern China, Hong Kong, Taiwan, or Singapore. Flashpoint also assesses with high confidence that the author(s) are familiar with the English language, though not native. This alone is not enough to determine the nationality of the author(s).

Ransomware scum build weapon from JavaScript

Quote

Demands $250, steals passwords for good measure

 

New ransomware written entirely in JavaScript has appeared encrypting users files for a US$250 (£172, A$336) ransom and installing a password-stealing application.

Researchers @jameswt_mht and @benkow_ found the ransomware they dubbed RAA.

Bleeping Computer malware man Lawrence Abrams described the ransomware noting it is shipped as a JS file and uses the CryptoJS library for AES encryption.

“RAA is currently being distributed via emails as attachments that pretend to be doc files and have names like mgJaXnwanxlS_doc_.js,” Abrams says.

“When the JS file is opened it will encrypt the computer and then demand a ransom of about US$250 USD to get the files back.

“To make matters worse, it will also extract the embedded password stealing malware called Pony from the JS file and install it onto the onto the victim’s computer.”

The ransomware launches a word document that appears to be corrupted, and serves to distract users while the malware encrypts files.

Microsoft in April warned of a spike in malicious JavaScript email attachments shortly before virus writers behind Locky sent their ransomware in that format.

Trend Micro researchers say Locky and RAA use JavaScript files also as malware downloaders which obtain and install a malware.

“The RAA ransomware is considered unique because it’s rare to see client-side malware written in web-based languages like JavaScript, which are primarily designed to be interpreted by browsers,” they say . “… users are advised to avoid opening attachments with the filenames mentioned above, even if they’re enclosed in a .zip archive.”

No means yet exist for free decryption.

Rule of thumb, do not open attachments unless you are absolutely sure the sender is valid and actually sending you something for which you asked.

We receive many emails with malware attachments from ***known*** users because they are irresponsible and do not secure their passwords or systems with strong passwords and anti-malware software. So even if you recognize the sender, do not assume it is safe.

Cisco security disable big distributor of “ransomware”

Quote

Cisco Systems Inc (CSCO.O) said it had managed to disrupt the spread of one of the most pernicious systems for infecting Internet users with malicious software such as so-called ransomware, which demands payment for decrypting users’ data.

The investigators from Cisco’s Talos security unit were looking at the Angler Exploit Kit, which analysts at several companies say has been the most effective of several kits at capturing control of personal computers in the past year, infecting up to 40 percent of those it targeted.

They found that about half of computers infected with Angler were connecting to servers at a hosting provider in Dallas, which had been hired by criminals with stolen credit cards. The provider, Limestone Networks, pulled the plug on the servers and turned over data that helped show how Angler worked.

The research effort, aided by carrier Level 3 Communications (LVLT.N), allowed Cisco to copy the authentication protocols the Angler criminals use to interact with their prey. Knowing these protocols will allow security companies to cut off infected computers.

“It’s going to be really damaging to the attacker’s network,” Talos manager Craig Williams told Reuters ahead of the release of the report.

Cisco said that since Limestone pulled the plug on the servers, new Angler infections had fallen off dramatically.

Limestone’s client relations manager told Reuters his company had unwittingly helped the spread of Angler before the Cisco investigation.

Often sold in clandestine Internet forums or in one-to-one deals, exploit kits combine many small programs that take advantage of flaws in Web browsers and other common pieces of software. Buyers of those kits must also arrange a way to reach their targets, typically by sending spoof emails, hacking into websites or distributing malicious advertisements.

Once they win control of a target’s computer, exploit kit buyers can install whatever they want, including so-called ransomware. This includes a number of branded programs, also sold online, that encrypt users’ computer files and demand payment to release them.

Talos estimated that if three percent of infected users paid the ransom averaging $300, the criminals that had used the Limestone servers to spread Angler could have made about $30 million a year.

Good job Cisco!