New Ransomware Campaign Has 0% Detection

Heimdal Security
Published in Healthy paranoia
Sep 30, 2015

There is a new spam campaign targeting Scandinavians and it’s spreading as you’re reading this.

This is the fourth major ransomware campaign we’ve reported since the beginning of September, and what is worrisome is the fact that detection rates have remained very, very low.

Security Alert: Over 142 Million Legitimate Websites Could Deliver Ransomware Because of Script Injection Compromise
Issued on: September 4, 2015
Detection rate at the time of the report: 4/63 on VirusTotal
Current detection rate: 5/65 on VirusTotal

Security Alert: Antivirus Detection Low on New Spam Campaign that Infects PC with CryptoWall 3.0
Issued on: September 11, 2015
Detection rate at the time of the report: 6/65 on VirusTotal
Current detection rate: 40/57 on VirusTotal (this is the spam campaign that progressed the most in terms of antivirus detection)

Security Alert: The Global “Get Your Cryptolocker as a Package” Campaign Continues [Updated]
Issued on: September 21, 2015
Detection rate at the time of the report: 2/56 on VirusTotal
Current detection rate: 2/56 on VirusTotal (no progress)

Detection rates for the second part of the same campaign, which targeted Scandinavian residents:
Detection rate at the time of the report: 1/56 on VirusTotal
Current detection rate: 1/56 on VirusTotal (no progress)

Following the crippling effects of this last campaign, another spam run delivering ransomware has emerged. Heimdal Security has collected and analyzed the information pertaining to this new attack, which is less sophisticated than the previous one, but no less dangerous.

How the current ransomware campaign works

The current spam campaign is spreading ransomware by sending a spam email to arbitrary recipients with an attached Word document. That document contains macros, which, when activated, will download and run the malicious ransomware.

The unwanted e-mail arrives with the following contents:

From: [spoofed / fake return address]

Subject Line: 3850581942

Attached: Scet_9462201788.docx

If the attached document is opened and macros are activated, the payload is copied to: %AllUsersProfile%\Application Data\Windows\csrss.exe

To ensure that the code runs again after a reboot, the infection creates a value under the Run registry key (the name mimics the legitimate Windows process, but the real csrss.exe lives in the System32 directory, not under Application Data):

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\“Client Server Runtime Subsystem” = “C:\Documents and Settings\[%AllUsers%]\Application Data\Windows\csrss.exe”

In the next phase, the payload contacts the central C&C server and reports the machine's location along with other system information, via: http://2cc4[.]ml/reg.php

The infection then encrypts all data files on the local disk and on any mapped network drives, appending this extension to each of them: “.breaking_bad”

In order to decrypt the files and regain access to the data, the victim must first communicate with two different Gmail accounts and pay the ransom.
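The chain described above leaves three host- and network-side artifacts a defender can look for: the Run value name and payload path, the appended file extension, and the check-in URL. The following is an added example, not code from the original article, that checks constructed samples of a Run-key export, a file listing and a proxy log against those indicators; the sample data and function names are assumptions made for this example.

```python
import re
from typing import Dict, List

# Indicators as given in the write-up above.
RUN_VALUE_NAME = "Client Server Runtime Subsystem"
# The legitimate csrss.exe lives in System32; the payload sits under Application Data.
PAYLOAD_RE = re.compile(r"\\application data\\windows\\csrss\.exe$", re.IGNORECASE)
RANSOM_EXT = ".breaking_bad"
C2_URL_RE = re.compile(r"https?://2cc4\.ml/reg\.php", re.IGNORECASE)


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """Return 'name -> command' for Run-key values matching the persistence above.
    run_values maps value name to command line, as exported from HKCU\\...\\Run."""
    findings = []
    for name, command in run_values.items():
        exe = command.strip().strip('"')
        if name == RUN_VALUE_NAME or PAYLOAD_RE.search(exe):
            findings.append(f"{name} -> {exe}")
    return findings


def find_encrypted_files(paths: List[str]) -> List[str]:
    """Return paths carrying the extension the ransomware appends."""
    return [p for p in paths if p.lower().endswith(RANSOM_EXT)]


def find_c2_checkins(log_lines: List[str]) -> List[str]:
    """Return proxy log lines that reached the C&C check-in URL."""
    return [line for line in log_lines if C2_URL_RE.search(line)]


# Constructed sample data (not taken from a real system).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Client Server Runtime Subsystem": r'"C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe"',
}
SAMPLE_FILES = [
    r"\\fileserver\share\budget.xlsx.breaking_bad",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Documents\report.docx.breaking_bad",
]
SAMPLE_PROXY_LOG = [
    "2015-09-30T09:14:02 10.0.0.12 GET http://2cc4.ml/reg.php?id=TESTHOST 200",
    "2015-09-30T09:14:05 10.0.0.12 GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    print("Run key:", check_run_values(SAMPLE_RUN_VALUES))
    print("Encrypted files:", find_encrypted_files(SAMPLE_FILES))
    print("C&C check-ins:", find_c2_checkins(SAMPLE_PROXY_LOG))
```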

At the time of writing, the payload completely evaded detection by all 57 anti-malware engines listed on VirusTotal.

The full VirusTotal page shows the detection rates at the moment the campaign was discovered.

Are you vulnerable to ransomware attacks?

Do you have the latest Windows updates installed? Is every single software app you use up to date? Are you able to detect dangerous web destinations when you go online? Do you have a multi-layered security system in place to protect your data?

If the answer to at least one of these questions is “no”, then you are exposed to becoming a Cryptoware attack victim. And these are just the basic security measures you should follow every single day.

But very few people do, unfortunately. For example, let’s look at some key figures.

Outdated browsers are among the most common attack vectors that cyber criminals employ in their campaigns. So things become quite risky when millions of users choose, or are forced by their employers, to use versions of IE, Firefox or Chrome which are not up to date.

Internet Explorer 7, 8, 9 and 10 users account for 2.7% of all IE usage across the world. That would mean approximately 8.6 million users (a figure estimated from the current number of Internet users in the world, 3.2 billion).

Firefox users aren’t doing a better job at staying up to date either, with 20.5% still using Firefox versions 33 through 40 (the latest version being 42) or older.

Even Chrome users are exposed, although Google introduced the auto-update feature quite some time ago. More than half (63.4%) of the most popular browser’s users are still running older versions, from Chrome 39 to Chrome 45 or older. Only 0.6% of them actually use Chrome 46, the latest and most secure iteration of Google’s browser.

Out-of-date operating systems also pose a huge threat, especially when 3.6% of Internet users worldwide still have Windows XP installed, for which Microsoft ended support months ago. That means over 11.5 million users who are sitting ducks for any cyber criminal attempt to take advantage of them.

Social engineering or manipulating the targeted victims into opening malicious emails containing infected attachments is also a big issue, and cyber criminals are very capable of tapping into this human vulnerability.

This data, coupled with other vulnerable applications and the lack of cyber security education, is what makes ransomware attacks so successful in attaining their malicious goals, irreversibly damaging the victim’s data.

Conclusion

We recommend you exercise extreme caution when it comes to opening emails from unknown senders. It’s advised never to open an email from an unknown source, but, if your job entails that type of interaction, then do get additional protection and do not open attachments if they look suspicious.

Also, if you are unsure of how ransomware can affect you, your loved ones or your business, please read the following guide: What is Ransomware and 9 Easy Steps to Keep Your System Protected.

Originally published at heimdalsecurity.com on September 30, 2015.
