Blackmailers: a threat to the past or the future?

    If we look at attack vectors, the number of new unique virus families, and the evolution of malware, we will notice that this becomes the most serious and widespread security threat. Under the cut, I’ll talk about the analysis of blackmailers and protection against them.



    An analysis of blackmail programs for 2016 showed the following:

    • Each quarter of the year, more than 500 million spam emails are sent containing spam and blackmail program downloaders that try to automatically install on users' computers.
    • Blackmail downloaders hit over 13.4 million computers.
    • On the other hand, 4.5 million computers were infected with Meadgive and Neutrino malware , the main attacking code of which is blackmail programs.
    • In 2016, blackmail programs were detected on 3.9 million PCs.

    The impact of blackmail programs affected not only private users; business companies and the public sector were also their victims. After the main media reported these attacks, including the fact that a hospital in California paid attackers to recover important medical files, as well as a malfunction in the San Francisco transport system , the idea of ​​blackmail programs went deeper into the public mind. In September, a Europol report called blackmail programs the largest digital threat, leaving behind malware to steal data and online banking trojans.

    It is noteworthy that, according to the Windows Defender antivirus data, an interesting trend is observed: reaching a peak in August 2016 - 385 thousand registered cases of blackmailing programs - in September their number was almost halved and continues to fall.



    Fig. 1. The monthly frequency of detection of payload files by blackmailers, with the exception of downloaders and other components. Some industry data combine these two indicators.

    Does this trend mean that the end of blackmailers is foreseen? If you look at other areas of the spread of blackmail programs, it turns out that this is not so.

    Blocking blackmail programs at the point of entry


    To understand whether the prevalence of blackmail programs is really declining, it is necessary to study other areas of the infection chain, starting with attack vectors. Windows Defender Antivirus data suggests otherwise.

    Downloader Trojans distributed via email newsletters


    Downloader Trojans, such as Nemucod and Donoff , install blackmail programs on a PC. These downloaders often take the form of document files or shortcuts and are distributed via email.

    The number of e-mail messages containing blackmail bootloaders has not decreased. In the last quarter of 2016, 500 million such messages were recorded. Over the same period, downloader Trojans infected at least 1 million PCs per month. It is obvious that cybercriminals did not stop using blackmail programs to attack users' computers. In fact, until the end of 2016, we witnessed Nemucod’s email exploration campaigns that spread the Locky virus , andDonoff virus campaigns through which the Cerber virus spread .



    Fig. 2. Although the number of cases of blackmailing programs was significantly reduced by the end of 2016, in the second half of the year the infection rate of blackmailing program loaders was higher on average than in the first half of the year.

    Obviously, the decrease in the incidence of blackmail programs is not due to the fact that cybercriminals have become less zealous. There is still a massive amount of emails containing Trojan downloaders for blackmail programs. However, infection by blackmail programs is blocked at the point of entry. This is an interesting move, since in 2016 blackmail distributors switched from using exploits to e-mail as a more effective vector of infection.

    Exploits


    The Neutrino exploit was used to install Locky the blackmailer on a PC . In mid-2016, the incidence of Neutrino infection increased, filling the niche of the Axpergle virus (also known as Angler) after its disappearance in June. Obviously, the prevalence of Neutrino began to decline in September, after its operators handed over the reins to cybercriminal groups.

    Another popular exploit, Meadgive(also known as RIG), initially distributed the Cerber blackmailer. In 2016, Meadgive continued to grow steadily, becoming the most frequent exploit for malware distribution. In December 2016, the Meadgive mailing campaign began with the latest version of the Cerber virus, which was carried out mainly in Asia and Europe.

    Although exploits are being used less and less , blackmail programs continue to exploit exploits to infect computers. This is because exploits allow blackmail programs to increase permissions and run potentially dangerous programs with fewer restrictions.

    Hackers are looking for new ways


    The blackmail programs have not yet set in motion, and another evidence of this is the numerous malware innovations recorded in 2016.

    Cybercriminals are constantly updating their toolkit. For example, at the end of 2016, significant updates to the latest version of Cerber were recorded .

    These malicious code enhancements are gradually being introduced in attacks such as blackmail programs as a service in which cybercriminals can get the latest versions of blackmail programs on illegal forums. This provides cybercriminals with the necessary resources and motivation to organize attacks.

    The following are some of the improvements in blackmailers that we witnessed in 2016.

    Attacks on servers


    The discovery of the Samas blackmailer in early 2016 made these programs a major threat to commercial companies. Faced with blackmail programs targeting servers, IT administrators were forced to not only take care of end-user protection, but also strengthen server security.

    Samas distribution campaigns exploited server vulnerabilities . They searched for vulnerable networks using pen test and used various components to encrypt files on servers.

    Features of Worm Viruses


    Zcryptor tended to spread, which means that some blackmail programs could move from one endpoint to another without resorting to spam campaigns. The worm virus detects network and logical drives and removable media that it can use to spread. At the very beginning of 2017, the Spora virus was detected , showing a similar behavior.

    Alternative payment and communication methods


    Typically, blackmailers demanded payment through Bitcoin on illegal Tor websites. In response to the decrease in payments from victims, cybercriminals began to look for new payment methods.

    The Dereilock blackmail program , for example, forced its victims to contact the cybercriminals via Skype, and Telecrypt offered to use the Telegram Messenger messaging service to communicate with the cybercriminals.

    Spora took the path of “shareware” services - a couple of files of the victim could be decrypted for free, and for a small amount a number of files could be decrypted.

    New methods of blackmail


    In 2016, most blackmail programs began using a countdown timer. This causes the victim to immediately pay a ransom, under pain of irretrievable loss of access to files.

    When the Cerber blackmail program came out in March, it made a splash: in addition to the usual ransom message in the form of a text and HTML document, VBScript converted the text into an audio message with a ransom request. Therefore, Cerber was called the "talking blackmailer."

    Another CornCrypt blackmail program offered to decrypt files for free, provided that the victim infects two other users. Attackers counted on the snowball effect: the more victims, the greater the likelihood that one of them will pay.

    New families of blackmailers - ranking leaders


    The threat from the blackmail programs most likely will not wane, as evidenced by the emergence of new families of blackmail programs. Of the more than 200 active families detected, approximately half were first recorded in 2016.

    Most new families of blackmailers use encryption. This type of blackmail program replaced the older versions with a screen lock, which simply blocked the screen and did not use file encryption.

    In 2016, many families of blackmailers appeared using new methods and techniques. At the same time, 68% of cases of blackmailer detection in 2016 were attributed to five leaders.



    Fig. 3. Cerber and Locky, discovered in 2016, became leaders of the year among blackmail programs

    It is interesting to note that the two leading families of blackmail programs were discovered only in 2016.

    Cerber


    Cerber was discovered in March 2016 and was named for the file extension. From March to December she hit over 600 thousand PCs.

    Cerber’s illegal forums offer a “blackmail program as a service”, so attackers can send it out without writing malicious code. Its operation is largely determined by the configuration file. The latest version of Cerber can encrypt almost 500 file types. It is known that when searching for files for encryption, the program can select the highest priority folders. Cerber is distributed mainly through spam mail containing the Donoff bootloader that installs it.



    Fig. 4. The frequency of Cerber detection has fallen sharply since September, with the prevalence of Donoff, the Cerber bootloader, rising in December.

    Cerber virus infection is also known to be via Meadgive or the RIG exploit. Meadgive was the lead exploit in late 2016.

    Locky


    In 2016, Locky became the second most common blackmail program, infecting over 500 thousand computers. It was discovered in February and was also named for the file extension. Since then, it has been using other extensions, including .zepto, .odin, .thor, .aeris, and .osiris.

    As with Cerber, spam operators subscribe to Locky as a "blackmailer as a service." It contains code for the encryption routine, and can also receive encryption keys and ransom messages from a remote server before encrypting files.

    Initially, Locky was distributed through the Neutrino exploit; later, spam emails with the Nemucod virus, which downloaded and launched Locky, were used.



    Fig. 5. The frequency of Nemucod detections in the second half of 2016 remained constant, despite the fact that the prevalence of Locky significantly decreased over this period.

    Blackmailers as a global threat


    In 2016, blackmailers turned into a real global threat and were discovered in more than 200 countries. In the United States alone, blackmail programs hit over 460 thousand PCs. Italy and Russia follow (252 thousand and 192 thousand cases of detection, respectively). In Korea, Spain, Germany, Australia, and France, more than 100,000 infections have been reported.



    Fig. 6. Infection with blackmailers has been registered in more than 200 countries.

    The largest number of cases of Cerber infection is registered in the USA: 27% of the total number of infections with this virus in the world. Another powerful blackmailer, Locky, was discovered in 2016. She became the second of the most common families of blackmail programs in the United States.

    In Italy and Russia, by contrast, older versions of blackmail programs are more common. In Italy, the highest number of cases of infection with the Critroni virus, which appeared in 2014, was noted. When the Critroni blackmail program first appeared, its ransom reports were compiled in English and Russian. Subsequent versions introduced other European languages, including Italian.

    The Troldesh virus, detected in 2015, became the leader in the number of infections in Russia. After encrypting the files, Troldesh displayed on the desktop a message in Russian and English, which contained instructions on how to contact the attackers, and payment instructions.



    Fig. 7. The countries with the highest prevalence of blackmail programs - the USA, Italy, Russia, Korea, Spain - are affected by different virus families, possibly due to the local nature of spam campaigns.

    Conclusion: the growing threat requires new countermeasures


    Despite the decline in the general distribution of blackmail programs, attack vectors, the number of unique virus families and improvements in malicious code, we still don’t see the end of this multifactorial security threat.

    Microsoft has created and is constantly improving Windows 10 so that your security features are directly integrated into the operating system.

    Blackmail protection against infections


    Most infections by blackmailers begin with receiving emails containing downloader Trojans. This is the main vector used by cybercriminals to install blackmail programs. Service Advanced Threat Protection Office 365 has the capability of machine learning, which block dangerous emails containing programs-downloaders blackmailers.

    Some blackmail programs infiltrate computers through exploits. The Microsoft Edge browser will help protect your computer from blackmail programs by preventing exploits from launching and executing these viruses. Thanks to Microsoft SmartScreen, the Microsoft Edge browser blocks access to malicious websites that may contain exploits.

    Device Guard can block devices and provide protection at the kernel virtualization level, allowing the launch of only trusted applications and prohibiting the launch of blackmail programs and other dangerous software.

    Blackmail Detection


    The creators of the blackmail programs are perhaps one of the most productive attackers ever creating new virus families and updating existing ones. They are also very resourceful in choosing attack vectors to install blackmail programs on your computers.

    Windows 10 helps immediately detect an attack by a blackmailer at the first sign of its occurrence. Windows Defender Antivirus detects blackmail programs, as well as exploits and downloader Trojans that install them. Using cloud technology, this antivirus helps protect your computer from the latest threats.

    Windows Defender Antivirus is built into Windows 10 and when turned on, it protects your PC from threats in real time. Regularlyupdate Windows Defender Antivirus and other software for the most current protection of your PC.

    Responding to blackmail attacks


    Windows Defender Advanced Threat Protection (Windows Defender ATP) notifies security professionals of suspicious activity. These actions are common to some families of blackmail programs, such as Cerber , and may be specific to blackmail programs in the future.

    The evaluation version of Windows Defender ATP is free .

    Enhanced protection in Windows 10 Creators Update


    Among the existing security features, the most powerful will be Windows 10 Creators Update, which includes Windows Defender Antivirus and integration with Office 365 to create multi-level protection that reduces the vulnerability of e-mail attacks.

    Windows Defender Antivirus will enhance contextual recognition and machine learning capabilities that detect behavioral abnormalities and help detect viruses at different points in the infection chain. Improved threat analytics integration provides faster spam blocking.

    Windows Defender ATP allows security professionals to isolate compromised PCs from the corporate network , stopping the spread of the virus on the network.

    This update also allows you to specify the types of quarantined files and prohibit their subsequent execution.

    The threat of blackmailers may not disappear soon, but Windows 10 will continue to improve protection against this malware.



    Tomorrow, September 27, at 10:00 (Moscow time) we will host the international online forum “You Trust IT. The path to business security! ”, Where you will learn how to secure your project, avoid external threats, minimize the risks of losing important business information and avoid losses.

    Participation is free .

    Also popular now: