Last week, two new ransomware threats surfaced. SC Magazine reported that one was found by security firm Symantec and the other by a security researcher at cloud services provider Rackspace. Both rest on the same basic idea: encrypt the user's data, then demand payment for the key that restores it. This time, however, the malware creators are hoping to collect in bitcoins.
Angling for Cash
According to a post on the InfoSec Community Forums by Rackspace security expert Brad Duncan, the Angler exploit kit is now being used to distribute new variants of the TeslaCrypt and AlphaCrypt ransomware. The new malware uses instructions similar to CTB Locker and demands up to $528 in bitcoins to unlock user files. The post-infection screen gives little away: users are shown a message reading, “Hello! All your important files are encrypted,” along with the current cost of decryption and a bitcoin address for payment. The malware never names itself, but according to Duncan it is very similar to CryptoLocker and “appears to be another evolution from this family of ransomware.” Over the last week, older versions of this malware have been replaced by the new variant, which uses the same hash each time but comes with a unique bitcoin address.
Meanwhile, Techworld reported that Symantec came across new ransomware that borrows from the popular television show “Breaking Bad” as it attempts to extort users. First noticed in Australia, this Trojan campaign uses imagery and quotes from the TV series along with CryptoLocker.S to lock down files and demand up to $800 in bitcoins. The splash screen for the demand is modeled on a fictional restaurant chain from the show, Los Pollos Hermanos, and the payment address uses a line from main character Walter White: “I am the one who knocks.”
According to Symantec, there is nothing particularly noteworthy about the ransomware aside from its use of TV references. Users become infected by opening booby-trapped zip files, which display a harmless decoy PDF when extracted so that nothing appears amiss. The Trojan then encrypts files with a randomly generated AES key, and that key is in turn encrypted with a public key, so only the holder of the matching private key can recover it; the victim's machine never holds what is needed to undo the damage. What is interesting is that the security company would likely have overlooked this variant if it weren't for the “Breaking Bad” theme, which garnered some attention online. Now that companies are aware of the threat, however, its reach and impact are significantly reduced.
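The two-layer scheme described above (a random per-file AES key, wrapped under a public key) is the standard hybrid-encryption pattern, and it explains why recovery without the attacker's private key is not an option. The following Go program is an added illustration written for this page; it is not code from Symantec, from the malware, or from any of the campaigns discussed, and the sample plaintext, the 2048-bit RSA keys and the AES-256-GCM choice are assumptions made for the demonstration (the article only says "AES" and "public key"). The round-trip shows that the holder of the matching private key recovers the file, while an unrelated private key is rejected at the key-unwrapping step.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SamplePlaintext is constructed sample input standing in for a victim's document.
const SamplePlaintext = "Quarterly report draft, not yet backed up."

// EncryptedFile is the on-disk result: the wrapped per-file key plus the AES-GCM output.
type EncryptedFile struct {
	WrappedKey []byte // 32-byte AES key, RSA-OAEP-encrypted under the public key
	Nonce      []byte
	Ciphertext []byte
}

// EncryptFile draws a fresh random AES-256 key for this file, encrypts the content
// with it, then wraps the key under the RSA public key. Nothing here needs the
// private key, so the encrypting host never holds the material required to undo it.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// DecryptFile is the step the extortionist sells: unwrap the AES key with the
// RSA private key, then open the file. With any other private key OAEP fails.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// RoundTrip runs the scheme on SamplePlaintext. It returns the plaintext recovered
// with the matching private key and whether an unrelated private key was rejected.
func RoundTrip() (recovered []byte, wrongKeyRejected bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // key pair the extortionist keeps
	if err != nil {
		return nil, false, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048) // any other key pair
	if err != nil {
		return nil, false, err
	}
	ef, err := EncryptFile(&attacker.PublicKey, []byte(SamplePlaintext))
	if err != nil {
		return nil, false, err
	}
	recovered, err = DecryptFile(attacker, ef)
	if err != nil {
		return nil, false, err
	}
	_, wrongErr := DecryptFile(stranger, ef)
	return recovered, wrongErr != nil, nil
}

func main() {
	got, rejected, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\nunrelated key rejected: %v\n", got, rejected)
}
```

The practical consequence for defenders is the one the article draws: because the per-file key exists in plaintext only briefly, inside the encrypting process, there is nothing to recover from disk afterwards, and restoring from a backup that the infected machine could not reach is the realistic way back.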
Despite new skins and the focus on bitcoin over other forms of payment, these two pieces of ransomware aren't exactly novel or innovative. In fact, most companies have blunted the threat of an encryption attack by backing up critical files either on-site or in the cloud, though a backup that the infected machine can write to is just another target, so copies kept offline or out of reach of that machine are the ones that matter. But the continued recycling of old CryptoLocker code speaks to the effectiveness and simplicity of this threat vector, since even the occasional payment covers many failed attempts. For users, the message is simple: ransom-based malware hasn't gone away, it's simply out of sight. The trick to staying safe? Don't open files from strangers, and always know who's knocking.