“Ransomware is betting IT organizations don’t have a good backup solution,” said Dixon Greenfield, Director of Technology at Prime Communications, Inc. “There is a potent solution available to fight the toughest battle out there today.”
Thanks to our friends at Palo Alto, a strategic partner we trust, we are passing along their expertise to you.
Ransomware persists as one of the top crimeware threats thus far into 2016. While the use of document-based macros for ransomware distribution remains relatively uncommon, a new family calling itself “Locky” has borrowed the technique from the eminently successful Dridex to maximize its target base. We first learned of Locky through Invincea and expanded on qualifying this threat with the help of PhishMe. Locky has also gained enough traction to find its way onto Dynamoo’s Blog and Reddit.
Using Palo Alto Networks AutoFocus, Unit 42 observed over 400,000 individual sessions containing the Bartallex macro downloader, which in turned dropped Locky ransomware onto victim machines. Researchers suspect there is a link between the Dridex botnet affiliate 220 and Locky due to similar styles of distribution, overlapping filenames, and an absence of campaigns from this particularly aggressive affiliate coinciding with the initial emergence of Locky. This blog post explores this threat further and offers recommendations on mitigating its impact.
Delivery And Installation
Palo Alto Networks telemetry showed that Locky focuses primarily on e-mail delivery through massive phishing campaigns with Microsoft Word document attachments. The subjects for these malicious messages adhere to the following convention:
ATTN: Invoice_J-< 8-digits>
The naming convention of respective malicious Word document carrier files match the e-mail subject line portion after the “ATTN: “, switch the “i” in invoice to lowercase, and append a “.doc” extension. An example follows:
Subject: ATTN: Invoice J-11256978
Our analysis revealed that this ransomware requires command and control (C2) communication for a key exchange, prior to encrypting victim files. It performs its key exchange in memory for this process. This is interesting, as most ransomware generates a random encryption key locally on the victim host and then transmits an encrypted copy to attacker infrastructure. This also presents an actionable strategy for mitigating this generation of Locky by disrupting associated C2.
Unfortunate victims unable to mitigate this threat would see the following ransom demand.
And a subsequent visit to the referenced Locky payment portal site would reveal the following options for victims.
Threat Volume And Targeting
We observed approximately 446,000 sessions for this threat, over half of which targeted the United States (54%). For comparison, the next most impacted countries, Canada and Australia, only accounted for another nine percent combined.
Industry analysis for targeting reveals expected indiscriminant distribution within impacted countries; however, Higher Education, Wholesale and Retail, and Manufacturing make up over a third of observed targeting.
Pairing this volume with the “decryption cost” advertised for Locky victims, it is clear why ransomware in general continues to thrive in the threat landscape. Using some napkin math furnished by our friends at PhishMe, even if one assumed a 50% efficacy / infection rate for these 446,000 sessions and a 1% payment rate of 0.5 bitcoins (BTC) from victims, the currently observed activity alone yields several hundred thousands of dollars in profits for Locky’s malicious actors.
Locky is aiming high in an effort to join the ranks of other big name ransomware families. Despite some weaknesses in its current implementation, we can expect to see further developments for this threat in the future. Ultimately, successes experienced by one attacker group embolden and inspire others. It goes without saying that cybercrime adversaries will continue to advance efforts to commoditize the already lucrative extortion of victims through encryption-based extortion.
Defending against ransomware first requires a focus on the basics of a strong security posture: security awareness and the hardening and patching of systems. Ransomware can be especially damaging in enterprises, where this class of threat commonly targets network shares and other media attached to corporate assets. To further reduce associated risks, layered preventive controls are a must.
Palo Alto Networks customers are protected through our next-generation security platform:
- WildFire successfully detects this threat as malware
- AutoFocus identifies this threat under the Unit 42 “Locky” tag
- The C2 domains and files mentioned in this report are blocked in our Threat Prevention product
Reprint from Palo Alto Blog Post originally published by Brandon Levene, Micah Yates and Rob Downs
It’s not a surprise that security will be incredibly tight at Super Bowl 50 on February 7 at Levi Stadium in Santa Clara, CA. The venue can fit 68,500 people, according to the stadium website. As the big event approaches, the FBI and Department of Homeland Security has labeled the event a “level one” event, which is the highest classification for national events.
To help local law enforcement, the FBI and U.S Department of Homeland Security issued a memo assessing potential threats. The agencies said: “There will be plenty of security inside Levi’s Stadium. The memo also read: “The most vulnerable targets of opportunity are not inside Levi’s Stadium itself, but outside the stadium,” retired FBI Assistant Special Agent in Charge Jeffrey Harp said.
Government security officials are examining whether recent attacks on fiber optic systems in California could be connected to a “more complex plot” against the game.A series of unsolved incidents in which fiber optic cables in the Bay Area were deliberately severed is one of several risks detailed in memo by the FBI and U.S. Department of Homeland Security intelligence analysts. The concern individuals may be using these incidents to test and prod network durability in conjunction with a more complex plot,” the memo said.
Michele Ernst, a spokeswoman for the FBI’s San Francisco field office, said there have been 15 attacks against fiber optic lines in the region since 2014. Most of the incidents occurred in San Jose, Fremont and Walnut Creek, California. Though San Jose is within five miles of Levi’s Stadium, the other incidents occurred more than 20 to 40 miles away. Adding to security concerns, Intelligence analysts also said the recent terror attacks in Paris raise the possibility that attackers would target spaces outside sports stadiums.
“There’s no question that the Super Bowl would be a highly attractive target. But so would any sporting event,” said Anthony Cordesman, a security strategist for the Washington, D.C.-based Center for Strategic and International Studies.
Security Systems In Place
Part of the city’s security strategy is to share data with the community. Most of the system is in place, according to Santa Clara CIO Gaurav Garg. For instance, the city has made public the video streams from 15 cameras trained on intersections near the stadium. The streams, available through a smartphone application and on the city’s website.
“Really it is creating a single pane of glass for multiple types of information [that can] then be visualized: where the situations are happening, where our public safety assets are, where the cameras are and what the traffic conditions are, according to Garg.