Cyber Security

Locky Ransomware Trojan Spotted this August 2018

New Ransomware, Botnet Threat: IKARUSdilapidated Attack is August ’17 Locky Rebirth

A Special Update from the Comodo Threat Intelligence Lab

A new August 2018 ransomware campaign began on August 9th and is attacking unsuspecting users around the world. First detected by the Comodo Threat Intelligence Lab, this is a large-scale, email-based ransomware attack in which a new Trojan malware variant appears as an unknown file and can slip into unsuspecting and unprepared organizations’ infrastructures.

Within just the first few days of the coordinated Locky ransomware attack, tens of thousands of users were being targeted by a simple-looking email with an attachment and little to no content in the email body. The attachment is an archive file named “E 2017-08-09 (580).vbs”; for each email, “580” is an ever-changing number and “vbs” is an ever-changing extension.

The attached file names are similar, but the extension varies: it may be .doc, .zip, .pdf, or an image type (.jpg or .tiff). The attachment actually downloads “IKARUSdilapidated,” the newest member of the “Locky” ransomware family. Named for the appearance of the string “IKARUSdilapidated” in its code, it is clearly related to the “Ransom Locky” Trojan and shares some of its characteristics.

Social engineering is used to get the user to click. When the user does as instructed, the macros save and run a binary file that downloads the actual encryption Trojan, which encrypts all files matching particular extensions, including the common ones found on most machines. After encryption, a message displayed on the user’s desktop instructs the victim to download the Tor browser (popular because it allows anonymous browsing) and then visit a specific criminally operated web site for further information.

The web site contains instructions demanding a ransom payment of between 0.5 and 1 bitcoin (currently, one bitcoin varies in value between 500-1000 Euros) in exchange for (hopefully) decrypting the now-encrypted files.

Phishing and Trojan experts from the Comodo Threat Intelligence Lab (part of Comodo Threat Research Labs) detected these new “Locky” ransomware attacks and verified that they began on August 9th; more than 62,000 phishing emails were detected at Comodo-protected endpoints within just the first three days. The attachments were classified as “unknown files,” put into containment, and denied entry until they had been analyzed by Comodo’s technology and, in this case, by the lab’s human experts.

The Threat Intelligence Lab’s analysis of the thousands of emails sent in the phishing campaign revealed this attack data: 11,625 different IP addresses in 133 different countries are being used to perform this campaign. The countries housing the most attack servers are Vietnam, India, Mexico, Turkey, and Indonesia.

The team checking the IP range owners saw that most are telecom companies and ISPs. This indicates that the IP addresses belong to infected, now compromised computers (also called “zombie computers”). This quantity of servers can only be used for a specific task if they are formed into a large bot network, or botnet, and have a sophisticated command and control server architecture. This means the description of the elements of this August 2017 malware attack now includes the term “botnet,” in addition to ransomware, Trojan, and phishing attack.

It also shows the increasing sophistication, organization, and size of new ransomware attacks and adds more credence to the call to act from security experts everywhere to “adopt a default deny security posture” and deny entry into your IT infrastructure to new, “unknown” files.

Fatih Orhan, head of the Comodo Threat Intelligence Lab and Comodo Threat Research Labs (CTRL), said, “This latest ransomware phishing attack that commenced on August 9th was unique in its combination of sophistication and size, with a botnet and over 11 thousand IP addresses from 133 countries involved in just the first stage of the attack. When artificial intelligence couldn’t identify these unknown files, the full resources of the lab were needed to perform Locky ransomware analysis to identify the code in the file and render a verdict; in this case the verdict was ‘bad’ and we’ve now added it to our blacklist and malware signature list.”

Orhan went on to state, “Using ‘default deny’ security with containment of unknown files is what protected our users from this new Locky ransomware threat. Even ‘default allow’ plus the latest machine learning algorithms and A.I. would not have been sufficient to prevent infection.”

He added that botnets, like the one created in this attack, were particularly powerful weapons for criminals to use to scale their ransomware attacks and that by building on previous cyberattack Trojans like 2016’s “Locky,” it is getting easier to develop higher end ransomware that will not be recognized as “bad” by leading endpoint protection platforms.
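The indicators the article reports for the campaign (a date-stamped attachment name with a varying number and extension, a script extension behind a document-looking name, and an email with little or no body text) and the “default deny” stance Orhan describes can be combined into a simple gateway triage. The Python below is an added example written for this page, not Comodo’s code or product logic: the script-extension list, the body-length threshold and the double-extension check are assumptions that go beyond what the article states, and the sample messages are constructed. Unknown files are contained regardless of indicators; the indicators only tell an analyst which contained files to look at first.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Extensions Windows hands to a script host when double-clicked.
# Assumption: this list is ours, not taken from the Comodo report.
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta", "ps1", "bat", "cmd"}

# Document/image types the lure attachments were made to resemble (from the article).
LURE_EXTENSIONS = {"doc", "docx", "zip", "pdf", "jpg", "jpeg", "tiff", "tif"}

# Name shape reported for the campaign: "E 2017-08-09 (580).vbs"; the number
# in parentheses and the extension vary from message to message.
CAMPAIGN_NAME_RE = re.compile(r"^E \d{4}-\d{2}-\d{2} \(\d+\)\.[A-Za-z0-9]+$")

# Bodies shorter than this count as "little to no content".
# Assumption: threshold chosen for this example.
MIN_BODY_CHARS = 20


@dataclass
class Attachment:
    filename: str
    body_chars: int    # characters of text in the carrying email's body
    known_good: bool   # True only if this exact file has already been vetted


def extensions(filename: str) -> List[str]:
    """Return every dotted extension, lower-cased: 'a.pdf.vbs' -> ['pdf', 'vbs']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def verdict(att: Attachment) -> Tuple[str, List[str]]:
    """Default deny: anything not already known good is contained.

    The reasons list prioritises analyst review; an unknown file with no
    indicators is still contained, just with a generic reason.
    """
    if att.known_good:
        return "allow", []

    reasons = []
    exts = extensions(att.filename)
    last = exts[-1] if exts else ""

    if CAMPAIGN_NAME_RE.match(att.filename):
        reasons.append("campaign-style name")
    if last in SCRIPT_EXTENSIONS:
        reasons.append(f"script extension .{last}")
    if len(exts) >= 2 and exts[-2] in LURE_EXTENSIONS and last in SCRIPT_EXTENSIONS:
        reasons.append("document extension hiding a script extension")
    if att.body_chars < MIN_BODY_CHARS:
        reasons.append("attachment with little or no body text")
    if not reasons:
        reasons.append("unknown file (default deny)")
    return "contain", reasons


def triage(batch: List[Attachment]) -> dict:
    """Count verdicts over a batch, as a gateway summary report would."""
    counts = {"allow": 0, "contain": 0}
    for att in batch:
        counts[verdict(att)[0]] += 1
    return counts


# Constructed sample messages (not real campaign data).
SAMPLE = [
    Attachment("E 2017-08-09 (580).vbs", 0, False),   # matches the reported lure exactly
    Attachment("E 2017-08-09 (731).zip", 3, False),   # same name shape, archive extension
    Attachment("Invoice.pdf.js", 12, False),          # double extension
    Attachment("Q3-report.pdf", 420, True),           # vetted file, normal email
    Attachment("holiday-photo.jpg", 85, False),       # unknown, but no indicators
]

if __name__ == "__main__":
    for att in SAMPLE:
        decision, why = verdict(att)
        print(f"{att.filename:26} -> {decision:7} {'; '.join(why)}")
    print(triage(SAMPLE))
```

Running the block prints one line per sample attachment with its verdict and reasons, then the batch counts; four of the five constructed messages end up in containment, the vetted report being the only one allowed through.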

Technical Analysis – A Deeper Dive
If you’d like to know more about this threat and dive deeper into the code and how the attack was deployed, read the new “Comodo Threat Intelligence Lab SPECIAL REPORT: AUGUST 2017 – IKARUSdilapidated.” This special report and its appendix include:

  • The Comodo Threat Intelligence Lab technical analysis of a contained sample of IKARUSdilapidated
  • The scripts run during execution
  • More detail on the extensions and locations of the servers used in the attack

This Special Report and the prior quarters’ Comodo Threat Research Labs Threat Report can be found in the Reports area at https://www.comodo.com/resources/

Source: https://blog.comodo.com/comodo-news/new-locky-ransomware-trojan-spotted/

Cyber Security

Shift Left Is Upon Us

Shift Left is upon us. In the past few weeks and months we’ve published demos, event sessions, webinars and whitepapers, all sharing how organizations can embed security earlier in the DevOps process. To ensure code is delivered securely and at the pace of the business, development teams are carrying an additional responsibility: securing their code before it is pushed to production. Jim Routh discusses his thoughts on TF7.

Episode Overview:

One of the most respected cyber security professionals in the world and former CISO of Mass Mutual, Aetna, KPMG, DTCC, and American Express, Mr. James Routh appears on Episode #179 of Task Force 7 Radio to break down what companies should be doing to defend themselves against supply chain attacks and how CISOs should be thinking about their DevOps programs moving forward. Mr. Routh also gives his thoughts on how the new U.S. administration should shape cyber security policy and on whether the newly announced sanctions against Russia went far enough to be a successful deterrent against future attacks. We wrap up the third segment of the show with his thoughts on the cyber security job market and the talent war, as Mr. Routh breaks down what employee retention should really look like.

Source: https://www.cshub.com/executive-decisions/articles/shift-left-is-upon-us

Cyber Security

4 Innovative Ways Cyberattackers Hunt for Security Bugs

Source: https://threatpost.com/4-ways-attackers-hunt-bugs/165536/

Cyber Security

QR Codes Offer Easy Cyberattack Avenues as Usage Spikes

Source: https://threatpost.com/qr-codes-cyberattack-usage-spikes/165526/

Cyber Security

Pulse Secure Critical Zero-Day Security Bug Under Active Exploit

Source: https://threatpost.com/pulse-secure-critical-zero-day-active-exploit/165523/
