Erich’s “What in the (cyber security) world is going on?” 01-26-17 edition

Lots of new stuff happening this week in the ransomware side of the house. In addition, you still need to be watching for W2 scams as they are starting to get reported. Having said that, here is my wrap up from the last week.


Facebook users hit with “You are in this video?” malware scam

Scammers are always looking for ways to get you to click on things. This one preys on your fear of stupid things you may or may not have done on camera. Not saying this would get to me, but there might still be a video of me singing “Any Man of Mine” during a tequila-fueled karaoke session a number of years ago. We all have that moment, right? Even if you don’t care to admit it, we are curious about what video we may be in, and the scammers are using this to get you to click on malicious links, in this case phishing for credentials. Be careful folks.


Android Ransomware Locks Phone and Asks for Credit Card Number

Fortinet researcher Kai Lu discovered this new threat. It appears to be targeting only Russian-speaking users, but it demands a HUGE ransom of about $9100 (545,000 Russian rubles) via credit card. I’m going to take a quick look in my crystal ball and say that I don’t expect this to actually work. You can buy a LOT of phones for $9100, and would you trust them with your credit card number? Yeah, no. Who knows though, perhaps it’s a proof of concept.


Xiongmai messed up again, exposing installer passwords for a bunch of DVRs

Xiongmai’s 2017 list of superuser passwords for certain DVRs was found on a LinkedIn page. This list is designed only for CCTV installers to access customer installations and is essentially a per-day, one-time superuser password for their DVR service. It appears to only impact versions sold in China, but it’s representative of the security practices of the org.


The St. Louis Public Library got hit by ransomware

They didn’t pay, but it messed things up for a couple of days. I can’t imagine the tension in the libraries over the couple of days this was going on. Hell hath no fury like a librarian slightly annoyed!



Delaware Blue Cross Blue Shield customer records got hit with ransomware

19,000 records were impacted. Because it’s healthcare, it’s considered a breach by the HHS. Not a fun thing. Reading between the lines, I would have to guess that the data was not encrypted when the ransomware hit, otherwise they could argue the breach classification down.


Houston, we have a problem… Data breach reported at Houston area Popeye’s

Popeye’s got, well… popped. Malware was found on computer systems at seven Houston area locations. It looks like it was there between May 5, 2016 and August 18, 2016.


New Satan Ransomware available through RaaS

A security researcher, Xylitol, discovered a new Ransomware as a Service, or RaaS, called Satan. This is a profit-sharing type of ransomware, kind of like a bad lawyer in the sense that if you don’t win, you don’t pay. The RaaS developers take a 30% cut, and the scale slides down from there based on the number of infections. RaaS means that scammers don’t need many skills to spread this sort of ransomware. We will start seeing a lot more of this moving forward.


Everyone’s least favorite ransomware is back and testing new infection tactics

One new Locky campaign is being called ‘Double Zipped Locky’, where the idea is to hide the malicious payload in a Zip file within a Zip file, hoping that the victim will think they’re opening a document. It also drops the Kovter Trojan, which remains on the infected system and is used to run click-fraud and malvertising campaigns.

The second one is an email posing as a failed bank transaction with a .rar file containing a malicious JavaScript file that downloads Locky and installs it.
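A defender-side check for the double-zipped shape described above, written as an added Python example for this post (not code from the original article or from any vendor write-up). It opens nested zips in memory and flags an inner script or executable where a document was expected; the suspicious-extension list and the sample archives are constructed for the example.

```python
"""Flag the 'Double Zipped Locky' shape: a zip whose member is itself a zip,
which in turn carries a script or executable rather than the expected document."""
import io
import zipfile

# Inner payload types treated as suspicious. Assumed list for this example:
# the post names a JavaScript downloader; the rest are common script/EXE types.
SUSPICIOUS_EXT = (".js", ".jse", ".wsf", ".vbs", ".exe", ".scr")

def inspect_zip(data, depth=0, max_depth=3):
    """Return (deepest nesting level, [suspicious member paths]).
    Nested zips are opened in memory; paths read like 'inner.zip/payload.js'.
    max_depth bounds recursion so a deliberately deep archive cannot stall us."""
    deepest, findings = depth, []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith(".zip") and depth < max_depth:
                try:
                    inner_depth, inner = inspect_zip(zf.read(info), depth + 1, max_depth)
                except zipfile.BadZipFile:
                    findings.append(f"{name} (not a valid zip)")
                    continue
                deepest = max(deepest, inner_depth)
                findings.extend(f"{name}/{p}" for p in inner)
            elif name.lower().endswith(SUSPICIOUS_EXT):
                findings.append(name)
    return deepest, findings

def is_double_zipped_dropper(data):
    """True when there is at least one nested archive AND a suspicious payload."""
    depth, findings = inspect_zip(data)
    return depth >= 1 and bool(findings)

def build_sample(inner_name, payload_name, payload=b"// constructed stand-in, not malware\n"):
    """Construct a zip-in-a-zip in memory so the check can be run offline."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(payload_name, payload)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(inner_name, inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    print(inspect_zip(build_sample("invoice.zip", "invoice.js")))
```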


USB Sticks Could Infect Your Network With New Spora Ransomware Worm

There is some interesting new info out about Spora. This ransomware offers an option of future immunity (for a fee) and does not need a C&C server, so blocking outbound communication doesn’t help. The new part is that it adds the ‘hidden’ attribute to files and folders on the desktop, in the root of USB drives and on the system drive, so with the standard folder options they no longer show up. It then creates Windows shortcuts with the same name and icon as the hidden files and folders; the .LNK files open the original file while also executing the malware and the worm. Pretty tricky.

It looks like Spora is the variant that hit a nursing school recently. An instructor’s files were unreadable on his home PC, so he brought them in on a USB drive to try them on a work machine. It did not end well.
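A check for the hide-and-shadow pattern just described, added here as a Python example (not code from the original post or from the Spora research it cites): it looks for entries carrying the Windows ‘hidden’ attribute that sit beside a visible shortcut named ‘&lt;original name&gt;.lnk’. The desktop listing is constructed for the example; the scanner reads real attributes only on Windows.

```python
"""Spot the Spora hide-and-shadow pattern: a file or folder given the Windows
'hidden' attribute next to a visible shortcut named '<original name>.lnk'."""
import os
import stat
from dataclasses import dataclass

# Windows hidden bit; the stat constant is used when present, 0x2 otherwise.
HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)

@dataclass(frozen=True)
class Entry:
    name: str      # directory entry name, e.g. "Budget 2017.xlsx" or "Photos.lnk"
    hidden: bool   # Windows hidden attribute set on the entry

def find_shadowed_entries(entries):
    """Return, sorted, the hidden entries that have a visible .lnk twin.

    Spora hides the original and drops '<name>.lnk' beside it; with default
    folder options Explorer shows only the shortcut, and because known
    extensions are hidden too, it is displayed simply as '<name>'."""
    lnk_stems = {e.name[:-4].lower() for e in entries
                 if not e.hidden and e.name.lower().endswith(".lnk")}
    return sorted(e.name for e in entries
                  if e.hidden and e.name.lower() in lnk_stems)

def scan_directory(path):
    """Apply the check to a real directory (desktop, USB root, system drive).
    st_file_attributes exists only on Windows; elsewhere nothing is hidden."""
    entries = []
    for de in os.scandir(path):
        attrs = getattr(de.stat(follow_symlinks=False), "st_file_attributes", 0)
        entries.append(Entry(de.name, bool(attrs & HIDDEN)))
    return find_shadowed_entries(entries)

# Constructed sample listing (not a real capture) of a desktop after infection.
SAMPLE_DESKTOP = [
    Entry("Budget 2017.xlsx", hidden=True),
    Entry("Budget 2017.xlsx.lnk", hidden=False),
    Entry("Photos", hidden=True),
    Entry("Photos.lnk", hidden=False),
    Entry("desktop.ini", hidden=True),   # legitimately hidden, no shortcut twin
    Entry("Chrome.lnk", hidden=False),   # ordinary shortcut, no hidden twin
]

if __name__ == "__main__":
    for name in find_shadowed_entries(SAMPLE_DESKTOP):
        print(f"hidden original shadowed by a .lnk: {name}")
```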


Argyle School District Employees Hit with W2 Scam Data Breach

A school district in Argyle, TX got hit with a W2 scam that looked like it came from the District Superintendent. The email requested the 2016 W-2 information for all employees of the district and the employee sent it. This really happens folks, and now all of these people are at risk for fraudulently filed tax returns and identity theft. We need to spread the word about this, especially this time of year.

There is a new spam campaign spreading Sage 2.0 ransomware

Sage 2.0 is demanding a $2000.00 ransom and is being spread by the RIG and Sundown exploit kits. It is also exfiltrating data hidden inside a .png image via steganography. I have been saying that I expect to see more strains doing data exfiltration, and this is an example of that.

Stay safe out there folks!

Erich Kron is the Security Awareness Advocate at KnowBe4, and has over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the US Army 2nd Regional Cyber Center-Western Hemisphere.
