RSA Monthly Online Fraud Report
RANSOMWARE: INFECT ME NOT
June 2012

RSA researchers have been following ransomware campaigns and ransomware Trojan attack waves and have recently analyzed a new variant that holds infected PCs hostage until their owners make a €100 payment to the botmaster. The more interesting part of this malware’s operations is its location: what appears to be a server most likely orchestrating botnet monetization and affiliate infection deals.

Ransomware is the type of malware that infects a PC and then locks the user’s data, most commonly by encrypting files or by injecting a rogue MBR (master boot record) into the system’s start-up routine. Ransomware can come as standalone malicious code or coupled with other malware. This type of malicious campaign has been on the rise and is ever popular, with many recent cases combining banking Trojans with ransomware. While the user’s files are typically locked until the ransom is paid, the victim is still free to browse the Internet, thus allowing the banking Trojan to continue collecting information on the victim uninterrupted.

The Trojan involved in the cases studied by RSA is a ransomware that begins by checking the future victim’s geo-location and adapting a ransom page to the local language for thirteen different countries. The fact that this malware aims at 13 specific countries may seem targeted enough at first sight, but that is only the case for one variant: if this malware is shared or sold with other criminals, they could easily adapt it to their own targets.

ANALYSIS OF A RANSOMWARE KIT

The Trojan encrypts the end-user’s personal data (documents, photographs, etc.) and then demands they pay to receive an unlock code for their system. Once the user pays with a valid PIN/voucher, the botmaster actually sends back an unlock command and releases the hold on the PC. Unlocking the PC is a rare occurrence in cybercrime. Most ransomware botmasters do not have any set-up designed to unlock the PC.
Of course, this case is not an indication of an honorable thief, but rather of a cybercriminal planning to possibly re-monetize that bot in the future.

Researchers at RSA Trojan Labs obtained and ran the malware’s executable binary and confirmed that although it begins with typical ransomware deployment, it promptly moves to checking the victim’s geographic location. In order to determine the location of the infected machine, the malware uses a Windows function called GetUserGeoID (at the user level this setting can be accessed via Control Panel -> Regional and Language Options -> Location). Although this method is simple, it is efficient and rarely deployed by other similar Trojans. The malware converts the country name to a unique 3-character ID and then uses that code in its GET request to the C&C server for a customized ransom message to the victim. The Trojan receives back the country-specific page on the fly.

Unlike other ransomware variants, this malware downloads an archived file (PK header) containing one main HTML page, JS/CSS files and the ransom-demanding image presented to the victim. RSA researchers were able to recognize 13 different ransom kits available for this Trojan. All kits are located in the same folder, and some countries have two different types of images that can be downloaded and used by the ransomware (in cases where more than one language is spoken in that country, such as Belgium).

After the ransomware infected the PC, the kit was downloaded and unpacked locally. This is the point at which the Trojan begins its primary communication with the botmaster’s remote server.
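The kit download described above, a PK-header archive bundling one HTML page, JS/CSS files and a ransom image, lends itself to a simple content-inspection heuristic at a web proxy or in a sandbox. The following Python script is an added example written for this analysis; it is not RSA's code and the report describes no such tool. It assumes the inspector is handed the raw HTTP response body as bytes; the KitVerdict structure, the file-extension sets and the two sample archives are constructed here for illustration.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Local file header of the first zip member; this is the "PK header" the report refers to.
PK_MAGIC = b"PK\x03\x04"

HTML_EXT = {".html", ".htm"}
SCRIPT_EXT = {".js", ".css"}
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


@dataclass
class KitVerdict:
    """Summary of one inspected response body (hypothetical structure, not RSA's)."""
    is_zip: bool
    members: list = field(default_factory=list)
    html: int = 0
    script: int = 0
    image: int = 0

    @property
    def looks_like_ransom_kit(self) -> bool:
        # The kit shape from the report: an HTML page, JS/CSS files and a ransom image.
        return self.is_zip and self.html > 0 and self.script > 0 and self.image > 0


def _extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def inspect_response_body(body: bytes) -> KitVerdict:
    """Classify a captured HTTP response body; never raises on malformed input."""
    if not body.startswith(PK_MAGIC):
        return KitVerdict(is_zip=False)
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            names = [info.filename for info in zf.infolist() if not info.is_dir()]
    except zipfile.BadZipFile:
        # Right magic bytes but no valid central directory: truncated or not really a zip.
        return KitVerdict(is_zip=False)
    verdict = KitVerdict(is_zip=True, members=names)
    for name in names:
        ext = _extension(name)
        if ext in HTML_EXT:
            verdict.html += 1
        elif ext in SCRIPT_EXT:
            verdict.script += 1
        elif ext in IMAGE_EXT:
            verdict.image += 1
    return verdict


def build_sample_kit() -> bytes:
    """Constructed sample archive shaped like the kit the report describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("index.html", "<html><body><img src='lock.png'></body></html>")
        zf.writestr("lock.js", "document.body.style.overflow = 'hidden';")
        zf.writestr("style.css", "body { background: #000; }")
        zf.writestr("lock.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # fake PNG bytes
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed benign archive (documents only) to show the heuristic does not fire."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "quarterly numbers")
        zf.writestr("data.csv", "a,b\n1,2\n")
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("kit", build_sample_kit()),
        ("benign", build_benign_archive()),
        ("html", b"<html>not an archive</html>"),
    )
    for label, body in samples:
        v = inspect_response_body(body)
        print(f"{label}: zip={v.is_zip} ransom_kit={v.looks_like_ransom_kit} members={v.members}")
```

The heuristic only fires when all three component types are present, which keeps ordinary document archives out of the alert stream. An archive whose first member does not sit at offset zero, or an empty archive, does not begin with PK\x03\x04 and is deliberately left to other checks rather than guessed at.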
The communication serves three main purposes:
–– Inform the botmaster of the addition of a new bot and send the infected machine’s IP address (which is then used to define the infected PC’s physical location)
–– Obtain a blacklist of potentially fake prepaid card/voucher numbers defined by the botmaster
–– Ping the botmaster to use the C&C as a drop for the coming ransom payment (in the shape of a card PIN/voucher number)

This Trojan also makes a few copies of itself and saves them under different names locally on the infected PC.

RANSOMWARE’S CYBERCRIME SERVER SIDE

Much like other Trojans, this ransomware is managed via server-side scripts on the botmaster’s resources. The variant analyzed in this case used four resources, all of which were located on the same physical server, using two different IP addresses held with a Russian-based ISP, which is typical for the vast majority of ransomware.

RSA was able to deduce that the ransomware analyzed is actually part of a larger cybercrime operation. The botmasters behind this malware variant are clearly bot-herding and monetizing their botnets using a loader Trojan, banking Trojans and ransomware variants. The server hosting the ransomware has proven to also be a drop zone for stolen credentials amounting to well over €80,000.

EVEN MORE RANSOMWARE

An additional type of ransomware found on the same server was targeting German consumers, instructing victims to pay €100 for an unlock code. The message informed the victim that their system was infected due to infringement and is now locked using strong AES-256 encryption. The locker claims that the only anti-virus software that can clean the system is “Antivirus System Repair v2.2” / “Antivirus Harddisk Repair v2.2”, the fake name used by the cybercriminals. Infected PC owners are told to purchase a prepaid card/voucher for €100 and make the payment to: systemantivirus@yandex.ru.
Open source search results for this malware and email address show that it was used widely in recent ransomware infection campaigns.

[Figure: Ransom message presented to users of the infected machine, demanding a €100 payment for the fake AV]

CONCLUSION

Ransomware has been gaining speed among cybercriminals and bot-herders, likely because this extortion method works and keeps paying off, as victims believe that if they pay, their system will be unlocked. With ransom amounts averaging €100, it seems as though the botmasters behind these scams keep the fee relatively low, possibly so that the victim will prefer to pay it in hopes of releasing the hold on their PC rather than contact a support professional. Another factor keeping victims quiet is the typical ransomware accusation, including things such as software and music infringement. It is very possible that users do not know they were infected by malware and are not keen on contacting someone about it, thus allowing this type of malware to enjoy its continued popularity.

PHISHING ATTACKS PER MONTH

In May 2012, phishing volume increased by seven percent, with a total of 37,878 global attacks identified by RSA. The bulk of the increase observed in the past two months is a result of highly targeted phishing campaigns launched against a small number of financial institutions.

[Chart: Phishing Attacks per Month, May 2011 to May 2012. Source: RSA Anti-Fraud Command Center]

NUMBER OF BRANDS ATTACKED

The number of brands targeted by phishing attacks throughout May increased by four percent, and fifty percent endured fewer than five attacks.

[Chart: Number of Brands Attacked, May 2011 to May 2012. Source: RSA Anti-Fraud Command Center]

US BANK TYPES ATTACKED

Phishing attacks against U.S. nationwide bank brands decreased by 20 percent while credit unions saw a 13 percent increase in phishing volume in May.

[Chart: US Bank Types Attacked, share of attacks by bank type, May 2011 to May 2012. Source: RSA Anti-Fraud Command Center]

TOP COUNTRIES BY ATTACK VOLUME

After being targeted by 28 percent of worldwide attacks in April, Canada saw a huge drop in attack volume in May to just three percent. The UK remains the most heavily targeted country for the third consecutive month, enduring more than 60 percent of global phishing volume in May.

[Chart: Top Countries by Attack Volume, May 2012: United Kingdom 63%, U.S. 25%, 42 other countries 6%, Canada 3%, Brazil 2%]

TOP COUNTRIES BY ATTACKED BRANDS

The countries with the most attacked brands in May were the U.S., UK, and Australia, accounting for 47 percent of all phishing attacks. Brands in Brazil, India, Canada, China, France and Italy also continue to remain highly targeted by phishing.

[Chart: Top Countries by Attacked Brands, May 2012: U.S. 31%, United Kingdom 11%, Australia 5%, Brazil 4%, India 4%, Canada 3%, China 3%, France 3%, Italy 3%, 38 other countries 33%]

TOP HOSTING COUNTRIES

The U.S. saw an increase of ten percent in the number of phishing attacks it hosted in May, rising to 66 percent, or two out of every three attacks. Brazil also remained a top host with nine percent and Germany with four percent.

[Chart: Top Hosting Countries, May 2012: U.S. 66%, Brazil 9%, Germany 4%, U.K. 2%, Canada 2%, Japan 2%, Spain 2%, France 1%, Netherlands 1%, Portugal 1%, 60 other countries 10%]

CONTACT US

To learn more about how RSA products, services, and solutions help solve your business and IT challenges, contact your local representative or authorized reseller, or visit us at www.emc.com/rsa

©2012 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. JUN RPT 0612