Slashdot Mirror


New Ransomware-as-a-Service Speaks To Victims (csoonline.com)

itwbennett writes: Cerber, a new file-encrypting ransomware, has a couple of interesting features. First, according to cyber intelligence outfit SenseCy, it is available for sale 'as a service' on a private Russian-language forum, which makes it 'available to low-level criminals who might not have the coding skills or resources to create their own ransomware,' writes Lucian Constantin. Second, one of the 3 files it drops on a victim's desktop is a VBS (Visual Basic Scripting) file containing text-to-speech code that converts text into an audio message. 'When the above script is executed, your computer will speak a message stating that your computer's files were encrypted and will repeat itself numerous times,' said Lawrence Abrams, administrator of the technical support forum BleepingComputer.com, in a blog post.

40 comments

  1. It sounds like you want to buy your computer free by Anonymous Coward · · Score: 0

    do you need assistance? Here is a map with the shops where you can acquire Bitcoin.

  2. VBS text-to-speech script by Anonymous Coward · · Score: 0

    WOW! That shit's gonna run GREAT on my Gentoo box!

    1. Re:VBS text-to-speech script by Anonymous Coward · · Score: 0

      Mac users have nothing to worry about here either.

      Actually, since this appears to be a Trojan, any user who doesn't run stuff will be safe for now... but I'm sure this stuff will start being spread by malvertising so it will hit everyone eventually, especially sites which demand that one's ad blocker be shut off before they deliver content.

      Funny thing, I cannot really blame the malware writers. Without the extensive advertising partners who guarantee their software will be spread far and wide, they would at best be something one would encounter on a warez site. However, with today's advertisers, any malware can be shoved at the world, with plenty of plausible deniability to go around.

  3. Wow... by Anonymous Coward · · Score: 1

    They basically made Clippy for their ransomware...

    It's a friendly thief...

    [tap tap] "Hi, I just encrypted all your files and for the low price of $20 I'll give them back to you (we take paypal!)"

    1. Re:Wow... by TheRealMindChild · · Score: 1

      It probably uses the same technology (Microsoft Agent)

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson

  4. O no ... not again, please! by Anonymous Coward · · Score: 0

    Back in the mid / late 1990s one could hear "You have new mail." from far too many office PCs.

    Now this.

    THAT'S NOT FUNNY! >;->

    1. Re: O no ... not again, please! by Anonymous Coward · · Score: 1

      Obviously you haven't heard it enough times, as the correct phrasing "you've got mail" isn't yet etched into your soul.

  5. The more it changes.... by ls671 · · Score: 0

    The more it changes, the more it is the same.

    --
    Everything I write is lies, read between the lines.

    1. Re:The more it changes.... by Anonymous Coward · · Score: 0

      just like hipsters..

  6. Ha Ha by Anonymous Coward · · Score: 1

    Say it isn't so...

  7. Re: It sounds like you want to buy your computer f by Anonymous Coward · · Score: 0

    Since bitcoin is going to shit, they'll have to change it to pulling up Google maps and showing you the nearest location that has Western Union.

  8. Two simple measures... by jcr · · Score: 0

    1) Keep backups.
    2) Don't run Windows.

    Problem solved.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."

    1. Re: Two simple measures... by Anonymous Coward · · Score: 0

      That's not a solution. Windows products top any other OS installation globally, especially for small businesses.

    2. Re: Two simple measures... by Anonymous Coward · · Score: 0

      Somehow, I think you're confused. I think Android took that crown while you weren't looking.

    3. Re: Two simple measures... by Anonymous Coward · · Score: 0

      I hope you didn't strain yourself coming up with this novel solution.

      -notjcr

    4. Re: Two simple measures... by chipschap · · Score: 1

      "Keep backups" is certainly a solution if done diligently. Of course, it's stating the obvious to say that this is often not the case.

      As to suggestion 2 and the response, I realize zillions of small businesses run Windows. We could get into a long discussion about whether they have to do so (my thought is that it's truly necessary only sometimes) but yes, they do, so they better learn good security practices. That's the real solution.

    5. Re: Two simple measures... by interval1066 · · Score: 1

      Not so much any more. People are starting to pull away from office, which was the overriding factor for windows, to cloud-based stuff. Don't even use windows for my work machine.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'

    6. Re: Two simple measures... by Anonymous Coward · · Score: 0

      Agreed. I pulled away from Windows when the abomination that was Windows 8 became known. FreeBSD/OpenBSD and online stuff or even LibreOffice should I need to format a CV or something.

    7. Re: Two simple measures... by mlts · · Score: 3, Interesting

      The problem is that keeping backups is a lot more difficult than it was in the past, when one could buy a tape drive, have it toss files there, physically write protect the cartridge, and keep that in a safe place.

      The typical consumer/business backup mechanism is usually either dumping to a file share, dumping to an external HDD, a copy to a cloud drive, or a copy to a cloud provider. All of which ransomware like this can stomp on, just by overwriting/encrypting backups. A cloud provider -might- have some backlevel versions, but they likely might just only have at most 30-90 days worth of files. That SAN with all the replication doesn't do much good, as it will replicate the rm and encrypted files.

      The ideal way to combat this is a program running on another machine which pulls the data. Something that runs on another machine and does a function similar to:

      ssh foohost ' ( cd /home ; tar cvf - * ) ' | zbackup --password-file ~/mysecret backup /some/fs/zbackup/backups/homedirbackup.tar

      Of course, adding date/time variables is left as an exercise to the reader... However, doing this not just ensures that ransomware can't touch the machine where the backups are on, but allows files to be backed up as often as one wishes, with only changes being saved. This is the only real defense to ransomware, and not often done.

      On the Windows side, programs to fetch data from clients are expensive (no SSH), the cheapest is probably Windows Server Essentials (descendant of Windows Home Server) which can fetch and store client data.

    8. Re:Two simple measures... by Anonymous Coward · · Score: 0

      Running backups is not a good option unless it's easy/automatic. Making a snapshotting filesystem not only available, but the default for Windows would cure this for the most popular OS. (And "don't run Windows" is stupid/not an answer, even though I personally haven't run Windows as anything but an isolated partition for running proprietary apps, ever, in 30 years).

    9. Re:Two simple measures... by CanadianMacFan · · Score: 1

      1) Run backups
      2) Verify that they are working on a regular basis
      3) Stay away from Windows

      The second step is the most important. Just having the backup process come back without an error doesn't mean that you are safe. If you can't get your files from a backup then they aren't backed up!

    10. Re: Two simple measures... by Anonymous Coward · · Score: 0

      doing this not just ensures that ransomware can't touch the machine where the backups are on, but allows files to be backed up as often as one wishes, with only changes being saved. This is the only real defense to ransomware, and not often done.

      One can do that one better by adding a few "flytrap" documents with different file extensions and formats of the type ransomware likes to attack (Word, Excel, JPEG, etc), and any differential backup which detects one of them has changed should (1) mark the prior backup for preservation to avoid deletion on the normal schedule, and (2) generate an alert/notification.

      This could be defeated if ransomware ever became smart enough to only encrypt files changed recently, but the user wins this arms race using a script which frequently updates the flytrap document using a predictable algorithm that the backup can verify.
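      The flytrap idea above, as an added example that is not the commenter's code: each decoy file holds content derived from its name, the date and a secret shared by the client and the backup host (the "predictable algorithm" the comment mentions), so the backup side can recompute it before a differential run and treat any mismatch as a sign that something rewrote user documents. File names, the secret and the scenario are constructed for the demo.

```python
import hashlib, hmac, os, tempfile
from datetime import date

# Hypothetical decoy names; extensions chosen to match the file types the comment lists.
FLYTRAP_NAMES = ("budget.xlsx", "notes.docx", "holiday.jpg")

def expected_content(name: str, day: date, secret: bytes) -> bytes:
    """Predictable content: HMAC over file name and date, recomputable by the backup host."""
    msg = f"{name}|{day.isoformat()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest().encode()

def refresh_flytraps(directory: str, day: date, secret: bytes) -> None:
    """Client-side job: rewrite each flytrap with the expected content for the day."""
    for name in FLYTRAP_NAMES:
        with open(os.path.join(directory, name), "wb") as f:
            f.write(expected_content(name, day, secret))

def check_flytraps(directory: str, day: date, secret: bytes) -> list:
    """Backup-side check: names of flytraps that are missing or whose content differs."""
    tampered = []
    for name in FLYTRAP_NAMES:
        path = os.path.join(directory, name)
        try:
            with open(path, "rb") as f:
                actual = f.read()
        except FileNotFoundError:   # deleted or renamed, e.g. to a ransomware extension
            tampered.append(name)
            continue
        if not hmac.compare_digest(actual, expected_content(name, day, secret)):
            tampered.append(name)
    return tampered

def backup_decision(tampered: list) -> str:
    """Action for the differential backup: keep the prior snapshot and alert, or rotate normally."""
    return "preserve-and-alert" if tampered else "rotate-normally"

def demo() -> tuple:
    """Constructed scenario: healthy flytraps, then one overwritten in place as if encrypted."""
    secret = b"constructed-demo-secret"   # assumed shared between client and backup host
    today = date(2016, 3, 4)
    with tempfile.TemporaryDirectory() as d:
        refresh_flytraps(d, today, secret)
        clean = check_flytraps(d, today, secret)
        with open(os.path.join(d, "notes.docx"), "wb") as f:
            f.write(b"\x00garbage standing in for ciphertext")
        after = check_flytraps(d, today, secret)
    return clean, after, backup_decision(after)
```

      In real use both sides would pass date.today(), and the check runs on the machine that pulls the backup so the result cannot be tampered with from the client.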

    11. Re: Two simple measures... by Anonymous Coward · · Score: 0

      Backup that can be overwritten too soon, is not a proper backup.

    12. Re: Two simple measures... by Anonymous Coward · · Score: 0

      "The problem is that keeping backups is a lot more difficult than it was in the past." That statement is wrong. I do weekly backups to two USB HDDs that are alternated. One resides off-site. These drives are only connected when doing backups (I have not needed to restore any data yet). I also use a 64 GB flash drive for backup purposes. It is only connected when doing backups. Only my files are backed up, not any OS files at all.

      My important files are also copied onto the HDDs of two laptops, one of which is never connected to the Internet. I can reinstall my OS of choice from DVD, so no need to back up the OS files.

    13. Re: Two simple measures... by Anonymous Coward · · Score: 0

      Encrypt all the users files. But still allow access thru an online key automatically.

      Wait 6 months until you are sure all their files are encrypted. Backed up or not.

      And then pull the key.

      encrypted pc. backups infected too. pay up.

    14. Re: Two simple measures... by JoeMerchant · · Score: 1

      Nothing is stopping any organization from purchasing physical multi-TB external hard drives and using them like fast, reliable tapes.

    15. Re: Two simple measures... by Anonymous Coward · · Score: 0

      The problem is that you expose yourself to delayed malware. There are ransomware utilities which encrypt files, but keep the keys around for a week to a month, so people think their documents are OK... then comes zero hour, and the ransomware notice. Now most people's backups with two HDDs are shredded, and Mozy has purged the unexpired documents.

      I would agree that backups are harder to keep. External drives are not backups. Malware deciding to encrypt those drives just means you now have hosed backups as well as hosed original documents. Remember: Malware is, without a doubt, the best functioning software in existence with the least amount of bugs. The bad guys don't want you to have backups, and each generation of malware goes further to destroy backups. So, you can't trust -anything- on the client machine when doing a backup. You want to have a server to go out, fish the files, and stash them, so the client can only either drop the connection, or send corrupted data. Existing backups would be protected.

      People don't think malware is an issue... but with ad makers declaring war on blockers and malvertising being the #1 infection vector, it just might be you and your business that gets nailed.

    16. Re: Two simple measures... by scarboni888 · · Score: 1

      This only works if the only machine or machines that access the files are infected with the same ransom/malware sharing the same keys.

      In a multi-user environment sharing network drives the infected machine may still be able to read the encrypted files but any other machines which have not been simultaneously infected using the same coordinated key (more than likely the case) will immediately run into encrypted files then you have plenty of time to get the data back from backups.

    17. Re: Two simple measures... by wbr1 · · Score: 1

      30 to 90 days is plenty. No different than an earlier write protected backup tape in terms of utility for data recovery. If you get a crypto virus and wait 30 days before attempting a fix, well, you deserve what you get.

      --
      Silence is a state of mime.

    18. Re: Two simple measures... by Anonymous Coward · · Score: 0

      I think you're an idiot

  9. Horseshit! by Anonymous Coward · · Score: 0

    ransom32 is javascript ransomware. It hasn't targeted/hit Linux yet. But, that doesn't mean that it couldn't target Linux and Mac tomorrow.

  10. thanks slashdot by Anonymous Coward · · Score: 2, Informative

    i posted this and it had a red icon.... and you chose to promote a duplicate to the frontpage that had a blue rating and also attached a CSOOnline link that did nothing other than hop on the work of Lawrence Abrams from Bleeping Computer... fuck off ... stop promoting that CSOOnline shit already.... do you guys have a contract with IDG or something?

  11. Thing of the past I tells ya! by Anonymous Coward · · Score: 0

    The government will swoop in and save us all by requiring these ransomware schemes include backdoors in their encryption :D

  12. There's also paper-based ransomware by penguinoid · · Score: 3, Funny

    Have you heard about the paper-based ransomware that's been going about the USA? It automatically searches for papers containing images of presidents, and locks them up, preventing you from accessing them. It supposedly offers you a way to unlock them again, but in reality that's just a waste of time. It's called the Civil Asset Forfeiture Trojan, and seems to have infested many government agencies.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways

  13. Not really text-to-speech code by omtinez · · Score: 1

    I went into the linked blog post to see what this text-to-speech code (in a vbs script no less!) was all about, and it turns out it's just a couple of lines calling Windows' SpVoice interface. Quite disappointing.

  14. Like a Clippy for Ransomware by Anonymous Coward · · Score: 0

    It looks like you're trying to access your data. I can help you with that.

    For a price.

  15. It's about time! by scarboni888 · · Score: 1

    By 2016 ALL software should cater to accessibility needs - regardless of its status malware or not.