
Archive for the ‘Ransomware’ Category

K7 “Ransomware Protection” is Fighting Fit and Ready

Wednesday, July 13th, 2016

Ransomware, a nasty and, unfortunately, common subclass of malware, is really bad news. The good news, however, is that K7's heuristic, dynamic behaviour-based anti-ransomware feature, Ransomware Protection, was “productionised” and released some time ago. We strongly believe Ransomware Protection will provide users with robust safeguards against various strains of crypto ransomware, from the past (e.g. CryptoLocker), the present (e.g. Locky) and the future (???).

[Image: Ransomware Protection]

Ransomware Protection’s blocking logic is based on recognising and arresting fundamental changes that take place in targeted files when the ransomware’s industry-grade encryption algorithms are applied to them.
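To make that idea concrete, here is an added illustration (not K7's code and not a description of how Ransomware Protection is implemented) of one such "fundamental change" heuristic: a write is flagged when a recognised document header disappears and the byte entropy of the new content jumps to ciphertext-like levels. The sample PDF and the SHA-256 keystream used to produce high-entropy bytes are constructed for the demo.

```python
import hashlib
import math
from collections import Counter

# Magic numbers of common user-document formats (well-known values, not from the post).
MAGIC = {b"\xff\xd8\xff": "jpeg", b"%PDF": "pdf", b"\x89PNG": "png", b"PK\x03\x04": "zip/docx"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def known_type(data: bytes):
    """Name of the document format whose magic bytes open `data`, else None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def looks_like_encryption(before: bytes, after: bytes,
                          entropy_jump: float = 2.0, high: float = 7.0) -> bool:
    """Suspicious when a known header is lost AND the new content's entropy is
    both high in absolute terms and well above the original's."""
    lost_magic = known_type(before) is not None and known_type(after) is None
    h_before, h_after = shannon_entropy(before), shannon_entropy(after)
    return lost_magic and h_after >= high and (h_after - h_before) >= entropy_jump

# --- constructed sample data: a fake PDF, a "ransomed" copy and a benign edit ---
def fake_pdf() -> bytes:
    return b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40

def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """SHA-256 keystream in counter mode, used only to produce realistic
    high-entropy bytes for the demo; not a production cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def benign_edit(data: bytes) -> bytes:
    return data + b"2 0 obj << /Type /Pages >> endobj\n"

def demo() -> dict:
    original = fake_pdf()
    return {
        "ransomed": looks_like_encryption(original, toy_encrypt(original, b"k7-demo-key")),
        "edited": looks_like_encryption(original, benign_edit(original)),
    }
```

A real implementation would apply the check per process across many files, since a single high-entropy write (a user saving a ZIP, say) is not evidence on its own.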

At the Virus Bulletin 2015 international security conference we demonstrated a PoC of the anti-ransomware technology in our presentation “Dead and Buried in Their Crypts: Defeating Modern Ransomware”, and explained how the technology works in some detail so that all of us in the security industry could implement an effective strategy against this highly-damaging type of malware.

Elevating a PoC to a full-blown production-level feature is a time-consuming process since many factors related to stability, false positives and performance need to be considered in an end user environment. We are delighted to have been able to develop and release an anti-ransomware jab which will boost end-user resistance to any ransomware attack. Your precious documents, images and videos should now be safe. Note, we still highly recommend that you back up your important files, as the spectre of bad sectors developing on your hard drive continues to loom large.

Samir Mody, Senior Manager, K7 Threat Control Lab
Gregory Panakkal, Senior Software Architect, K7 Product Engineering Team

If you wish to subscribe to our blog, please add the URL provided below to your blog reader: http://blog.k7computing.com/feed

Don’t Read That Ransomware Spam Script! Seriously Bad Story.

Wednesday, March 9th, 2016

Beware of two aggressive ransomware spam campaigns which have been active for the past few weeks.

The above screenshot of my own spam folder exemplifies the typical theme used by the new ransomware kid on the block, “Locky”, and the latest version of an established ransomware called “TeslaCrypt”.

Although both ransomware spam runs pretend to be an “Invoice”, the next stage of the infection vector for Locky and TeslaCrypt differs significantly. Locky spam mails contain an attachment such as ‘scan_<number>.doc’, whereas the current TeslaCrypt spam contains a ZIP archive wrapping a JavaScript file, e.g. ‘invoice_<random alphanumeric>.js’.

The Locky DOC file contains a password-protected VBA macro script. Please note, since macros can contain malicious code they are disabled by default in Microsoft Word, and should remain so. The objective of the Locky macro script as well as the TeslaCrypt JavaScript is to download and execute the respective ransomware payload EXE.

Typical malicious spam campaigns deliver the payload directly in a ZIP attachment containing an EXE. However, such attachments are easier to block at the email gateway level since they are considered “high risk”. It is more difficult to block non-EXE files at the gateway as a matter of policy, hence the Locky and TeslaCrypt attachments are more likely to get past gateway filters onto the local computer. Thereafter, because the scripts run inside standard interpreting applications (Word and the Windows script host), the download and execution of the ransomware payload is less likely to be blocked by behavioural protection mechanisms such as HIPS and the firewall.
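As an added illustration (not K7's gateway code), the Python check below applies the attachment policy the post describes: it flags the lure-style names quoted above, executables and scripts delivered inside ZIP archives, and legacy .doc files that carry a VBA project. The lure-name pattern comes from the post; the list of script extensions is broadened beyond the .js example, and the OLE marker check is a crude heuristic (OLE directory names are UTF-16LE). All sample attachments are constructed, not real campaign files.

```python
import io
import re
import zipfile

SCRIPT_EXT = (".js", ".jse", ".vbs", ".wsf", ".hta")   # broader than the post's .js example
EXE_EXT = (".exe", ".scr", ".com", ".pif")
# Lure names quoted in the post: scan_<number>.doc and invoice_<alphanumeric>.js
LURE_NAME = re.compile(r"^(scan|invoice)_[a-z0-9]+\.(doc|js)$", re.IGNORECASE)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"           # legacy Office compound file
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")           # stream name present when macros exist

def assess_attachment(name: str, data: bytes) -> list:
    """Return the policy findings for one attachment (empty list = nothing flagged)."""
    findings = []
    lname = name.lower()
    if LURE_NAME.match(lname):
        findings.append("lure-style filename")
    if lname.endswith(EXE_EXT):
        findings.append("direct executable")
    if lname.endswith(SCRIPT_EXT):
        findings.append("bare script attachment")
    if lname.endswith(".doc") and data.startswith(OLE_MAGIC) and VBA_MARKER in data:
        findings.append("legacy Word document with VBA project")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                m = member.lower()
                if m.endswith(EXE_EXT):
                    findings.append("executable inside archive: " + member)
                elif m.endswith(SCRIPT_EXT):
                    findings.append("script inside archive: " + member)
    return findings

# --- constructed samples, not real campaign files ---
def make_zip(inner_name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()

def demo() -> dict:
    fake_macro_doc = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 64
    return {
        "locky": assess_attachment("scan_00412.doc", fake_macro_doc),
        "teslacrypt": assess_attachment("invoice_a7x9q.zip",
                                        make_zip("invoice_a7x9q.js", b"// placeholder")),
        "classic": assess_attachment("order.zip", make_zip("order.exe", b"MZ")),
        "clean": assess_attachment("report.pdf", b"%PDF-1.4 ..."),
    }
```

Note that the "classic" EXE-in-ZIP case is the one most gateways already block; the other two findings are exactly the non-EXE attachments the post says slip through on policy grounds.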

K7 has robust protection at multiple levels against both ransomware campaigns. However, as always, prevention is much better than cure. In the case of spam, it is best to completely avoid emails from unknown sources, especially those which expect one to open an attachment or click on a link.

Samir Mody
Senior Manager, K7TCL


Scareware, Rogue AV & Ransomware

Thursday, December 31st, 2015

This is the third part of the blog series on cyber security, continuing from the second part on mobile security. It focuses on the malware type that exploits a user’s fear of data loss to extort money, and on a few precautionary steps to follow to avoid becoming a victim of this type of malware.

Scareware

In the modern day most malware is written for monetary gain. Scareware is a generic term for a category of malware which uses the strong emotion of fear to force alarmed victims of an attack to pay an amount of money, typically tens to hundreds of US Dollars, to the attacker to restore normality on their computer/device.

Examples of scareware include malware which:

  1. display fake messages to the user about virus infections or system errors on the computer for which the fixing solution requires payment of a sum of money
  2. lock-down or claim to have locked-down access to some aspects of computer functionality such as use of the screen or personal documents, for which regaining access involves payment of a sum of money

Scareware typically infects users’ computers when they download malicious attachments or click links in spam, or when they accidentally visit hacked websites.

As always it is important to ensure that you:

  1. Do not open emails from strangers, including fake messages from well-known companies such as FedEx or DHL
  2. Keep your operating system and third-party software, e.g. browsers and document readers, completely up-to-date with security updates. Avoid pirated software
  3. Use top-rate, genuine, up-to-date Anti-Virus software such as K7 Internet Security with strong Internet Security features such as malicious spam blocking, malicious website-blocking and browser-exploit protection

Scareware can affect both PCs (typically with a Windows operating system) as well as mobile devices (typically with an Android operating system which can be protected by K7 Mobile Security).

Rogue AV

Rogue AV or Fake AV is a subset of the scareware category of malware. Rogue AV pretends to be a legitimate Anti-Virus program which proceeds to display fake warnings of numerous virus infections on the computer. The fake warning window may steal the computer’s focus and then remain persistent, with the malware preventing attempts to close it. Users are made to believe that only if they fork out a sizeable sum of money would the virus infections be cleaned up and the computer restored to a good state.

Historically Rogue AV has been associated with the use of Search Engine Optimization (SEO) poisoning which ensured that hacked websites controlled by the attackers ranked highly when trending topics were searched for in a web search engine such as Google. When the user clicked on one of these attacker-controlled links the user’s computer would get infected. Rogue AV is most commonly found on Windows PCs, but has also been known to infect MacOS computers.

Ransomware

Ransomware is a type of malware, becoming more common by the day, which denies access to your computer resources until a hefty sum is paid to the criminal gang which caused the infection.

The typical resources held to ransom are as follows:

  1. Personal documents, images, and other files – In this case the files are encrypted so that they become unusable. After the files are encrypted the ransomware displays a splash screen informing the victim of this action and demanding a ransom payment to restore the files. Recovering these files requires obtaining the decryption key from the malware syndicates for a fee amounting to hundreds of US Dollars. Payment is made through guaranteed anonymous channels such as the Bitcoin network. The first major ransomware family of this type was called CryptoLocker.
  2. Device screen – In this case the screen is frozen by the malware with a ransom demand visible. The user is allowed to make the payment to unlock the screen. One prevalent family of ransomware which locks the screen is called Reveton.

Users are advised to avoid paying this type of ransom demand for the following reasons:

  1. Generating income for cyber crooks would only serve to incentivise their criminal activities, and would fuel their future attacks
  2. There is absolutely no guarantee that paying up the ransom of potentially hundreds of dollars would actually restore your files or unlock your screen

In addition to the recommendations above, to guard against scareware in general, it is also important to ensure that you back up your important files in a disciplined fashion on external media and/or in online repositories. If you are not in the habit of backing up your files, this practice is highly recommended, since data loss from a failed hard disk at a future date is a probable event, far more likely than a ransomware infection.

Happy New Year!

…to part 4: Passwords – Hashes to Ashes

Images courtesy of:

Adeevee.com
Huffingtonpost.com
Cloudave.com

K7 Threat Control Lab


K7 Computing’s Security Alpha Geeks Introduce Generic Anti-Ransomware Prototype at VB Conference 2015

Friday, October 9th, 2015

So last week, Samir Mody and Gregory Panakkal, security experts from K7 Computing, showcased a generic anti-ransomware framework at this year’s Virus Bulletin International Conference. It drew quite an excited crowd of fellow security enthusiasts in Prague, Czech Republic, where the conference was held, to hear the duo talk about this prototype.

The presentation focused mainly on file-encrypting ransomware variants. A demo followed, showing the generic anti-ransomware prototype defending against ransomware samples obtained from valid sources.

K7 Computing is extremely proud of the team behind the idea of developing a simple solution to thwart the complex ransomware menace. This generic framework is in the process of being incorporated into our products, and we are super excited. We would also take this opportunity to thank our readers for sending, as requested, the ransomware samples used to test our prototype.

For curious souls who want extensive information on this, please find the complete slides here.

Archana Sangili, Content Writer


Tearing Down the Wall

Thursday, October 1st, 2015

In all likelihood, the ransom note above is what an already overworked IT technician of a corporate network is staring at right now. In addition to their woes, IT administrators are now burdened with the task of dealing with Cryptowall, a troublesome breed of malware which until now restricted itself to infecting mostly home users.

With gigabytes of confidential data available on network storage devices, and tormented users willing to do whatever it takes to retrieve the company’s data, life has never been easier for Cryptowall authors. Needless to say, it is only a matter of time before things take a turn for the worse.

To enlighten our users, we have already dissected the infection vector of this category of malware, discussed the possibility of retrieving the original files, advocated that paying the ransom is a bad idea and advised that prevention is better than cure, through blog entries available here and here.

To assist our customers, researchers at K7 Threat Control Lab have come up with reinforcements in this fight against Cryptowall. We have developed a heuristic anti-ransomware prototype which will allow monitoring, identifying and eliminating this menacing enemy based on run-time behaviour.

Samir Mody and Gregory Panakkal from K7 TCL will be discussing this prototype and presenting their paper titled “Dead and buried in their crypts: defeating modern ransom-ware” tomorrow, the 2nd of October 2015, at the Virus Bulletin International security conference held in Prague.

We hope to see you all there!

Lokesh Kumar
K7 TCL Systems Manager
