“In the last week Symantec has observed a new spike in ransomware activity being seen worldwide,” warns Symantec today. “While several variants of the ransomware threat are responsible for the overall spike, the main ransomware variant being observed is Trojan.Ransomlock.Y.” Ransomlock is primarily distributed via pornographic websites that redirect the user to the Impact exploit kit.
On Friday, Fortinet issued a similar warning. Its researchers have discovered “a new strain of ransomware that’s sourced to the Sasfis botnet, notorious for distributing FakeAV.” Fortinet comments, “it’s a nasty piece of malware that will require a lot of time, effort and cost to undo should it make its way onto a victim’s machine. And with Sasfis behind it, researchers expect it will propagate rapidly to give its financers an exponential boost.”
Earlier this month it was revealed that the new Cool exploit kit was developed by the same criminal gang that developed Blackhole, and that Cool has a budget of $100,000 to buy and develop new exploits. Both Cool and Blackhole are used extensively to deliver the Reveton ransomware.
Ransomware is clearly an increasing and serious threat. It usually prevents use of the computer under the guise of an official warning from the local law enforcement agency, and demands payment of a fine for release. The messages are becoming increasingly sophisticated. “They even quote real laws, and explain the potential fine if you are prosecuted (for example, up to €100,000),” Luis Corrons, the technical director at PandaLabs, told Infosecurity. “The fake crimes you are accused of go from having illegal media (music, films) to zoophile or child pornography.”
Some of the newer versions ‘lock’ the computer by encrypting key parts of the operating system and making it unusable. But, continued Corrons, “As some antivirus could break the encryption and release the files, the criminals changed to a more sophisticated technique using server-based encryption; and the only way to decrypt files in this state is to get the key from the criminals. So even if you remove the infection, you have still lost all your information.”
But everyone agrees that, despite the threat, users must not pay the ransom. “If you are a victim of a ransomware extortion scam, the golden rule is not to pay the ransom to the cybercriminals,” warns Symantec. “Payment in no way guarantees that your computer will be unlocked and can be a costly mistake.” All it does is hand the criminals your bank card details.
The best advice is not to get infected in the first place. Religiously patch all software as soon as patches become available; this reduces the number of vulnerabilities the exploit kits can use. Use a mainstream anti-virus product and keep it up to date; this increases the likelihood that any infection is trapped and removed before it can do any damage. But above all, avoid clicking any dubious or untrusted links in emails.