A new strain of Gojdue ransomware, dubbed ShurL0ckr, has been found on the dark web. Discovered by Bitglass and Cylance, the malware managed to evade being flagged by two well-known cloud platforms with built-in malware protection, Google Drive and Microsoft Office 365 – and it’s not alone in that capability.
ShurL0ckr is a zero-day ransomware-as-a-service that works the same way as the well-known Satan ransomware: Hackers pay a percentage to the author after generating and distributing a ransomware payload that encrypts files on disk.
Worryingly, Bitglass also tested the malware on VirusTotal and found that only 7% of the 67 tested AV engines successfully detected the new malware.
To further analyze the proliferation of malware in the cloud and determine how common Gojdue’s evasion capabilities are, the Bitglass Threat Research Team also scanned tens of millions of files, discovering a high rate of infection in cloud applications and a low efficacy rate for apps with built-in malware protection. In its report, it noted that a full 44% of scanned organizations had some form of malware in at least one of their cloud applications. Put another way, the average organization held nearly 450,000 files in the cloud, with 1 in 20,000 containing malware.
The analysis also found that, on average, one in three corporate instances of SaaS apps contained malware. Of four popular SaaS applications – OneDrive, Google Drive, Box and Dropbox – Microsoft OneDrive had the highest rate of infection at 55%; Google Drive had the second highest rate of infection with 43% of instances being impacted, followed by Dropbox and Box with 33% each.
“Malware will always be a threat to the enterprise and cloud applications are an increasingly attractive distribution mechanism,” said Mike Schuricht, vice president of product management at Bitglass. “Most cloud providers do not provide any malware protection, and those that do struggle to detect zero-day threats.”
Bitglass also identified the top five file categories by infection rate: scripts and executables (42%), which can launch malicious applications with the click of a button, were the most common infected file type. Microsoft Office files, common corporate file types that most users trust and open without hesitation, ranked second (21%). The remaining categories were text files, images and other formats, along with compressed formats such as ZIP files.