2016: Held Ransom

Written and originally posted by Transcender

It was predicted late last year that 2016 would be the year of ransomware. So far, the prediction is proving right: only four months into 2016, the Locky ransomware has managed to spread itself across 114 countries (displaying its demands in a dazzling array of 24 languages). The Hollywood Presbyterian Medical Center paid $17,000 in bitcoins after having its computer systems seized in February 2016, while hospitals in Kentucky and Maryland report similar attacks.

In case you’ve been in that doomsday bunker a bit too long, ransomware is malicious mobster software that blocks access to your own data, usually by encrypting the files on a local computer. The data stays locked away until you pay a tidy sum of money to the hacker (or, more commonly, to the hacking organization). The malware usually contains a ticking bomb that will format the entire hard drive if you don’t pay by a deadline (or post the data for everyone to see, just as extra motivation). The data kidnappers may call themselves hackers or vigilantes, or even pretend to be a federal agency, but their demand is always the same: pay us for your data — or else!

Worse, with automated viruses like CryptoLocker, CryptoWall and TeslaCrypt, hackers don’t have to go through the extra effort of targeting big fish like CEOs of Fortune 500 companies. Any end user can be bilked for hundreds of dollars, and, through economies of scale, hackers rake in millions per campaign. While this year’s damages won’t be tallied for a while, the FBI estimates the CryptoWall variant alone pulled in over $18 million from 2014 to 2015.

End users are not the only targets, nor are Windows users. Major sites like the New York Times, BBC, AOL and NFL had their advertising networks compromised by malvertising, where a malicious ad hijacked users’ browsers and redirected them to install a crypto-virus via the Angler toolkit (another argument for using adblockers?). And the once near-invincible Mac OS has been revealed as the target of the KeRanger malware – the first ransomware Mac users have ever had to contend with.

Posting to the security community in late March, Yonathan Klijnsma noticed an unusual Angler toolkit infection in a WordPress plugin used by the iClass site. It was possible for a TeslaCrypt payload to be installed if all of the following conditions were met:

  • The user’s browser was Internet Explorer (or the user-agent was set to IE).
  • The user was redirected from a search engine, like Google or Bing.
  • The user’s IP address or location information was not blocked (the hackers probably kept a blacklist to keep from getting served themselves!).

This vulnerability was not only difficult to detect, but also uncommon – most users do not use IE, and EC-Council students would access iClass directly without going through a search engine. I’m proud to say that EC-Council didn’t rest on their laurels. They fixed the problem within days of being notified of the security breach.
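Because the compromised plugin only served the redirect to visitors who met all three conditions, a site owner cleaning up after such an incident cannot simply assume every visitor was exposed. The following Python script is an added example (not part of the original post, and not EC-Council’s or Klijnsma’s code) that scans web server access logs in the common "combined" format and lists the requests that satisfied the gate described above: an Internet Explorer user agent, a referer from a search engine, and a source IP not on a blocklist. The log lines, the search-engine list, the IE markers and the blocklist are all constructed assumptions for the example; a real investigation would substitute the site’s own logs and the blocklist recovered from the malicious code.

```python
import re
from urllib.parse import urlparse

# Regex for the Apache/nginx "combined" log format (assumed format for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Referer hosts treated as "came from a search engine" (constructed list).
SEARCH_ENGINES = ("google.", "bing.", "yahoo.", "duckduckgo.")

# Substrings that identify Internet Explorer user agents (IE <= 10 and IE 11).
IE_MARKERS = ("MSIE ", "Trident/")

# Hypothetical blocklist of source IPs the gate is assumed to exclude
# (e.g. the site's own security scanners); constructed for the example.
BLOCKLIST = {"203.0.113.9"}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_ie(ua):
    """True if the user agent string identifies Internet Explorer."""
    return any(marker in ua for marker in IE_MARKERS)


def from_search_engine(referer):
    """True if the referer's host looks like a search engine ("-" means no referer)."""
    host = urlparse(referer).netloc.lower()
    return any(se in host for se in SEARCH_ENGINES)


def matches_gate(entry, blocklist=BLOCKLIST):
    """All three serving conditions from the incident must hold at once."""
    return (is_ie(entry["ua"])
            and from_search_engine(entry["referer"])
            and entry["ip"] not in blocklist)


def find_exposed_visitors(lines, blocklist=BLOCKLIST):
    """Return (ip, timestamp, request) for every request that met the gate."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and matches_gate(entry, blocklist):
            hits.append((entry["ip"], entry["ts"], entry["req"]))
    return hits


# Constructed sample log: only lines 1 and 5 meet all three conditions.
SAMPLE_LOG = [
    '198.51.100.23 - - [30/Mar/2016:10:15:01 +0000] "GET /course/ HTTP/1.1" 200 5123 '
    '"https://www.google.com/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
    '198.51.100.24 - - [30/Mar/2016:10:15:07 +0000] "GET /course/ HTTP/1.1" 200 5123 '
    '"https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/49.0"',
    '198.51.100.25 - - [30/Mar/2016:10:16:30 +0000] "GET /course/ HTTP/1.1" 200 5123 '
    '"-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    '203.0.113.9 - - [30/Mar/2016:10:17:02 +0000] "GET /course/ HTTP/1.1" 200 5123 '
    '"https://www.bing.com/search?q=iclass" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"',
    '198.51.100.26 - - [30/Mar/2016:10:18:45 +0000] "GET /course/ HTTP/1.1" 200 5123 '
    '"https://www.bing.com/search?q=iclass" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
]

if __name__ == "__main__":
    for ip, ts, req in find_exposed_visitors(SAMPLE_LOG):
        print(f"{ip} {ts} {req}")
```

The script deliberately checks the three conditions together rather than flagging every IE visitor: the point of a gated redirect like this one is that most of the site’s own users never saw the payload, and an incident responder wants the short list of visitors who actually did so they can be notified and their machines checked.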