iSheriff Labs has seen another increase in cryptographic ransomware variants this week. These variants center on TeslaCrypt, which is not new; it has circulated in various iterations since February 2015, but we have seen a sudden spike in its use, with over 70,000 distinct incidents in the past week alone.
Many of the variants borrow from the Carberp Trojan in the way they obfuscate code to evade signature detection. Borrowing code is not new for TeslaCrypt either; it has lifted from malware such as CryptoLocker in the past. We believe this particular increase shows some business savvy on the part of the criminal enterprise behind TeslaCrypt. The Angler Exploit Kit domain takedowns showed that cryptographic malware was generating over $60 million a year in revenue, so we know the model works. Cryptographic malware only turns a profit when the victim chooses to pay the ransom.
The main reason this particular storm of new variants interests us is the timing. Victims are generally busier at this time of year, and with end-of-year bonuses, maturing holiday savings bonds and access to holiday savings accounts, users are more likely to have a little extra cash on hand to pay the ransom. That extra cash, coupled with the stress and busyness of the holiday season, makes end users somewhat more likely to pay to get their files back.
The primary vector for these threats is email, both as an infected attachment and as a blended email-to-web attack, where a link in a carefully crafted message drives the user to an infected page or a download.
Some recommendations for end users on staying safe:
- Do NOT open attachments from unknown senders. While we have seen ransomware delivered through watering-hole and social-harvesting attacks, the vast majority arrives by email via spear-phishing.
- Back up often, and keep at least one copy offline or otherwise unreachable from the workstation; ransomware will encrypt any backup it can reach.
- Do not click links that seem suspicious. Hover over a link to confirm that the real destination matches the text before following it.
- Do not allow software of unknown origin to be installed on your system.
- Keep endpoint security software up to date.
- Keep endpoint signatures up to date.
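The two delivery patterns described above (an executable attachment disguised as a document, and a link whose visible text points somewhere other than its real destination) are cheap to check for in mail-gateway or triage tooling. The following is an added example, not code from the original post or from iSheriff; it parses a constructed sample message with only the Python standard library and reports both lures. The extension lists, the host names and the sample message are assumptions made for illustration.

```python
"""Triage an e-mail for the two ransomware lures described above:
an executable attachment hiding behind a document extension, and an
HTML link whose visible text does not match where it really points."""
import posixpath
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a conservative list of extensions that execute on double-click.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".js", ".jse", ".vbs",
                    ".vbe", ".wsf", ".bat", ".cmd", ".ps1", ".hta", ".jar"}
# Extensions a lure uses as the "real-looking" first half of a double extension.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Archives are commonly used to carry the above past attachment filters.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
# Matches something that looks like a host name (optionally with a scheme).
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def classify_attachment(filename):
    """Return the reasons an attachment filename looks dangerous (may be empty)."""
    reasons = []
    parts = filename.lower().rsplit(".", 2)   # "invoice.pdf.js" -> [invoice, pdf, js]
    exts = ["." + p for p in parts[1:]]
    if not exts:
        return reasons
    if exts[-1] in RISKY_EXTENSIONS:
        reasons.append("executable attachment (%s)" % exts[-1])
        if len(exts) == 2 and exts[0] in DOCUMENT_EXTENSIONS:
            reasons.append("document extension hiding executable (%s)" % filename)
    elif exts[-1] in ARCHIVE_EXTENSIONS:
        reasons.append("archive attachment (inspect contents)")
    return reasons


def classify_link(href, text):
    """Flag a link whose shown host differs from its real host, or that downloads a file."""
    reasons = []
    parsed = urlparse(href)
    real_host = (parsed.hostname or "").lower()
    shown = HOST_RE.search(text)
    if shown and shown.group(1).lower() != real_host:
        reasons.append("link text shows %s but points to %s" % (shown.group(1).lower(), real_host))
    ext = posixpath.splitext(parsed.path.lower())[1]
    if ext in RISKY_EXTENSIONS or ext in ARCHIVE_EXTENSIONS:
        reasons.append("link downloads a file directly (%s)" % posixpath.basename(parsed.path))
    return reasons


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_message):
    """Parse a raw RFC 5322 message and return all findings, attachments first."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        findings += classify_attachment(part.get_filename() or "")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            findings += classify_link(href, text)
    return findings


def build_sample():
    """Constructed sample message (not a real capture) carrying both lures."""
    msg = EmailMessage()
    msg["From"] = "billing@invoices.example"
    msg["To"] = "user@victim.example"
    msg["Subject"] = "Overdue invoice 0471"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative('<p>Your parcel is waiting: <a href="http://files.evil.example/parcel.zip">'
                        'http://www.courier.example/track/0471</a></p>', subtype="html")
    msg.add_attachment(b"var x=1;", maintype="application", subtype="octet-stream",
                       filename="Invoice_0471.pdf.js")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("FLAG:", finding)
```

The host comparison is deliberately strict (any difference between the host shown in the anchor text and the host in `href` is reported), which is the right default for a triage tool; a deployment would add an allow-list for known redirectors. The attachment check only looks at the outer filename, so archives are reported for manual inspection rather than silently passed.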