KnowBe4 Warns: Third Ransomware Strain Called CryptorBit Attacks

TAMPA BAY, FL | May 6, 2014

The Crypto Malware Evolution Moves on Full Speed Ahead with New Variant - Adding a Third Cyber Gang Effort to Rake in High Stakes

(Tampa Bay, FL) May 6, 2014 -- Security Awareness Training expert KnowBe4 issued a warning that a third criminal ransomware gang is ramping up its attacks. The malware, called CryptorBit (also known as HowDecrypt), follows an attack process very similar to CryptoLocker and CryptoDefense, but it corrupts the first 512 or 1024 bytes of any data file it finds, regardless of extension, which increases its potential to wreak havoc. The cyber gang uses social engineering to get the end user to install the ransomware via a fake Flash update or a rogue antivirus product.
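Because CryptorBit overwrites only the first 512 or 1024 bytes of each file, an affected file no longer begins with the signature its extension implies while the rest of the file is left intact. The following script, an added example that is not code from KnowBe4 or from the page's sources, uses that property to triage a directory tree: it reads the leading bytes of every file, compares them against a small constructed table of well-known file signatures, and reports files whose header no longer matches their extension. The signature table, the 1024-byte read size and the sample files it writes into a temporary directory are all constructed for illustration.

```python
import tempfile
from pathlib import Path
from typing import Optional

# CryptorBit overwrites the first 512 or 1024 bytes; reading 1024 covers both cases.
HEADER_SIZE = 1024

# Constructed table of leading bytes for common formats that carry a fixed
# signature at offset 0. Formats without one (e.g. .txt) cannot be judged.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}


def header_is_damaged(head: bytes, ext: str) -> Optional[bool]:
    """True if the header does not match the extension's signature,
    False if it matches, None if the extension has no known signature."""
    sig = MAGIC.get(ext.lower())
    if sig is None:
        return None
    return not head.startswith(sig)


def scan_tree(root) -> dict:
    """Check every file under root whose extension has a known signature.
    Returns {"checked": count, "damaged": [file names with bad headers]}."""
    checked = 0
    damaged = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as f:
            head = f.read(HEADER_SIZE)
        verdict = header_is_damaged(head, path.suffix)
        if verdict is None:
            continue  # unknown format, skip rather than guess
        checked += 1
        if verdict:
            damaged.append(path.name)
    return {"checked": checked, "damaged": damaged}


def build_sample_tree(root) -> None:
    """Write constructed sample files: three intact, two with the first
    512 bytes replaced by junk and the tail left untouched."""
    root = Path(root)
    good_pdf = b"%PDF-1.4\n" + b"x" * 2000
    good_png = b"\x89PNG\r\n\x1a\n" + b"y" * 2000
    good_docx = b"PK\x03\x04" + b"z" * 2000
    (root / "report.pdf").write_bytes(good_pdf)
    (root / "photo.png").write_bytes(good_png)
    (root / "notes.txt").write_bytes(b"plain text, no signature to check")
    # Simulated damage pattern: leading 512 bytes overwritten, remainder intact.
    junk = bytes(range(256)) * 2  # exactly 512 bytes
    (root / "contract.pdf").write_bytes(junk + good_pdf[512:])
    (root / "budget.docx").write_bytes(junk + good_docx[512:])


def demo() -> dict:
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    result = demo()
    print(f"checked {result['checked']} files, "
          f"{len(result['damaged'])} with damaged headers:")
    for name in result["damaged"]:
        print("  ", name)
```

Pointed at a real share or at files restored from backup, `scan_tree` gives a quick count of how many files have lost their headers, which is useful both for scoping an incident and for confirming that a restore actually produced intact files. Extend `MAGIC` with the formats that matter in your environment; a file type with no fixed signature is reported as unknown rather than guessed at.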

“Infections with this recent CryptorBit strain are on the rise, and once a user's files are encrypted, the fees are up to $500 ransom in bitcoin to decrypt the files,” said Stu Sjouwerman, CEO of KnowBe4. “It was initially released December 2013, and after debugging their criminal infrastructure, attacks are now increasing. Moreover, users can’t rely on antivirus since it catches less than 50%, and ‘antivirus is dead’ according to Symantec.”

The CryptorBit ransomware comes with extra features. It appears to bypass Group Policy settings that were put in place to defend against this type of ransomware infection. The cybercriminals are also installing so-called cryptocoin miner software, which uses the victim's computer to mine digital coins such as Bitcoin that are deposited in the malware developer's digital wallet, making them even more money, according to bleepingcomputer.com.

When a workstation is infected, the bad guys want you to install the Tor Browser, enter your address, and follow the instructions on their website on how to pay. They leave a friendly reminder that the sooner you pay, the more chance you have to "recover the files". Once you pay, you supposedly get their CryptorBit Decryptor program. Based on the payments sent to known CryptorBit Bitcoin addresses, quite a few people appear to have paid the ransom. The price can double after the first 96 hours (4 days).

Sjouwerman gives these tips to prevent the loss of data:

1) Backup, backup, backup and test your restore procedure on a very regular basis.

2) Don’t rely on just antivirus, as it normally runs 6 hours behind attacks like this, enough for the bad guys to get in and wreak havoc. See Virus Bulletin’s testing info.

3) Don’t open anything suspicious. Use extra care to avoid phishing links and attachments. If you didn’t request it, don’t open it.

4) If you do fall prey to CryptorBit, wipe the infected machine(s), rebuild from the ground up, and restore the files from the most recent backup. If there are no backups, try to restore the files from Shadow Volume Copies. If these are not available, you can try a utility called DecrypterFixer (http://www.bleepingcomputer.com/virus-removal/cryptorbit-ransomware-information#decrypterfixer), written by Nathan Scott.

With malware like this out there, security education and behavior management are a must for any organization where users have access to email and the web.



