Tag Archives: ransomware

More than one in 10 American mobile users is the target of mobile malware

Threat analysts and malware researchers in the Avast Virus Lab detect and neutralize threats as soon as they appear.

Threat analysts and malware researchers in the Avast Virus Lab detect and neutralize threats as soon as they appear.

The Avast Threat Report provides an overview of global threat activity.

 

Avast malware researchers and Avast customers work 24/7 to protect each other.

Avast protects 230 million people worldwide in more than 186 different countries — we are present in more countries than McDonalds and protect more people than any other antivirus security provider. We stream 250 micro updates a day that protect our users from attacks. This is made possible by the 230 million devices we protect that simultaneously act as de facto sensors. These sensors provide us with information about suspicious files to help detect and neutralize threats as soon as they appear. Once we identify a suspicious file on a single device, it is reported back to the Avast servers and all Avast users around the world are immediately protected. This is called our Community IQ – it not only lets us better protect our users but also gives us valuable insights into the current security landscape.

Top targeted countries

Romania, Turkey and Vietnam were targeted the most in terms of PC threats in Q1 of 2015, with Romanians having a 54% chance of encountering threats. In France, Germany, Brazil, Great Britain and the United States, the chances were much lower; nonetheless, nearly one out of every three PC users encountered threats in these countries.

Percentage of PC threats encountered by country:

  • 41 percent Russia
  • 37 percent Spain
  • 34 percent Brazil and France
  • 29 percent Germany
  • 28 percent United States and Great Britain

Within the mobile sphere, Romania also had a high chance of encountering malware, along with China and Malaysia.China was targeted the most, which is most likely due to the fact that the Google Play Store is blocked in the region and, therefore, mobile users download apps from third-party stores.

The number of users accessing the Internet in China via mobile devices has surpassed the number of users accessing the Internet via PC this year, which also makes them an attractive point of access for cybercriminals on the hunt for a widespread target pool.

Percentage of mobile threats encountered by country:

  • 21 percent Russia
  • 16 percent Spain
  • 12 percent United States
  • 10 percent Brazil
  • 8 percent France and United Kingdom
  • 6 percent Germany

Top detections and exploits

Despite Android being fairly secure, mobile malware did grow dramatically with potentially unwanted programs (PUPs – a cute acronym for a not-so-cute threat), including adware, dominating the top ten Android detections.

On the PC side, the majority of the top ten detections included LNK files. LNK files are used to create shortcuts that typically point to an executable file or script and appear on one’s computer desktop as an icon, tricking users into using malicious shortcuts.

In terms of exploits, two of the biggest vulnerabilities that were exploited targeted Javascript and an HTML parser. The first exploit, targeting Javascript, could lead to a remote code execution in Internet Explorer versions 6 to 10 The second, on the other hand, targeted an HTML parser in Internet Explorer 10, and if successful, the attack could lead to remote code execution. Even if the attack was unsuccessful, it could still cause a denial of service.

Malicious ways

We observed a variety of tricks that cybercriminals use and one interesting, less common technique cybercriminals use is domain rotation. This method regularly creates new domains and subdomains and redirects malicious traffic to them. This is done to avoid blacklisting and capitalizes on the fact that it takes time for antivirus software to find and check these new domains, releasing new detections after they’ve been properly examined. Fortunately, Avast uses advanced algorithms to recognize domain rotations and block infected subdomains.

We also watched ransomware targeting PCs and mobile devices evolve. For example, PC ransomware CryptoWall did not originally use anonymization networks in earlier versions. CryptoWall 2.0 began using TOR to communicate with the command and control (C&C) server and now CryptoWall 3.0 uses I2P (Invisible Internet Project) a lesser-known anonymization network to avoid being blocked. Mobile ransomware Simplocker, on the other hand, reappeared in February 2015 using asymmetrical cryptography, making it impossible to recover encrypted data without accessing the C&C server.

Global Wi-Fi experiment

We not only observe malware threats, but we also ventured out of the office to further explore the security risks of public Wi-Fi. Our mobile security experts traveled to nine cities in the United States (San Francisco, Chicago, New York), Europe (Barcelona, London, Berlin), and Asia (Seoul, Hong Kong, Taipei) to observe public Wi-Fi activity.

Our observations revealed major security flaws in Wi-Fi hotspots and showed how easy it is for hackers to view users’ browsing activity, searches, passwords, videos, emails, and other personal information. While security issues were found in all cities, the experiment showed that users in Asia are more prone to attacks than users in both Europe and the U.S. Users in Berlin and San Francisco were most likely to take the necessary steps to protect their browsing.

Our experiment also shed light on the fact that a significant portion of users browse primarily on unsecured HTTP sites while connected to open Wi-Fi networks. HTTP traffic is not encrypted and is therefore unprotected, meaning that our team was able to view all of the users’ browsing activity, including domain name and page history, searches, personal log information, videos, emails, and comments. Taking this a step further, it was even possible for the Avast researchers to see products that a user browsed on eBay while not being logged in to the site as well as articles that people read on Wikipedia.

We have put together a security report for the first quarter of 2015, which includes a list of top targeted countries, threats, exploits, domain detections and much more. Open the full Avast Threat Report here.

Follow Avast on FacebookTwitter and Google+ where we keep you updated on cybersecurity news every day

CryptoWall joins forces with click fraud botnet to infect individuals and businesses alike

Newest CryptoWall variant enters systems through a click fraud botnet.

Newest CryptoWall variant enters systems through a click fraud botnet.

Earlier this year, we told you about the return of CryptoWall, malware that encrypts certain files in your computer and, once activated, demands a fine around $500 as a ransom to provide the decryption key. These kinds of financial fraud schemes target both individuals and businesses, are usually very successful and have a significant impact on victims. The problem begins when the victim clicks on an infected advertisement, email, or attachment, or visits an infected website.

Recently, a click fraud botnet with ties to CryptoWall has been discovered. The malware, nicknamed ‘RuthlessTreeMafia‘, has been being used to distribute CryptoWall ransomware. What first appears as an attempt to redirect user traffic to a search engine quickly mutates into an alarming threat as infected systems begin to download CryptoWall and system files and data become encrypted, rendering them useless by their owners. Click fraud and ransomware are two types of crimeware that are usually quite different from one another and typically don’t have many opportunities to join forces; therefore, the result of this unlikely yet powerful collaboration can be detrimental to its victims.

In a public service announcement issued on June 23, the FBI warns of the continued spread of this variant of CryptoWall that has the potential to affect not only individuals, but also government entities and businesses. The report reads:

“Many victims incur additional costs associated with network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers. Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million.”

The uncovering of this most recent CryptoWall variant also goes to show just how creative cybercriminals can be when coming up with ways to get their malware onto people’s systems. A simple click fraud botnet compromise can now lead to a potentially serious ransom attack.

How to stay safe against infection

  • Go with your gut. Don’t click on any emails or attachments that appear as suspicious or unfamiliar to you.
  • Enable popup blockers. Popups are a popular way for hackers to spread malware. To eliminate the chance of accidentally clicking on a popup, it’s best to prevent them from appearing in the first place.
  • Educate employees about the dangers of malware. It’s crucial that SMBs teach their employees about the risks that malware pose to their business. Hold regular workshops to educate employees about common malware attacks, such as phishing emails, and how they can stay safe against them.
  • Always use antivirus software and a firewall. It’s crucial that you download and use antivirus software to best protect yourself against malicious attacks. For the highest level of protection, regularly make sure that your software is updated to the latest version.

 

Cryptowall 3.0 Infections Spike from Angler EK, Malicious Spam Campaigns

SANS Institute reports that Cryptowall 3.0 ransomware infections emanating from the Angler Exploit Kit are on the rise, and coincide with a spike from malicious spam campaigns.

New “Porn Droid” ransomware hits Android

Researchers at ZScaler have discovered a new variation of the “Porn Droid” ransomware that affects Android devices.

Once the device is infected, the malware sends the user a message, apparently from the FBI, accusing the user of watching child pornography. It then demands a $500 ransom to restore the device to normal.

fake FBI alert

 

Infection:

After masquerading as a Google patch update, the malware then asks for a number of powerful permissions including “Erase all data” and “set storage encryption”.

Fake Google Alert

 

Clearly, the message is not from the FBI and the victim should not pay the ransom.

Porn Droid

 

How to stay safe:

Always check permissions

Apps are the lifeblood of our Android devices and make them the powerful and useful tools we know and love. Apps help us stay in touch with family and friends, guide us, educate us and sometimes simply entertain us. But how much attention do we pay when we install an app? In the case of this ransomware, an alert user would never have granted those permissions to an app.

For a list of permissions to look out for when installing an app, check out this AVG Academy video from Michael McKinnon.

Video

Make sure you check these app permissions

 

Have up-to-date security software

One of the simplest and most effective ways of keeping your device safe from malware such as “Porn Droid” is to have up-to-date antivirus protection.

By scanning links and attachments before they are loaded onto your device, security apps like AVG’s AntiVirus for Android can help keep your device free from randomware and running in top condition.

 

 

As Ransomware Attacks Evolve, More Potential Victims Are at Risk

In early December, as most people were dealing with the stress of looking for the perfect holiday gifts and planning out their upcoming celebrations, police officers in a small New England town were under a different sort of pressure. The vital files and data the Tewksbury Police Department needed to go about its daily business had been encrypted […]

Why ransomware poses a risk to businesses

Last year’s attack on Sony is perhaps the most famous recent example of ransomware, but new increasingly sophisticated forms of the malware are on the rise.

To make matters worse, the scale of the problem is hard to know, because new research suggests many incidents are going unreported!

Ransomware is like digital kidnapping. An attacker encrypts the victim’s computer, or even individual files and charges a ransom for their safe return. If the ransom isn’t paid the files are destroyed and files seemingly lost forever.

Individuals, businesses, colleges and government agencies have all been among targets of ransomware. Any institution or individual that has critical files or systems are potential targets for ransomware attackers.

Even gamers were recently targeted, with the threat of losing their online creations providing the leverage.

Businesses in particular though can suffer at the hands of ransomware as shown in a recent attack targeting Danish chiropractors. The victims received an email from a potential new patient who conveniently provided past medical records via cloud storage service Dropbox. Once opened, the PacMan malware springs into action and encrypts essential business files containing valuable medical information.

Here in the United States, both the FBI and the White Collar Crime Center advise you to report ransomware threats or events to the agency at www.ic3.gov, and importantly, they advise against paying the ransom!

New research by ThreatTrack suggests that 30% of companies surveyed would negotiate and essentially “pay up” for the recovery of data. More notably, 55% of those that had previously been victims of ransomware said they would pay up again!

It also appears many incidents are likely going unreported, according to the ThreatTrack survey. Why? Likely because companies don’t want to suffer public scrutiny and humiliation or, perhaps, to encourage copycats.

 

What’s to be done?

The government and those of us in the security industry advise the first line of defense is preparedness.

Some basic tips include:

  • Educate yourself and employees about ransomware.
  • Regularly back up your data – and make sure a copy is stored offline.
  • Install and enable antivirus protection.
  • Make sure you keep all your systems and programs up to date.
  • Beware of links, and attachments. If in doubt, do not open it!

You can also stay abreast and get information on malware and other security threats here on the blog.

As with disease in the real world, prevention is sometimes the best cure in the digital world. It may seem like a bother, but having a preventative strategy could save you pain in the long run.

Don’t take the bait: Beware of web attack techniques

Mousetrap with cheese

When it comes to cybercrime, it’s always better to be in the know. Here are a few ways that web attacks can find their way onto your device. Don’t be fooled — most cybercrooks design attacks to  take place where you’d least expect it.

  1. Social engineering preys on human weakness

“A lot of attacks are still using social engineering techniques; phishing emails – ways of convincing the user to give up valuable information,” said Avast CEO Vince Steckler.

In a phishing or spearphishing attack, hackers use email messages to trick people into providing sensitive information, click on links, or download malware. The emails are seemingly sent from organizations or individuals the potential victims would normally get emails from, making them even more deceptive. Last July, Avast took a look at the Tinba Trojan, banking malware that used spearphishing to target its victims.

 usbank

An example of an injected form from Tinba Trojan targeting U.S. Bank customers.

Web attacks also take place through SMS Text Phishing, also known as SMSishing. This method has become one of the most popular ways in which malicious threats are transmitted on Android devices. These text messages include links that contain malware, and upon clicking them, the malicious program is downloaded to the user’s device. These programs often operate as SMS worms capable of sending messages, removing apps and files, and stealing confidential information from the user.

  1. Malicious apps attempt to fool you

Malicious programs can disguise themselves as real programs by hiding within popular apps or games. In February, we examined malicious apps posing as games on Google Play that infected millions of users with adware. In the case of malicious apps, cybercrooks tamper with the app’s code, inserting additional features and malicious programs that infect devices. As a result, the malware can attempt to use SMSishing in order to collect additional data.

Durak-game-GP

The Durak card game app was the most widespread of the malicious apps with 5 – 10 million installations according to Google Play.

  1. Ransomware uses scare tactics that really work

Another name that made headlines was a group of malware dubbed ransomware, such as CryptoLocker, and its variants CryptowallPrison LockerPowerLocker, and Zerolocker. The most widespread is Cryptolocker, which encrypts data on a computer and demands money from the victim in order to provide the decryption key. Avast detects and protects its users from CryptoLocker and GameoverZeus.  

Make sure you back up important files on a regular basis to avoid losing them to ransomware. Ransomware made its way from desktop to Android during the year, and Avast created a Ransomware Removal app to eliminate Android ransomware and unlocks encrypted files for free.

Count on Avast apps to keep mobile malware at bay

To keep your devices protected from other ransomware, make sure to also install Avast Free Mobile Security & Antivirus from the Google Play store. It can detect and remove the malware before it is deployed.

Install Avast Ransomware Removal to find out if your Android devices are infected and to get rid of an infection. Avast Ransomware Removal will tell you if your phone has ransomware on it. If you are infected, it will eliminate the malware. Android users who are clean can use the free app to prevent an infection from happening.Once installed, you can easily launch the app to scan the device, remove the virus, and then decrypt your hijacked files.