Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Saturday August 27 2016, @04:58PM   Printer-friendly
from the targeted-malware dept.

Securelist.com has a writeup about a new ransomware that mostly targets the Netherlands:

While ransomware is a global threat, every now and then we see a variant that targets one specific region. [...] Today we can add a new one to the list: Wildfire.

Wildfire spreads through well-crafted spam e-mails. [...] Three things stand out here. First, the attackers registered a Dutch domain name, something we do not see very often. Second, the e-mail is written in flawless Dutch. And thirdly, they actually put the address of the targeted company in the e-mail. This is something we do not see very often and makes it for the average user difficult to see that this is not a benign e-mail.

Even though Wildfire is a local threat, it still shows that ransomware is effective and evolving. In less than a month we observed more than 5700 infections and 236 users paid a total amount of almost 70.000 euro. This is also due to the fact that the spam e-mails are getting better and better.

When you are infected with Wildfire, the malware calls home to the C2 server where information such as the IP, username, rid and country are stored. The botnetpanel then checks whether the country is one of the blacklisted countries (Russia, Ukraine, Belarus, Latvia, Estonia and Moldova). It also checks whether the "rid" exists within a statically defined array (we therefore expect the rid to be an affiliate ID).

If the rid is not found, or you live in one of the blacklisted countries, the malware terminates and you won't get infected.

Each time the malware calls home, a new key is generated and added to the existing list of keys. The same victim can thus have multiple keys. Finally the botnetpanel returns the bitcoin address to which the victim should pay, and the cryptographic key with which the files on the victim's computer are encrypted.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.