
posted by martyb on Saturday August 27 2016, @04:58PM   Printer-friendly
from the targeted-malware dept.

Securelist.com has a writeup about a new ransomware that mostly targets the Netherlands:

While ransomware is a global threat, every now and then we see a variant that targets one specific region. [...] Today we can add a new one to the list: Wildfire.

Wildfire spreads through well-crafted spam e-mails. [...] Three things stand out here. First, the attackers registered a Dutch domain name, something we do not see very often. Second, the e-mail is written in flawless Dutch. And thirdly, they actually put the address of the targeted company in the e-mail. This is something we do not see very often and makes it difficult for the average user to see that this is not a benign e-mail.

Even though Wildfire is a local threat, it still shows that ransomware is effective and evolving. In less than a month we observed more than 5700 infections and 236 users paid a total amount of almost 70.000 euro. This is also due to the fact that the spam e-mails are getting better and better.

When you are infected with Wildfire, the malware calls home to the C2 server where information such as the IP, username, rid and country are stored. The botnetpanel then checks whether the country is one of the blacklisted countries (Russia, Ukraine, Belarus, Latvia, Estonia and Moldova). It also checks whether the "rid" exists within a statically defined array (we therefore expect the rid to be an affiliate ID).

If the rid is not found, or you live in one of the blacklisted countries, the malware terminates and you won't get infected.

Each time the malware calls home, a new key is generated and added to the existing list of keys. The same victim can thus have multiple keys. Finally the botnetpanel returns the bitcoin address to which the victim should pay, and the cryptographic key with which the files on the victim's computer are encrypted.


Related Stories

Almost Half of US Businesses hit by Ransomware, Says Study

The threat of ransomware is becoming widespread among corporations, with almost half of U.S. businesses suffering an attack from the nasty form of malware recently, according to a new survey.

Security firm Malwarebytes sponsored the study, which found in June that 41 percent of U.S. businesses had at least encountered between one to five ransomware attacks in the previous 12 months.

Another 6 percent saw six or more attacks.

The study surveyed corporations in the U.S., Canada, U.K. and Germany to gauge how ransomware affected their operations.

The malware, which can infect a computer and take the data hostage, can be bad for business. Thirty-four percent of the victim corporations in the countries surveyed reported losing revenue because the ransomware had prevented access to important files.

U.S. businesses victimized by the malware generally didn’t suffer a heavy toll and only 6 percent of them reported losing revenue. In most cases, the malicious code only affected personal files.

[...] More amateur cybercriminals are probably indiscriminately spreading ransomware in the U.S. like spam, the survey added. Low-level ransom demands of up to $500 are prevalent in the U.S. However, high ransom demands of more than $10,000 are more common in Germany.

Malwarebytes sponsored Osterman Research to conduct the study by surveying 540 CIOs, CISOs and IT directors across the four countries.

What steps has your company taken to protect against ransomware? Is it enough? What about your personal system(s)?


  • (Score: 3, Informative) by frojack on Saturday August 27 2016, @05:13PM

    by frojack (1554) on Saturday August 27 2016, @05:13PM (#393974) Journal

    Three things stand out here. First, the attackers registered a Dutch domain name, something we do not see very often. Second, the e-mail is written in flawless Dutch. And thirdly, they actually put the address of the targeted company in the e-mail

    Hold on there.....!

    Thing ZERO is: It's Windows only.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 3, Touché) by ticho on Saturday August 27 2016, @06:52PM

      by ticho (89) on Saturday August 27 2016, @06:52PM (#394003) Homepage Journal

      Isn't all successful ransomware?

    • (Score: 2) by Nuke on Saturday August 27 2016, @10:58PM

      by Nuke (3162) on Saturday August 27 2016, @10:58PM (#394058)

      Three things stand out here.

      Thing ZERO is: Its Windows Only.

      Why does that stand out? Sounds usual to me.

  • (Score: 0) by Anonymous Coward on Saturday August 27 2016, @05:21PM

    by Anonymous Coward on Saturday August 27 2016, @05:21PM (#393978)

    >get email
    >contains url to .doc
    >voluntarily download .doc
    >voluntarily open .doc, in microsoft word no less

    Not to mention that the email is entirely unlike all other real Dutch packet delivery companies..

    • (Score: 2) by ticho on Saturday August 27 2016, @06:58PM

      by ticho (89) on Saturday August 27 2016, @06:58PM (#394005) Homepage Journal

      And yet, this ages-old social engineering technique still claims its victims every day. Sad, really.

    • (Score: 3, Informative) by jimshatt on Saturday August 27 2016, @07:10PM

      by jimshatt (978) on Saturday August 27 2016, @07:10PM (#394009) Journal

      Dutch guy here. I have to disagree. The email looks legit. I think a *lot* of people would just open the doc. I think I even might open it to see what it is about. Smaller package deliveries usually don't bother with PDFs (yeah unprofessional and annoying but common nonetheless). I don't think I would have been tricked into enabling the macros, but still, it's quite clever.

      • (Score: 0) by Anonymous Coward on Sunday August 28 2016, @04:40PM

        by Anonymous Coward on Sunday August 28 2016, @04:40PM (#394251)

        If you're opening docs from unknown companies with your beloved Windows computer and Microsoft Word, then I don't know what to say. It's sad though.
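The chain the commenters above describe (e-mail, link to a .doc, open it in Word, enable the macros) is the macro-document lure the article attributes to Wildfire. As an added example that is not from the Securelist writeup or any commenter, here is a small Python triage check a mail gateway or analyst could run on an attachment before a user opens it: it identifies the container type and reports whether VBA macro indicators are present. It relies only on standard OOXML/OLE2 layout conventions (the `vbaProject.bin` part, the `application/vnd.ms-office.vbaProject` content type, UTF-16LE directory names in OLE2); the sample documents are constructed in memory and are not real files.

```python
import io
import zipfile

# Content type that OOXML declares for an embedded VBA project part.
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# Magic bytes of the legacy OLE2 / Compound File Binary format (.doc, .xls).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_office_file(data: bytes) -> dict:
    """Classify an Office attachment by container and report macro indicators.

    Returns {"container": ..., "has_macros": bool, "indicators": [...]}.
    """
    result = {"container": "unknown", "has_macros": False, "indicators": []}

    if data.startswith(OLE_MAGIC):
        # Legacy binary format: VBA lives in an OLE2 storage named "Macros" with a
        # "VBA" substorage. OLE2 directory entry names are stored as UTF-16LE, so a
        # substring search is a cheap first-pass heuristic; a full OLE parser
        # (e.g. the olefile library) is needed to enumerate the streams reliably.
        result["container"] = "ole2"
        for storage in ("Macros", "VBA"):
            if storage.encode("utf-16-le") in data:
                result["has_macros"] = True
                result["indicators"].append(f"ole2 directory name {storage} (heuristic)")
        return result

    if not data.startswith(b"PK"):
        return result  # neither OLE2 nor a zip container: not an Office document

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["container"] = "ooxml"
            names = zf.namelist()
            # Any part named vbaProject.bin (word/, xl/, ppt/) holds compiled VBA.
            for name in names:
                if name.lower().endswith("vbaproject.bin"):
                    result["has_macros"] = True
                    result["indicators"].append(name)
            # The content-types manifest must also declare the VBA part; check it
            # separately so a renamed part does not slip through the name check.
            if "[Content_Types].xml" in names:
                if MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                    result["has_macros"] = True
                    result["indicators"].append("[Content_Types].xml declares vbaProject")
    except zipfile.BadZipFile:
        result["container"] = "corrupt-zip"
    return result


def build_sample_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal OOXML container in memory (test fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = [
            '<?xml version="1.0"?><Types>',
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macros:
            types.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not real VBA")
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed fixtures: a clean .docx and a macro-enabled .docm, plus a fake OLE2 blob.
CLEAN_DOCX = build_sample_ooxml(with_macros=False)
MACRO_DOCM = build_sample_ooxml(with_macros=True)
FAKE_OLE_DOC = OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le") + b"\x00" * 64

if __name__ == "__main__":
    for label, blob in (("clean.docx", CLEAN_DOCX), ("pakket.docm", MACRO_DOCM),
                        ("legacy.doc", FAKE_OLE_DOC)):
        print(label, inspect_office_file(blob))
```

The two OOXML checks are deliberately independent: the part name catches the common case, and the content-types manifest catches a part that was renamed to dodge a filename match. The OLE2 branch is a heuristic only, so a positive there should route the file to a real OLE parser or a sandbox rather than be treated as a verdict.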

  • (Score: 2) by Runaway1956 on Saturday August 27 2016, @05:30PM

    by Runaway1956 (2926) Subscriber Badge on Saturday August 27 2016, @05:30PM (#393983) Journal
  • (Score: 2) by http on Saturday August 27 2016, @07:52PM

    by http (1920) on Saturday August 27 2016, @07:52PM (#394020)

    The article uses a peculiar piece of, well, jargon? acronym? Who knows what a rid is, other than it's not an IP address, user name, or nation.

    --
    I browse at -1 when I have mod points. It's unsettling.