Security researchers at venture-backed, Fairfax, Virginia-based Invincea have discovered a new Russian ransomware strain they call "Fessleak", which delivers its malicious code straight into system memory and does not drop any files on disk. That means almost all antivirus software is unable to catch it. The infection vector is malicious ads on popular websites, which the cybercriminals are able to display by bidding on the ad space through legitimate ad networks.
End-users, on their lunch break, visit a major site like HuffingtonPost, Photobucket, CBSsports, or Match.com and check out something like "Granny opening a new iPhone video" or "These are the Charlie Hebdo cartoons that terrorists thought were worth killing over." Clicking that one link is enough to be confronted with a full screen announcing that all personal or business files, photos and videos have been one-way encrypted, and that to get them back you need to pay a ransom in Bitcoin.
The cybercriminals first set up a short-lived burner domain pointing to a landing page where the exploit kit is hosted. Then they start real-time bidding for ads that point to the burner domain. Once their bad ad is displayed on a popular website and a user clicks on it, the user is redirected to the malicious domain, which in turn infects their workstation.
Invincea said: "We continue to see new innovations in ransomware. More advanced versions now use file-less infections and communicate via the Tor network. They can also check to ensure the host is not running on a virtual machine to frustrate security researchers and analysis."
The same gang is also using 0-day exploits for Flash Player and is apparently able to change its malware on the fly to exploit the most recent vulnerabilities. "Now Fessleak drops a temp file via Flash and makes calls to icacls.exe, the file that sets permissions on folders and files. At this time, there is no detection for the malicious binary, which likely rotates its hash value to avoid AV detection," the researchers say in the same blog post.
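Because the binary's hash rotates, a hash-based signature is of little use, but the behaviour described above (a browser or Flash plugin process spawning icacls.exe) is a stable thing to look for. The following is an added example written for this post, not code from Invincea or the blog it cites; it assumes process-creation events arrive as JSON records with "image" and "parent_image" fields (as a Sysmon Event ID 1 or EDR forwarder might emit), and the browser/plugin process names and sample events are constructed assumptions.

```python
"""Detection sketch: flag icacls.exe launched from a browser or Flash plugin.

Assumed input (not from the post): one JSON process-creation event per line
with "image" and "parent_image" fields. Sample events below are constructed.
"""
import json
import ntpath

# Browser and plugin-host process names treated as web-content parents.
# Assumed list; tune it to the browsers deployed in your environment.
WEB_PARENTS = {"chrome.exe", "firefox.exe", "iexplore.exe", "plugin-container.exe"}
# Firefox runs Flash in a sandbox process named FlashPlayerPlugin_<version>.exe,
# so match that family by prefix rather than by exact name.
WEB_PARENT_PREFIXES = ("flashplayerplugin",)
# Permission-changing tool the post says Fessleak calls after the Flash exploit.
SUSPICIOUS_CHILDREN = {"icacls.exe"}


def is_web_parent(name: str) -> bool:
    """True when the (lower-cased) parent image is a browser or plugin host."""
    return name in WEB_PARENTS or name.startswith(WEB_PARENT_PREFIXES)


def is_suspicious(event: dict) -> bool:
    """True when a permission-changing tool is spawned by web content."""
    child = ntpath.basename(event.get("image", "")).lower()
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    return child in SUSPICIOUS_CHILDREN and is_web_parent(parent)


def scan(lines):
    """Return [(line_number, event), ...] for every suspicious record."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the whole scan
        if is_suspicious(event):
            hits.append((n, event))
    return hits


# Constructed sample feed: an admin's legitimate icacls use, then a browser-spawned one.
SAMPLE_LOG = [
    json.dumps({"image": r"C:\Windows\System32\icacls.exe",
                "parent_image": r"C:\Windows\System32\cmd.exe"}),
    json.dumps({"image": r"C:\Windows\System32\icacls.exe",
                "parent_image": r"C:\Program Files\Mozilla Firefox\plugin-container.exe"}),
]

if __name__ == "__main__":
    for n, ev in scan(SAMPLE_LOG):
        print(f"line {n}: {ev['parent_image']} spawned {ev['image']}")
```

In production the same rule is a one-line parent/child condition in a SIEM or EDR query; the point is to key on process lineage, which the attacker cannot rotate the way a hash can.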
So, here are some recommendations to mitigate this type of attack:
1) Backup, Backup, Backup and take a weekly copy off-site.
2) Keep your attack surface as small as possible and religiously patch the OS and third-party apps as soon as possible. The www.Secunia.com site might help.
3) Run a UTM and/or a good proxy, and block centrally rather than machine by machine. If that's not possible, install ad-blocker plugins in each browser.
4) It is increasingly clear that effective security awareness training is a must these days. Once-a-year training for compliance does not hack it anymore. End-users need to be on their toes, with security top of mind.
Kevin Mitnick security awareness training combined with frequent simulated phishing attacks drops the employee Phish-prone percentage in 12 months from about 16 percent down to just over 1 percent.
Find out how affordable this is for your organization today.