Android Ransomware spreading as codec pack installer

The SonicWALL Threats Research Team received reports of yet another Android ransomware, which encrypts the files on a device and demands a ransom in exchange for, potentially, unlocking the content.

Infection Cycle

The malware requests the following permissions at install time:

  • internet
  • get tasks
  • kill background processes
  • access fine location
  • receive sms
  • access coarse location
  • call phone
  • vibrate
  • read sms
  • write sms
  • send sms
  • read contacts
  • read phone state
  • system alert window
  • wake lock
  • disable keyguard
  • receive boot completed
  • write external storage
  • read external storage
  • quickboot poweron
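The permission list above is the first thing an analyst looks at, because the combination (overlay window, boot persistence, external storage, SMS and contacts) is characteristic of a screen-locking, SMS-stealing ransomware rather than a codec pack. The following script is an added example, not SonicWall's tooling or code from the sample; it parses a decoded AndroidManifest.xml, scores the requested permissions and flags the ransomware-like combinations. The weights, the threshold, the two inline manifests and the "package name mimics the platform" check are all illustrative assumptions.

```python
"""Static permission triage for a decoded AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Weights are an assumption chosen for illustration: each permission that the
# sample above needs for its screen-lock, SMS and contact-theft behaviour scores.
RISK_WEIGHTS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,      # full-screen ransom overlay
    "android.permission.DISABLE_KEYGUARD": 2,         # keep the lock screen away
    "android.permission.RECEIVE_BOOT_COMPLETED": 2,   # survive a reboot
    "android.permission.WRITE_EXTERNAL_STORAGE": 2,   # encrypt user files in place
    "android.permission.READ_SMS": 2,
    "android.permission.SEND_SMS": 2,
    "android.permission.RECEIVE_SMS": 1,
    "android.permission.READ_CONTACTS": 2,            # contact exfiltration
    "android.permission.KILL_BACKGROUND_PROCESSES": 1,
    "android.permission.ACCESS_FINE_LOCATION": 1,
}

# Constructed manifest mirroring the permission list above (not the real sample's file).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Codec Pack"/>
</manifest>
"""

# Constructed benign comparison: a video player that only needs network and wake lock.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>
"""


def extract_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def triage(manifest_xml: str, threshold: int = 10) -> dict:
    """Score the manifest and explain which ransomware-like combinations were hit."""
    root = ET.fromstring(manifest_xml)
    perms = extract_permissions(manifest_xml)
    score = sum(RISK_WEIGHTS.get(p, 0) for p in perms)
    flags = []
    if {"android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.RECEIVE_BOOT_COMPLETED"} <= perms:
        flags.append("overlay + boot persistence (screen-locker pattern)")
    if {"android.permission.READ_SMS", "android.permission.SEND_SMS"} <= perms:
        flags.append("SMS read and send (interception / spam capability)")
    if {"android.permission.READ_CONTACTS", "android.permission.INTERNET"} <= perms:
        flags.append("contacts readable with network access (exfiltration)")
    package = root.get("package", "")
    if package in ("android", "com.android"):
        flags.append(f"package name '{package}' mimics the platform namespace")
    return {"package": package, "score": score, "flags": flags,
            "suspicious": score >= threshold}


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

On a real APK the manifest is binary XML; decode it first (apktool or androguard's AXML parser) and feed the result to `triage`. Permission scoring is a triage aid only: a legitimate SMS client will also request READ_SMS and SEND_SMS, so the flags point at what to look for in the code, not at a verdict.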

Upon execution it sends a GET request to the domain fsdf2tvwev-ru.1gb.ru. This is common malware behaviour: the sample registers the infection with, or reports it to, the attacker, and the name of the page it requests (reg.php) points the same way. In our run the server answered only with a base64-encoded response containing an error:

After a couple of minutes we get a ransom message that covers the entire screen as shown below:

In the background the ransomware encrypts files on the device and appends a “.Lucy” extension to each one.

The ransomware demands 600 Canadian dollars (CAD), roughly $481 at the time of writing. Payment is demanded via Neosurf, a prepaid voucher system: the victim buys a Neosurf voucher of the required value with cash and then enters the voucher number or code into the ransom screen.

Additional points

  • The malware contains the following hardcoded urls in its code:
    • hxxp://fsdf2tvwev-ru.1gb.ru/private/add_log.php
    • hxxp://fsdf2tvwev-ru.1gb.ru/private/reg.php
    • hxxp://fsdf2tvwev-ru.1gb.ru/private/set_data.php
  • Since its discovery, traffic statistics for the above URLs show that most visits have come from Canada, which suggests where this ransomware has spread the most.
  • There is a hardcoded phone number in the code, +190[removed], which belongs to the United States.
  • We observed code that looks for a card number, name and date. This may be intended for Neocash, a card offered by Neosurf:
  • There is code that extracts the contact details stored on the device:
  • The ransomware can execute commands received from the attacker; a few interesting ones are listed below:
    • Execute shell commands
    • Grab SMS messages on the device
    • Compose and send SMS messages
    • Get location of the device

The ransomware is installed as a supposed codec pack. Judging by its name, it is likely spread via rogue websites that host a video but show an error when the user tries to play it. The error typically claims that a codec pack is missing from the device and that the video will play once it is installed.

We urge readers to be wary when such an error is encountered. It is always advisable to install apps from the official Google Play store rather than directly from websites.

SonicWALL provides protection against this threat via the following signature:

  • GAV: AndroidOS.Ransomware.CAD (Trojan)

The following sample was analyzed for this blog:

  • MD5: 615869b81f1ccdbdbb1fa338744c0a6d
  • Package: com.android

State of Encrypted Traffic – New Cyber Attacks Spreading via Use of Encryption

The earliest cryptographic schemes, such as substituting one symbol or character for another or reordering characters rather than replacing them, date back thousands of years. Since then, more complex encoding and decoding systems built on these techniques have been developed for the fundamental purpose of securing written and electronic messages in all sorts of real-world applications. The progress made in modern cryptography has clear advantages, but it also creates security risks too dangerous to ignore. This blog reviews what this means for your organization and helps your security teams stay alert to the new threats and attack vectors that arise from the criminal use of encryption.

Innovation in information and communication technology has significantly changed how we function in both the public and private sectors. The way we store, share, communicate and transact information over the web, for personal use, for work or to run businesses, agencies and institutions, requires strong information security in everything we do digitally. As a result, the majority of today’s web traffic is encrypted with Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), which establishes a private connection between a client and a server to protect data in transit.

According to the Google Transparency Report, encrypted connections, displayed as HTTPS in the browser address bar, accounted for approximately 87 percent (Figure 1) of web requests sent to Google’s data centers from around the world as of June 17, 2017. Moreover, the report reveals that Windows, Mac, Linux and Chrome OS users spend more than three-quarters of their time on HTTPS pages (Figure 2). From these figures we can reasonably conclude that the majority of the web traffic traversing our networks today is encrypted.

Figure 1: Percentage of page requests that used encrypted connections


Figure 2: Percentage of browsing time spent on HTTPS websites


Now consider the security implications if your network security controls, such as a firewall or intrusion detection/prevention system (IDS/IPS), do not examine encrypted traffic. They have zero visibility into any malicious activity inside it, so attacks carried out within the encrypted session go unnoticed and can easily lead to a data breach. This method of attack is among the top security issues facing organizations right now. A recent survey[1] of over 1,000 security professionals from various industries in North America and Europe, conducted by the Ponemon Institute on behalf of A10 Networks, reveals:

  1. Eighty percent of respondents had been victims of a cyber-attack, and forty-one percent of those attacks hid in SSL-encrypted traffic to evade detection.
  2. Only one-third of respondents believe their organization can properly decrypt and inspect SSL-encrypted traffic, even though 89 percent agree it is essential to the performance and safety of their business.
  3. Use of SSL encryption to mask malicious activity will grow in step with the growth of encryption in inbound and outbound web traffic.
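A device that does not decrypt is not completely blind: the TLS ClientHello travels in the clear, so the requested hostname (SNI) and the offered cipher suites can still drive policy, even though nothing inside the session can be inspected. The following is an added example written for this page, not SonicWall code; it parses a ClientHello record and applies a simple SNI block list. The `build_client_hello` helper exists only to construct test input offline, and the host names and block list are made up.

```python
"""Passive TLS ClientHello inspection: what a firewall still sees without decrypting (added example)."""
import struct


# Constructed test input: a TLS 1.2-style ClientHello carrying an SNI extension.
# Real traffic would come off the wire; this builder exists only so the example runs offline.
def build_client_hello(host, cipher_suites=(0x1301, 0xC02F, 0x002F), with_sni=True):
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    ext = b""
    if with_sni:
        name = host.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name             # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                   # client_version, random (zeroed)
            + b"\x00"                                 # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                             # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes):
    """Return version, offered cipher suites and SNI from a ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:          # not a Handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    p = 4
    version = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    p += 32                                           # skip client random
    p += 1 + hs[p]                                    # skip session_id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                                    # skip compression methods
    sni = None
    if p + 2 <= len(hs):
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]; p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
            data = hs[p:p + elen]; p += elen
            if etype == 0x0000 and len(data) >= 5:   # server_name: list len(2), type(1), name len(2)
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "cipher_suites": suites, "sni": sni}


def decide(record: bytes, blocked_hosts) -> str:
    """Policy a non-decrypting device can apply: block known-bad SNI, flag traffic with no SNI at all."""
    info = parse_client_hello(record)
    if info is None:
        return "not-a-client-hello"
    if info["sni"] is None:
        return "no-sni: needs full inspection"
    return "block" if info["sni"].lower() in blocked_hosts else "allow"
```

The limits are the point: the SNI is client-supplied and unauthenticated, a client may omit it or send a decoy, and with Encrypted Client Hello even this field disappears. Hostname policy is a useful first layer; payload-level detection still requires decryption at the inspection point.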

So what must you do to address the security risks associated with encrypted threats?  Watch the webcast, “Defeat Encrypted Threats,” presented by a SonicWall Security Solution Engineer. It provides a detailed analysis of the latest trends and tactics in the cyber threat landscape as seen by a practicing security professional. Once you have seen what your adversaries are up to today, you will get a crash course in security policy management and network security architecture design to help prevent the breach of tomorrow.

[1] 2016 Ponemon Study, Uncovering Hidden Threats within Encrypted Traffic

Hackers Now Attacking Unconfigured WordPress Sites

SonicWall Threat Research Labs recently received reports of attackers targeting newly installed WordPress sites. Attackers search for the following phrases:

  • WordPress
  • Setup Configuration File

If both phrases are present, the site likely has WordPress installed but not yet configured. A Google search for the two phrases returns:

Checking the first results returned by Google, we found 4 to be unconfigured.

Typically, these sites show the following setup page:

As shown above, the attacker can point the installation at any database server they control.

The attacker’s next step is to create the initial administrator account:

Once the attacker has control over the WordPress website running in the target server, the attacker can do any of the following:

  1. Use the WordPress website for hosting malware, exploit kits, etc.
  2. Use the WordPress website as a launching pad to attempt to take control of the server, for example by executing specially crafted PHP scripts.
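The takeover described above leaves a recognisable trail in the web server log: a request for the setup page, a POST that writes the database settings, and a POST that creates the first administrator, all from one client within a few seconds. The script below is an added example, not SonicWall's signature logic; it implements the two-phrase check the attackers use against a fetched page, and groups those setup-stage requests per client in an Apache-style combined log. The log lines and IP addresses are constructed, and the stage names are ours; the paths and `step=2` parameters are WordPress's own first-run flow.

```python
"""Spotting an unconfigured WordPress install and its takeover in web server logs (added example)."""
import re

# Combined log format: client, ident, user, [time], "METHOD PATH PROTO", status, size, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Stages of the WordPress first-run flow. setup-config.php?step=2 is where the database
# details are written to wp-config.php; install.php?step=2 is where the first admin user is
# created. Both are public WordPress core behaviour, but the stage labels are ours.
STAGES = (
    ("GET",  re.compile(r"^/wp-admin/setup-config\.php(\?|$)"),   "recon"),
    ("POST", re.compile(r"^/wp-admin/setup-config\.php\?step=2"), "db_config_submitted"),
    ("POST", re.compile(r"^/wp-admin/install\.php\?step=2"),      "admin_created"),
)

# Constructed access log lines: a takeover from one address and an unrelated normal visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jul/2017:03:12:44 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2017:03:12:51 +0000] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2017:03:13:02 +0000] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 1822 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2017:03:15:00 +0000] "GET /index.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
"""


def looks_unconfigured(html: str) -> bool:
    """The two-phrase check the attackers use: the setup page title plus the WordPress name."""
    return "WordPress" in html and "Setup Configuration File" in html


def setup_stages_by_client(log_text: str) -> dict:
    """Map client IP -> ordered list of setup stages that client reached."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, _status = m.groups()
        for want_method, pattern, stage in STAGES:
            if method == want_method and pattern.search(path):
                seen.setdefault(client, []).append(stage)
    return seen


def takeover_clients(log_text: str) -> list:
    """Clients that both wrote a database config and created the first admin account."""
    return [ip for ip, stages in setup_stages_by_client(log_text).items()
            if "db_config_submitted" in stages and "admin_created" in stages]


if __name__ == "__main__":
    print(setup_stages_by_client(SAMPLE_LOG))
    print("takeover from:", takeover_clients(SAMPLE_LOG))
```

The simpler prevention is not to expose the setup page at all: complete the installation in the same session the files are deployed, or restrict `/wp-admin/setup-config.php` and `/wp-admin/install.php` to the administrator's address until it is done.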

SonicWall Threat Research Team has the following signature to protect customers from this type of attack:

  • WAF 1666: WordPress Setup Attack

Amnesia ransomware continues high payment trend

The SonicWall Capture Labs Threat Research team has recently observed a ransomware threat known as Amnesia. As SonicWall predicted previously, the trend of rising ransom demands has continued. This time last year, ransom demands for file decryption averaged only a few hundred US dollars. Many ransomware families today have raised that to around 1 Bitcoin ($2,629 at the time of writing this alert), as is the case with Amnesia.

Infection Cycle:

The Trojan makes the following DNS request:

  • iplogger.info

The Trojan adds the following files to the filesystem:

  • %APPDATA%\sevnz.exe (copy of original file) [Detected as GAV: Amnesia.RSM (Trojan)]
  • IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT (copied into every directory containing encrypted files)

All encrypted files follow this naming convention:

  • {encrypted filename}.[unlocking.guarantee@aol.com]

The Trojan adds the following keys to the registry, the first of which is a unique ID for the infection:

  • HKEY_CURRENT_USER\Software\aIYqDubteCKSoK temp “V4IAAAAAAADC0bNIxKaIH7JYV6699fOJvEi=G+RF6TCJ4cJBvLhWQGV+654JtVSw9RvdA56j7BpPGG32Za88GKSdzyey6Po=U+nGtFhb=e7wiDqx2fcJ6T0TZmNts3=uKH88QK1UWGHjigPKSRB4PWg3jiKTMZnFR7NTeH1momxGZguqRAzVlOh592AargphGyo+5o0bx39Uoh=bwM0O3m98fsAejkmm2RUQQYJ7SaBQd2AYI3SCM3JiL4uSCVPlK9EQbhCdhjn18jyDNmVp=nuK5YLLhISwFc5R=1=aZDM16W+xB0orn3okLFvs5LNGDrwEOXIXtUie3KKPgemZolrAZ4v7K0ZKLtJTu6eOY1PBa1hRmDMN1AKj2eSiZLtYSreoRC1KgdcK9fDoJfZL2sr9vdxMwogKCGvnA21YGVVlLLagjp35=ybaIdWlP1A95msz7SyZLpFs6WoJTcvurViRPGgWsUEpMbIy=lV+EJ0T0U1gDSydtsuffYcxyDk2f2rJCr5eIxOrwlIJlIhkDfEcuO=NKfkJZ6efwNwAXIeMXQfUdpg5k2EUu+R6sWOBcnnQkWUXSpZGUildgjL0OS5TXsCs60oLHMcyuMzip2sq7287OnFB8kz7javL9LcxUn2p17wAb7tW2wX3dKRhzL0Lqp5O2Z7uAiOEqmwYES3Ddjlh8gw2vVL4l1Wz7p92=divAAUeWLUte=J2dShKCLJK6ApQ4ct2w6gAfmdSPtc6Ko8dnujq1f6xcOVqTT8FBpqfBy6jd+8TwC1y0ndtHA6+sFBhFD4HDZcvIlguChgzRyK5TKK7l4”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce aIYqDubteCKSoK “%APPDATA%\sevnz.exe”

The Trojan can be seen using mshta.exe to run JavaScript as part of its infection process:

The infection is reported to the operators via iplogger.info. The response is a PNG file containing a single pixel:

The following text file is displayed on the screen:

We received the following email after following the instructions in the text file:

As there was no transaction history for the Bitcoin address (12X4P7HVpuhP535uTkETecGvZrV7A7T3oL), it is reasonable to assume that the operators use multiple Bitcoin addresses rather than a single one.

The Trojan disabled our ability to reboot the system when run on Windows XP:
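Two of the indicators above translate directly into host-side checks: a RunOnce value pointing into %APPDATA% (a user-writable location no legitimate installer needs for an autorun), and files renamed with a `.[<email>]` suffix next to the dropped ransom note. The script below is an added example, not SonicWall code; it parses a `.reg` export for Run/RunOnce entries that point to user-writable paths, and classifies a directory listing by the Amnesia naming pattern. The `.reg` text, the OneDrive entry used as a benign control, and the file names are constructed for the example.

```python
"""Two host-side checks for the Amnesia indicators above (added example)."""
import re

AUTORUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
}
# Locations an unprivileged user can write to; an autorun entry pointing here is worth a look.
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "%tmp%", "\\appdata\\", "\\temp\\")

REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# Amnesia-style suffix: ".[<email address>]" appended after the original file name.
RANSOM_SUFFIX_RE = re.compile(r"\.\[[^\]\s@]+@[^\]\s]+\]$")
RANSOM_NOTE = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"

# Constructed .reg export mirroring the RunOnce entry above, plus a legitimate Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"aIYqDubteCKSoK"="%APPDATA%\\sevnz.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
'''


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)       # .reg escapes backslash and quote with a backslash


def parse_reg_export(text: str):
    """Yield (key, name, value) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE_RE.match(line)
        if key and m:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def suspicious_autoruns(text: str) -> list:
    """Run/RunOnce values whose target lives in a user-writable location."""
    hits = []
    for key, name, value in parse_reg_export(text):
        if key.lower() in AUTORUN_KEYS and any(w in value.lower() for w in USER_WRITABLE):
            hits.append({"key": key, "name": name, "value": value})
    return hits


def classify_filenames(names) -> dict:
    """Separate Amnesia-renamed files and dropped ransom notes from everything else."""
    out = {"encrypted": [], "notes": [], "other": []}
    for n in names:
        if n.upper() == RANSOM_NOTE:
            out["notes"].append(n)
        elif RANSOM_SUFFIX_RE.search(n):
            out["encrypted"].append(n)
        else:
            out["other"].append(n)
    return out


if __name__ == "__main__":
    print(suspicious_autoruns(SAMPLE_REG))
    print(classify_filenames(["budget.xlsx.[unlocking.guarantee@aol.com]", "budget.xlsx", RANSOM_NOTE]))
```

On a live host, produce the input with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce out.reg` (and the Run key) rather than reading the hive directly; the export is UTF-16, so open it with that encoding. The autorun heuristic will also catch legitimate per-user installers that live under AppData, so treat hits as leads to verify against the file's signature and hash.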

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Amnesia.RSM (Trojan)
  • GAV: Amnesia.RSM_2 (Trojan)

Black Hat USA 2017: Build Your Arsenal with SonicWall Capture – Innovate More, Fear Less

The SonicWall team is excited to be a gold level sponsor at Black Hat USA, one of the world’s leading IT security events, which opens at Mandalay Bay in Las Vegas on July 22.  Our booth number is 554 and we look forward to meeting you there. SonicWall will offer attendees information on the company’s suite of automated, real-time breach detection and prevention products and services, including the SonicWall Capture ATP cloud-based network sandbox which detects and stops ransomware, advanced persistent threats (APTs) and zero-day attacks.

What will you discover in SonicWall’s booth 554?

SonicWall enables organizations to “Innovate More and Fear Less,” giving them the ability to prevent breaches automatically, in real time. Our team at SonicWall Capture Labs has confirmed that Capture technology could detect, block, and prevent WannaCry and NotPetya using SonicWall next-gen firewalls and SonicWall Capture ATP, a multi-engine cloud sandbox. At Black Hat USA 2017, our team of experts will be in booth 554 July 26-27 to demonstrate deployment of Capture using real malware samples.

I’d also encourage you to attend our theater presentation, “It Doesn’t Take Magic to Win the Cyber Arms Race,” where we’ll cover how you can stop ransomware, encrypted threats and phishing attacks from bringing down your network. Attendees at each theater presentation will be eligible to enter a raffle for a Raspberry Pi Project Board.

How does SonicWall help you Innovate More and Fear Less?

SonicWall’s booth will have four solution demo kiosks:

  • Stop ransomware
  • Prevent breaches
  • Uncover encrypted threats
  • Block phishing attacks

In addition to stopping ransomware and preventing breaches, our cyber security solutions also protect against encrypted threats and targeted email attacks. By using patented anti-phishing technologies, integrating with Capture ATP and offering powerful email authentication, SonicWall Email Security can block phishing, business email compromise (BEC) and ransomware.

An additional highlight at our Black Hat USA booth will be our SonicWall Firewall Sandwich, demonstrating a “super massively” scalable network firewall architecture that enables enterprise customers to:

  • Provide scalable performance for growing data centers
  • Deliver support for up to 100+ Gbps networks to eliminate network slowdowns
  • Ensure high availability, resiliency and connectivity for every enterprise
  • Achieve best price/performance and up to 70 percent lower TCO
  • Provide visualization of all applications, users and groups traversing the firewall sandwich

And don’t forget to attend our dramatic magic show every half-hour. You can’t miss the Spider over the booth.

If you want a head start before you go to Black Hat, check out a demo of our security solutions via SonicWall Live Demo.  And to keep up with us at the show, follow @SonicWall and look for the hashtag #BHUSA.

Microsoft Security Bulletin Coverage for July 2017

SonicWall has analyzed and addressed Microsoft’s security advisories for the month of July, 2017. A list of issues reported, along with SonicWall coverage information are as follows:

Microsoft Coverage

  • CVE-2017-0170 Windows Performance Monitor Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0243 Microsoft Office Remote Code Execution Vulnerability
    spy:1522 Malformed-File doc.MP.45

  • CVE-2017-8463 Windows Explorer Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8467 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8486 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8495 Kerberos SNAME Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8501 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8502 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8556 Microsoft Graphics Component Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8557 Windows System Information Console Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8559 Microsoft Exchange Cross-Site Scripting Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8560 Microsoft Exchange Cross-Site Scripting Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8561 Windows Kernel Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8562 Windows ALPC Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8563 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8564 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8565 Windows PowerShell Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8566 Windows IME Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8569 SharePoint Server XSS Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8570 Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8571 Office Outlook Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8572 Office Outlook Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8573 Microsoft Graphics Component Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8574 Microsoft Graphics Component Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8577 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8578 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8580 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8581 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8582 Asp.Net Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8584 Hololens Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8585 .NET Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8587 Windows Explorer Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8588 WordPad Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8589 Windows Search Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8590 Windows CLFS Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8592 Microsoft Browser Security Feature Bypass
    ips:12885 Microsoft Browser Security Feature Bypass (JUL 17)

  • CVE-2017-8594 Internet Explorer Memory Corruption Vulnerability
    ips:12886 Internet Explorer Memory Corruption Vulnerability (JUL 17)

  • CVE-2017-8595 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8596 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8598 Scripting Engine Memory Corruption Vulnerability
    ips:12887 Scripting Engine Memory Corruption Vulnerability (JUL 17) 1

  • CVE-2017-8599 Microsoft Edge Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8601 Scripting Engine Memory Corruption Vulnerability
    ips:12888 Scripting Engine Memory Corruption Vulnerability (JUL 17) 2

  • CVE-2017-8602 Microsoft Browser Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8603 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8604 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8605 Scripting Engine Memory Corruption Vulnerability
    ips:12889 Scripting Engine Memory Corruption Vulnerability (JUL 17) 3

  • CVE-2017-8606 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8607 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8608 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8609 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8610 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8611 Microsoft Edge Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8617 Microsoft Edge Remote Code Execution Vulnerability
    ips:12890 Microsoft Edge Remote Code Execution Vulnerability (JUL 17) 1

  • CVE-2017-8618 Internet Explorer Remote Code Execution Vulnerability
    ips:12892 Internet Explorer Remote Code Execution Vulnerability (JUL 17) 1

  • CVE-2017-8619 Microsoft Edge Remote Code Execution Vulnerability
    ips:12891 Microsoft Edge Remote Code Execution Vulnerability (JUL 17) 2

  • CVE-2017-8621 Microsoft Exchange Open Redirect Vulnerability
    There are no known exploits in the wild.

Adobe Coverage

APSB17-21 Security updates for Adobe Flash Player:

  • CVE-2017-3080 
    spy:1526 Malformed-File dll.MP.1

  • CVE-2017-3099 
    spy:1527 Malformed-File swf.MP.570

  • CVE-2017-3100 
    spy:1528 Malformed-File swf.MP.571

LockPos, the new point-of-sale malware actively spreading in the wild. (Jul 14, 2017)

The SonicWall Threats Research team has observed reports of a new point-of-sale (POS) malware family, detected as GAV: LockPOS.A, actively spreading in the wild. LockPOS targets POS systems and has been found to rely on Windows Explorer to deliver stolen card data to the attackers.

Infection Cycle:

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

Once the computer is compromised, the malware copies its executable to the %Allusersprofile%\Application Data folder under a random name and then injects into Explorer.exe to collect information from the target system.

LockPOS retrieves the list of running processes and periodically scrapes their memory for credit card data.

The malware attempts to enumerate credit card data from the POS software. It makes use of API functions such as:

  • FindResourceW

  • CryptDecrypt

  • RtlDecompressBuffer

The malware generates two files, [Random Name].exe and [Random Name].bin, in the All Users profile folder. The .exe file is a dropper and the .bin file contains encrypted credit card data.
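Memory scraping works because POS software briefly holds the magnetic-stripe data in plain text: a scraper reads another process's memory, looks for the Track 2 layout (`;PAN=YYMM...?`) or bare runs of 13 to 19 digits, and keeps only the ones that pass the Luhn check so it exfiltrates card numbers rather than order ids. The script below is an added example written for this page, not LockPOS code or SonicWall detection logic; it runs that search over a constructed memory buffer so the filtering is visible. The buffer contents and the test card numbers are made up (4111111111111111 is a standard Luhn-valid test number), and `redact` is for safe reporting of findings during an incident.

```python
"""What a POS memory scraper hunts for, and how to validate hits (added example)."""
import re

# Track 2 as it sits in memory: ;PAN=YYMM SVC discretionary ?   (magstripe layout, not LockPOS-specific)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})?([0-9A-Za-z]*)\?")
# Bare digit runs of PAN length that are not embedded in a longer number.
PAN_RUN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

# Constructed process memory snapshot: one Track 2 record, one non-Luhn number, one order id.
SAMPLE_MEMORY = (b"\x00\x00POS_TXN\x00;4111111111111111=2512101000000000?\x00\x00"
                 b"cust=4111111111111112\x00order=20170714123456\x00")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; scrapers use it to drop false positives before exfiltration."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape(buf: bytes) -> dict:
    """Return {pan: details} for Luhn-valid card numbers found in a memory buffer."""
    found = {}
    for m in TRACK2_RE.finditer(buf):       # structured hits first: they carry the expiry too
        pan = m.group(1).decode()
        if luhn_ok(pan):
            found[pan] = {"source": "track2", "expiry_yymm": m.group(2).decode()}
    for m in PAN_RUN_RE.finditer(buf):      # then loose digit runs, validated by Luhn only
        pan = m.group(1).decode()
        if pan not in found and luhn_ok(pan):
            found[pan] = {"source": "pan_run", "expiry_yymm": None}
    return found


def redact(pan: str) -> str:
    """First six and last four only, for writing findings to a log or ticket."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for pan, info in scrape(SAMPLE_MEMORY).items():
        print(redact(pan), info)
```

The defensive reading of the same logic: anything that opens handles to the payment application's process with read access (ReadProcessMemory) and then produces outbound HTTP is the behaviour to alert on, and point-to-point encryption at the card reader removes the plain-text window the scraper depends on.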

The malware sends HTTP requests to its C&C server, for example:

Command and Control (C&C) Traffic

LockPOS performs C&C communication over HTTP.

The requests to the C&C server use the following format; here is an example:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWall Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: LockPOS.A (Trojan)

  • GAV: LockPOS.A_2 (Trojan)

Is Your Email Security GDPR Ready?

On May 25th 2018, the European Union (EU) General Data Protection Regulation (GDPR) comes into force. The GDPR is a set of rules meant to protect the personal data of EU residents, and it governs how organizations collect, store and use that information. Failure to comply carries heavy penalties, including fines of up to €20 million or 4 percent of global turnover. This includes information exchanged over email; according to the Infowatch global data leakage report, email is the second largest channel for data leaks.

Some key elements of the regulation include:

  • GDPR applies to all organizations that process the personal data of subjects residing in the EU, regardless of the organization’s location.
  • Breach notification will become mandatory, and must be done within 72 hours of first having become aware of the breach.
  • EU residents have the right to obtain confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.
  • The right to be forgotten entitles residents to have the organization erase their personal data and cease further dissemination of it.
  • Privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.

Here are certain implications of GDPR on an organization’s emails and email security:

  • Personal data includes personal email addresses, phone numbers and similar identifiers that are commonly used for marketing.
  • Organizations in regulated industries such as retail, finance and healthcare have to deal with added layers of complexity to comply with competing regulations.
  • To implement appropriate technical measures to comply with “privacy by design,” organizations must include email encryption and compliance capabilities to their email security infrastructure.

To comply with GDPR, key capabilities to consider while evaluating your email security include:

  • A comprehensive multi-layered approach that provides strong inbound and outbound protection
  • Sandboxing and quarantining of any unknown email attachments to prevent breaches
  • Strong encryption and DLP for compliance and regulatory requirements

Download our tech brief to learn more about SonicWall Email Security’s compliance and encryption service, and how it can help you comply with the EU GDPR.

Capturing the World’s Latest Malware so You Can Fear Less

If anyone ever needs proof of how effective SonicWall Capture Labs is, look back to the WannaCry ransomware attack in May 2017 and, just last week, the NotPetya malware. While over 250,000 endpoints were compromised in over 150 countries, SonicWall customers with active security subscriptions were largely unaffected.

Why were they unaffected?

Our customers were protected because SonicWall had identified and created signatures for all exploits of the SMB vulnerability, as well as early versions of WannaCry, weeks in advance. Any of our customers with active Gateway Anti-virus and Intrusion Prevention System (GAV/IPS) services received those signatures automatically, and thereby blocked this ransomware variant and the worm that spread it across the globe. This was possible because SonicWall Capture Labs gathers millions of samples of malware in order to protect our customers from the latest threats.

In 2016, SonicWall’s Capture Labs Threat Research processed over 60 million unique pieces of malware that were previously unknown to us.  This included versions of polymorphic malware, newly developed malicious code and zero-day attacks. The result of this work created countless signatures and other countermeasures that protected our customers from the latest attacks across our product portfolio.

So where does SonicWall get all of these malware samples?

With over 1 million sensors placed around the world, our Capture Labs Research Team receives a very large volume of data from real customer traffic. Our SonicWall Capture Advanced Threat Protection (ATP) service is a network sandbox that runs suspicious code to find unknown malicious code. Business networks encounter an average of 28 new, zero-day versions of malware over a calendar year, and Capture ATP is designed specifically to prevent this.

In addition, SonicWall participates in numerous industry collaboration efforts such as the Microsoft MAPP program, so our researchers receive new verified threats before the public. We also actively engage with numerous international threat research communities and freelance researchers so that our in-house team possesses samples of uncommon attacks and vulnerabilities.

Read this eBook to learn how to protect against ransomware with a multi-layer threat elimination chain to stop known and discover unknown malicious code targeting your organization.

Fenrir Ransomware pretends to be Adobe Acrobat Reader

This week, the SonicWALL Threats Research team received reports of yet another ransomware, called Fenrir. It purports to be an Adobe Reader file and appends the victim computer’s hardware ID (HWID) to encrypted files as a new extension.

Infection Cycle:

This Trojan uses the following icon and file properties:

Upon execution, it makes the following DNS query:

It then proceeds to encrypt the victim’s files. It appends a new extension to all encrypted files using the computer’s HWID:

It also drops the following files:

  • %Desktop%\Ransom.rtf

The file “Ransom.rtf” contains the instructions for paying to get your files back. The malware then displays a splash screen with the same ransom message and instructions, along with a 72-hour countdown.

If you click the red “I will not pay” button, this message appears, but no files are actually deleted:

If you click the blue button that reads “I sent my payment, retrieve my files”, it asks for a password, presumably supplied after communicating with the cybercriminals. Entering a bogus password does nothing, so it is unclear whether files would be retrieved once payment is made.

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Fenrir.RSM (Trojan)