TrendMicro researchers have observed a spike in spam campaigns distributing Cerber, Petya, and Locky ransomware. The three families are plaguing users in Germany, but the impact of their operators goes beyond borders. Another ransomware operation that has been quite active lately is GoldenEye, again targeting German-speaking users. As to why ransomware operators are targeting this European country: German users may be more likely to pay the ransom.
Ransomware Campaigns Targeting Germany, December 2016
TrendMicro has shared feedback from their Smart Protection Network:
Feedback from our Smart Protection Network™ cites Germany, Turkey, Italy, Spain, and France among the top countries in Europe with high ransomware detections from January to November 2016.
Roughly another third of the ransomware seen in Germany arrived through malicious URLs, while spam email remained the primary distribution method at 63%. Malicious URLs associated with Locky peaked at over 700 during the second week of November. From the last week of November to mid-December, the number of such URLs TrendMicro blocked ranged between 50 and 400.
Another campaign recently detected in Germany used tailored spam emails impersonating the cybercrime department of the Cologne police. Recipients were accused of fraud and prompted to open a (malicious) attachment. The .ZIP file contained a Word document detected as W2KM_CERBER.DLBZY. As usual, the document had a malicious macro embedded that would download and run a Cerber ransomware copycat.
The ransomware in question was detected as RANSOM_HiddenTearCerber.A.
The copycat ransomware demonstrates how other strains impersonate user interfaces and build on the notoriety and seeming success of families such as CryptXXX, Locky, and Cerber to earn a fast buck.
As the detection name indicates, the Cerber copycat is based on Hidden Tear, the open-source ransomware that has enabled many non-professional cyber crooks. The copycat targets and encrypts 128 file types, retrieves the system's Volume Serial Number, and appends the .cerber extension to the encrypted files.
Copycat or original, all ransomware cases have one thing in common, explained in the quote below:
Recent Malicious Campaigns Also Dropping Banking Trojans
Researchers uncovered a spam email campaign made to look like it came from a telecommunications company. The email carried URLs that spoofed the impersonated organization and claimed to be a notification of a mobile phone bill. Users were pushed to open a zipped PDF attachment, which downloaded a variant of the Sharik/Smoke Loader Trojan.
Among the other Trojans observed in December operations were well-known names such as EMOTET, DRIDEX, and ZeuS/ZBOT, and TrendMicro's detections of them in Germany increased during the same period.
DRIDEX remained low-key until we detected a surge of around 250 active URLs in mid-December, while EMOTET used over 100 URLs in November. Zeus/ZBOT, which has been evolving since 2007, had a fair number of active URLs in its employ, peaking at 250 from October to mid-December.
These Trojans are old, but they are still deployed quite often, mainly for data theft such as harvesting login credentials. Only slight differences in modus operandi and social engineering tricks were observed. The operators either steal money directly from victims' bank accounts or peddle the stolen data in underground marketplaces, the researchers say.
How to Stay Protected: Tips for Keeping Malware and Ransomware Away
- Make sure a firewall is enabled and configured. A host firewall that blocks unsolicited inbound connections is a useful second layer behind the network firewall.
- Make sure your programs run with the least privilege they need. Work from a standard (non-administrator) account and keep User Account Control enabled, so that anything needing admin rights has to prompt you first.
- Use stronger passwords. Long, unique passwords that are not dictionary words are much harder to crack, since brute-force and wordlist attacks rely on lists of common words and phrases.
- Turn off AutoPlay. This keeps malicious executables on USB sticks or other removable media from running automatically as soon as the device is inserted.
- Disable file sharing where you do not need it. If you do need shares, require authentication and limit write access, so that an infected machine can only encrypt what its own account can reach.
- Switch off remote access services you do not use. Exposed remote services can be devastating for business networks, since one compromised host can be used to cause damage on a massive scale.
- Disable Flash and similar plugins. If a component that is not critical to Windows, such as Flash Player, is being actively exploited, disable it until an update that fixes the vulnerability is available.
- Update all software as soon as patches are available; never underestimate critical security patches for your applications and OS.
- Configure your mail server to block and delete emails carrying suspicious attachments, such as archives containing executables or Office documents with macros.
- Isolate compromised computers. If a computer in your network is compromised, isolate it immediately by disconnecting it from the network by hand. Powering it off also stops the encryption, but it destroys volatile evidence that incident responders may need, so disconnect first and decide about shutdown afterwards.
- Turn off infrared ports or Bluetooth when not in use; attackers like to use them to reach devices. If you do use Bluetooth, decline any pairing request from a device you do not recognise and investigate it.
- Back up your data regularly, and keep at least one copy offline or otherwise out of reach of the machines it protects. This is the single best defence against ransomware.
- Employ a reputable anti-malware solution to catch future threats automatically.
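The two lures described above (a ZIP holding a Word document with a malicious macro, and a zipped "phone bill" that actually delivers a downloader) are exactly what the mail-server tip is meant to stop. The following Python gateway-side attachment triage is an added example, not TrendMicro's code and not part of the original article: it unpacks ZIP attachments in memory, flags Office documents that carry a VBA project, executable types, decoy double extensions such as `.pdf.exe`, and quarantines legacy binary Office files for a macro scan. The extension lists are an assumed policy, and the file names and archive contents are constructed stand-ins for the campaigns, not real samples.

```python
"""Gateway-side attachment triage modelled on the two lure shapes described above.

Added example; not TrendMicro's code and not part of the original article.
The file names, extension lists and archive contents are constructed assumptions.
"""
import io
import os
import zipfile

# Extensions that should never arrive unsolicited by e-mail (assumed policy, adjust to taste).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".wsf",
                      ".hta", ".bat", ".cmd", ".ps1", ".jar"}
# Decoy extensions typically placed in front of the real one, e.g. "Rechnung.pdf.exe".
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "jpg", "png", "txt"}
# Office Open XML formats are ZIP containers; an embedded VBA project appears as a
# vbaProject.bin member under word/, xl/ or ppt/.
OOXML_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
# Legacy binary Office files are OLE compound documents with this signature; finding
# macros inside them needs a full OLE parser, so they are quarantined for a scan.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
LEGACY_OFFICE_EXTENSIONS = {".doc", ".dot", ".xls", ".ppt"}
MAX_MEMBER_SIZE = 50 * 1024 * 1024  # refuse to inflate oversized members (zip-bomb guard)
MAX_DEPTH = 2                       # archives nested deeper than this are blocked unread


def has_decoy_double_extension(name):
    """True for names like 'Rechnung.pdf.exe': a document-looking part hiding a blocked type."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS and "." + parts[-1] in BLOCKED_EXTENSIONS


def ooxml_has_vba(data):
    """True if the OOXML container lists a vbaProject.bin part (i.e. has a macro project)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(name, data, depth=0):
    """Return the list of reasons to block this attachment; an empty list means deliver."""
    reasons = []
    ext = os.path.splitext(name.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"{name}: executable attachment type {ext}")
    if has_decoy_double_extension(name):
        reasons.append(f"{name}: decoy double extension")
    if ext in OOXML_EXTENSIONS and ooxml_has_vba(data):
        reasons.append(f"{name}: Office document with embedded VBA project")
    if ext in LEGACY_OFFICE_EXTENSIONS and data.startswith(OLE_MAGIC):
        reasons.append(f"{name}: legacy binary Office document, quarantine for macro scan")
    if ext == ".zip":
        if depth >= MAX_DEPTH:
            reasons.append(f"{name}: archive nested too deeply")
            return reasons
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                        reasons.append(f"{info.filename}: encrypted archive member, cannot be inspected")
                        continue
                    if info.file_size > MAX_MEMBER_SIZE:
                        reasons.append(f"{info.filename}: archive member too large to inspect")
                        continue
                    reasons.extend(triage_attachment(info.filename, z.read(info), depth + 1))
        except zipfile.BadZipFile:
            reasons.append(f"{name}: corrupt archive")
    return reasons


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for member_name, member_data in members.items():
            z.writestr(member_name, member_data)
    return buf.getvalue()


# Constructed samples (not real campaign artefacts):
# 1. the "police" lure: a ZIP holding a Word document that carries a VBA project
SAMPLE_POLICE_ZIP = build_zip({
    "Anzeige_Polizei_Koeln.docm": build_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\x00" * 32,
    })
})
# 2. the "phone bill" lure: a ZIP holding an executable behind a .pdf decoy extension
SAMPLE_TELCO_ZIP = build_zip({"Mobilfunkrechnung_Dezember.pdf.exe": b"MZ" + b"\x00" * 64})
# 3. a harmless attachment: a Word document without any VBA project
SAMPLE_CLEAN_DOCX = build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})

if __name__ == "__main__":
    for label, name, blob in [("police lure", "Anzeige.zip", SAMPLE_POLICE_ZIP),
                              ("phone bill lure", "Rechnung.zip", SAMPLE_TELCO_ZIP),
                              ("clean report", "Bericht.docx", SAMPLE_CLEAN_DOCX)]:
        verdict = triage_attachment(name, blob)
        print(f"{label}: {'BLOCK' if verdict else 'deliver'}", *verdict, sep="\n  ")
```

Encrypted ZIP members deserve a block rather than a pass: a gateway that cannot look inside an archive has no basis for delivering it, and password-protected archives with the password in the mail body are a common way to slip past exactly this kind of check. The legacy `.doc` branch only quarantines; deciding whether such a file actually contains macros needs an OLE parser such as the oletools project, which is outside this example.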