A new strain of ransomware is adding psychological tactics to its code to try and extort money faster, borrowing from cult horror film franchise Saw. The Windows malware, dubbed BitcoinBlackmailer.exe or JIGSAW, follows the usual practice of encrypting the victim's files, and adding a .FUN extension for giggles. A popup screen …
Is that a lot of those ransomware viruses get spread through none other than advertisements. Obviously compromised advertisement sources, but nonetheless: the culprit didn't have much chance on clients which used an ad blocker of some sort. And it makes perfect sense too: if you manage to compromise such an ad source then you'll automatically target several websites at once. Win-win.
This happened a few weeks ago in Holland where dozens of very well known newspaper and media sites turned out to be the (temporary) distributors of such a notorious ransomware virus. And to add insult to injury some of those sites even used "adblock warnings". You know: you enter the site and you're alerted that you're using an ad blocker and are also requested to turn it off.
So basically, during the time of the virus, the sites themselves helped to actively spread it. Provided someone actually followed up on the "adblock disable advice" of course.
Which is why I think that ad blockers should be considered security software: worthy extensions of virus scanners and other tools to block nasty things from happening on your PC. Ask yourself this: what's worth more to you, the security of your computer or the revenue of a 3rd party? The problem should be obvious: you may consider said 3rd party a trusted source, but even if you do, you'll have no way of knowing where all the advertisements will be coming from.
None of them will stop and think for a minute about security implications of disabling ad-blockers.
From the oriel.io piece:
"Like regular users when we come across missing sections or errors on a website, we assume the site is simply broken. However, we forget or don't realize that our adblocker can be the culprit not the website we are visiting, and what do we do? - Go somewhere else, get frustrated, complain?"
Here, they seem to be suggesting that some websites are 'broken' by ad blockers, and that the sites themselves are not broken. It seems to me, however, that the sites themselves are very much broken if this happens, and the ad blockers are merely highlighting the fault.
Either way, it's just scare tactics. They may as well have added "think of the children" and claimed that some of these broken websites were sites for kids. And they surely missed a trick by not calling developers of ad blockers terrorists.
The software probably keeps track of the system time (every second) and if the clock goes backwards does more nasty stuff. It is standard to include a feature in time-limited (30-day free trial) software to check for system date tampering and, if found, terminate the free/temporary licence.
This isn't Saw inspired.
If it were, the victims would have to dig the decryption keys out of a dead man's stomach or be forced to crawl through bleach-covered barbed wire to get the keys.
If the day comes that you wake up chained to the toilet from Trainspotting, next to a hammer drill with a thumb drive forced into your skull with the decryption keys on it after visiting a nefarious site, only then can we call it "Saw inspired".
Incidentally, this might be a useful way to 'inspire' sysadmins into setting up proper backups.
"Hello Dilbert, you've been living your life very precariously with your half-cocked backups and flimsy DR plan. This is generally unacceptable behaviour. As a result, I have set up this game for you to help you understand the error of your ways. Next to you is Diane from accounts; she opened up an attachment with a toxic payload that came from an unknown source and got through your puny mail filtering rules. She is alive but heavily sedated. Next to her is the lid off a toilet cistern. I have embedded a thumb drive with the decryption keys to retrieve all of your data somewhere inside this woman. You have two options: gnaw your own arm off to escape to an almost certain sacking, or extract the drive using the tool provided. Take responsibility like a man or throw your colleague under the bus. Make your choice."
Apparently this attack is aimed at everyone who isn't computer security savvy, and isn't too lazy to do some simple research to get the key. Also, asking for only $20 tells me the motivation wasn't to get wealthy; rather, to make a statement.
Wouldn't mind doing a binary disassembly on this to find out if the first round or two of deletions are aimed at something specific to get your attention but something you could easily download and replace, such as Steam files.
Is some good old-fashioned death-by-slow-torture for the idiots who write ransomware.
Add to this my personal favourite: force-feeding a kilo of iron ball bearings, then a few hours later strapping them to an MRI gurney and setting the scanner on maximum. Bwahahahaha...
I would say attach cannon balls to each side of his testicles with hooks going through them for writing and putting something like this out into the wild and trying to extort people for money. Tell him he has a choice: he has to either lose his testicles or put his testicles in a vice with the vice clamped down as tight as it will go. If it sounds harsh, I have no sympathy for people that use these kinds of tactics to extort people with money as a motive.
Biting the hand that feeds IT © 1998–2019