Showing posts with label ransomeware. Show all posts

Wednesday, October 22, 2014

Android Ransomware Spreading via SMS

From Eskenzi PR Ltd:

Following the news that the Koler worm is spreading via SMS and holding Android phones for ransom, Mark James, security specialist at ESET, explains how the attack works and how to get rid of it:

"The natural progression from desktop to mobile device for ransomware was going to pick up momentum at some point and sure enough, we are seeing more and more cases of malware on the mobile platforms (Android). The biggest factor in this is people's assumption that they are safe on a mobile.
"In this particular case, an SMS is used for the initial contact - which in itself can lure a level of trust that emails do not have. If the masked (truncated) link is followed, a page will display some kind of tasty treat for free (that may include a free service or free app) which, once installed, will contain the malware. Ransom screens are then presented on your device with no apparent way to get rid of them. These often will use such words as "child pornography", designed to scare the individual into paying the ransom to have it removed.
"Removing these types of infections is often very simple and can be done by either booting into safe mode (internet searches will often yield many results on how to do this yourself) and uninstalling the offending application (or the last installed app if you don't remember the name) or, as a last resort, factory resetting the device and restoring from your last good backup (maybe 1 or 2 days prior, to be safe). The best advice I can give here is DO NOT install any apps from third party websites or links; both Apple and Google Play are by no means 100% safe, but they are a lot safer than using a random website to install apps."

Related Books:

Android Malware and Analysis by Ken Dunham and Friends

Android Security: Attacks and Defenses by Anmol Misra and Abhishek Dubey

Wednesday, October 15, 2014

CryptoWall 2.0 Ransomware Moves to TOR Network


Dangerous new ransomware variant storms onto the scene using the anonymous TOR network, taking down systems and networks unlucky enough to be caught in its path

Tampa Bay, FL (October 15, 2014) KnowBe4 issued an alert to IT Managers that a new version of the world's most widespread ransomware, CryptoWall, has migrated to the TOR network. It has been upgraded to version 2.0, and continues to encrypt files so that a ransom can be extracted if there are no backups or if the backup process fails, which is a common occurrence.

KnowBe4 received a panic call from an IT admin who was hit this week with CryptoWall. The admin's workstation became infected with the malware. The workstation was mapped to 7 servers and within an hour, the entire server farm was shut down. The admin explained he had backups but it would take days to recover the data and get them back up and running. The company's operations would be severely impacted.

"The cyber criminals hit pay dirt with this one and the admin ended up paying the ransom, 1.3 Bitcoin, rather than face the serious costs caused by days of downtime," said Stu Sjouwerman, KnowBe4's CEO. "This is the next generation of ransomware and you can expect this new version to spread like wildfire."

CryptoWall 2.0 went live October 1st and is now using the anonymous TOR network, making it very difficult to analyze or take down. Earlier versions of CryptoWall were not using TOR but plain HTTP, which allowed researchers to analyze the communication between the infected machine and the command & control server so they could take down the servers that delivered the malware. This version of CryptoWall has been tested for months, and the malware uses innovative ways to propagate itself, such as ads on websites that take advantage of vulnerabilities in browsers and unpatched plug-ins.

Sjouwerman advises these three steps as something IT admins HAVE TO, HAVE TO do:

1. Make regular backups, and have a backup off-site as well. TEST your restore function regularly to make sure your backups actually work.

2. Patch browsers as soon as possible, and keep the amount of plug-ins as low as you can. This diminishes your attack surface.

3. Step all users through effective security awareness training to prevent malware infections from starting in the first place.

For end users, Sjouwerman advises, "Think before you click. Don't open anything from someone unless you are expecting it. Hover over an email address to make sure it's from a valid domain, one you know and recognize."