Apart from understanding the ransomware tactics and techniques beyond encryption, it is equally important to understand how they arrive in the environment. Our recent analysis reveals that majority of ransomware families can be stopped at the exposure layer—web and email. In fact, Trend Micro has blocked more than 66 million ransomware-related spam, malicious URLs, and threats from January to May 2016.Read More
Ransomware behavior has been the talk of the town. We have seen oddly long ransom payment deadlines from GOOPIC, password stealing capabilities from RAA, chat support from the latest JIGSAW variant, and all these are just incidents discovered this June. But among these new behaviors, we came across a truly unique behavior in MIRCOP crypto-ransomware.
Detected as RANSOM_MIRCOP.A, MIRCOP places the blame on users and does not give victims instructions on how to pay the ransom. In fact, it assumes that victims already know how to pay them back.Read More
Users of the TeamViewer remote-access service have been complaining in recent weeks about how their systems have been hacked into, unauthorized purchases made on their cards, their bank accounts emptied. Initially it was believed that this was due to a hack into TeamViewer itself, but the company has denied this. Instead, they have blamed password re-use, especially with millions of old passwords in the wild thanks to disclosed social network breaches.
Others have speculated that malware could be in use somehow, and that may be the case. We have evidence that trojanized TeamViewer installer packages have been used in a spam campaign that resulted in attackers gaining remote access to various systems. While this particular spam campaign used an old version of TeamViewer, we can’t dismiss the possibility of other attacks using newer versions.Read More
At a glance, it seems that DRIDEX has dwindled its activities or operation, appearing only for a few days this May. This is quite unusual given that in the past five months or so, this prevalent online banking threat has always been active in the computing landscape. Last May 25, 2016, we observed a sudden spike in DRIDEX–related spam emails after its seeming ‘hiatus.’ This spam campaign mostly affected users in the United States, Brazil, China, Germany, and Japan.Read More
In 2014, we began seeing attacks that abused the Windows PowerShell. Back then, it was uncommon for malware to use this particular feature of Windows. However, there are several reasons for an attacker to use this scripting technique.
For one, users cannot easily spot any malicious behavior since PowerShell runs in the background. Another is that PowerShell can be used to steal usernames, passwords, and other system information without an executable file being present. This makes it an attractive tool for attackers for carrying out malicious activities while avoiding easy detection.Read More