0161 726 5997 Info@FoxSecurity.co.uk

Ransomware has been hitting the cybersecurity headlines throughout the last year, and it shows no sign of slowing down.  The latest varients are now targeting a number of remarkable victims, and demanding huge patments to unlock the encrypted data.

So what are these new industries that the criminals are focussing on?

The first is UK schools.  It’s being reported that schools are being contacted over the phone by these crooks who pretend to be calling from the Department of Education.  They request the email addresses of the senior teachers or headteacher within the school, indicating that there is important document that needs to be passed through.  They then send the infected emails through, with ransomware hidden in the attachments which are given the appearance of legitimate documentation.

It’s not the first time that certain criminal groups have shown just how far they will go – as earlier in 2016 there were reports coming from hospitals that they were being targeted and strong-armed into paying the ransom demands.

Next on the list of fresh targets is HR departments.

This approach uses fake job applications as the method of tricking unsuspecting staff into opening the attachments.  Since applications can come in from any source, HR staff are more likely to open emails from unknown email addresses.

It’s using an updated version of the Petya ransomware, with this new version being called GoldenEye.

The campaigns began in Germany at the beginning of this month, but having seen the success there are many copycats attempting the same across the rest of the world.  It usually involves two parts – the first being a covering letter which doesn’t contain any malware.  This establishes trust with the victim, who will then go on to open the CV itself.  Most people would expect a CV to come as a Word document, but for some reason the GoldenEye approach uses an Excel spreadsheet using malicious macros.  Since newer versions of Excel include protection against automatically running macros, the spreadsheet displays what looks like a loading image, along with a request to enable the macros so the rest of the content can be seen.  Upon enabling, the macros executes a script which runs in the background to encrypt the files.

Each of the encrypted files will have a random extension added which is made up of 8 characters, and once finished, the script displays a message to the user informing them that their files have been locked.  As soon as this has finished, the machines will restart in a mode which looks like it’s running a CHKDSK command, but which is really a fake screen which is hiding that the ransomware is encrypting the entire disk.

Once complete, a screen is displayed which explains how to obtain a decryption key, by paying the attackers via a portal.  At present, the ransom is set at 1.3 Bitcoins, which translates to around £800, but this may change over time.

And the final entry in the list of fresh targets is Google TV – specifically on LG’s smart TVs.

It’s been rumoured for some time, but we finally have proof that Android malware can spread beyond the phones and tablets that we’re all familiar with, and into other devices which are powered by the OS – specifically smart TVs  in this instance.

Ransomware TV set

Source: Darren Cauthon

A software engineer has posted a screenshot of the hacked device, showing that the system has been infected with the Cyber.Police ransomware.  This malware, which comes under a number of different names, including Dogspectus, has infected the latest models of LG TVs.  Google discontinued the Smart TV project in 2014, so there will be no further updates to the application itself, and LG have stopped using Android in their TVs since, now opting for WebOS – based on Linux.

The owner of the TV in this instance was particularly annoyed that although the ransomware itself was demanding around $500 to unlock the system, LG wanted nearly as much themselves – $340 dollars for a trip to the services center.  This was just for a factory reset – a process that LG doesn’t want to be released to the public.

The infection appears to have occurred because of an infected app being installed on the TV by the owner’s relative, although it’s not clear if this was done legitimately.

Since 2015, a number of different security companies have tested ransomware on smart TVs, and all of them have had difficulty in removing it – so there’s little hope for a non-techie person being able to do it by themselves.

Only time will tell, but it does seem that there are variants out there which are specifically targeting smart TVs.  The problem may not get any better when Google releases its successor to Android Tv in the near future.  Android TV is likely to be slicker, and will claim a strong stake in the smart TV market, but it’s unlikely that TV manufacturers will continually provide updates for the lifespan of the television.  A better alternative may be to disable the functionality in the TV itself, and pick up an Android TV external box which can be plugged in via HDMI.  This way, should the vastly cheaper box become compromised, the customer will have less difficulty in fixing or replacing the faulty item.

Please remember to keep backups of all critical data – but make sure that at least one copy of the backed-up data is held offline.  That way, should the worst happen, you will not find that your backups have been overwritten by the same malware that compromised your original data.

If you have any questions around malware, or any comments on this article, please do get in touch, or leave some feedback below.