
    Malware Mania: the More Things Change, the More They Stay the Same

    By BUFFERZONE Team, 26/01/2016

    The startling headlines scream out like something from the front page of a supermarket tabloid: “Terrifying New Malware on the Loose!”, “First-Ever Cyber Menace Spotted in the Wild”, “Cyber Criminals Unleash Mega Virus” and so on. The only things missing are the obligatory fuzzy close-up photo of a cyber criminal wearing a hoodie, and of course, a tie-in to Elvis Presley, Bigfoot or Area 51.

    Yes, we are being sarcastic, and perhaps a little facetious as well. But there is method in our mockery. There is simply no reason why so many of these threats should be presented as unique, because we have seen the basic formula at work many times before – just in a different disguise. The latest example is Ransom32.

    Ransom32 is ransomware written in JavaScript. It travels through cyberspace as an .scr executable file attached to an email; the file is, in truth, a self-extracting WinRAR archive. Once it infects a device, it unpacks into a temp folder and creates a shortcut named “ChromeService” in the victim’s Startup folder, which ensures that it is executed on every boot.

    From there, Ransom32 connects to a command and control (C&C) server on the TOR network, which allows the bad actors to lock the victim’s computer and display a ransom demand with Bitcoin payment information. Much like a parking ticket, victims who do not pay before the countdown timer reaches zero must pay a higher amount (currently 1 extra Bitcoin, or $350). Victims who do not pay within seven days lose access to their files forever. For now, Ransom32 has only been spotted attacking Windows-based systems, but the NW.js framework it is built on is capable of running on Mac OS X and Linux as well.
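    The infection chain described above (an .scr launched from a temp folder, a shortcut dropped into the Startup folder, then an outbound connection to TOR) is exactly the kind of sequence an endpoint detection rule can look for. The following is an added example, not BUFFERZONE code: it runs three heuristics over a constructed list of simplified, Sysmon-like events, and flags an image path as high-confidence only when all three stages are seen for it. The event schema, the sample paths and the TOR relay ports used as a hint are assumptions.

```python
import re

# Constructed, simplified endpoint events with Sysmon-like fields (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\invoice.scr",
     "parent": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"},
    {"type": "file_create", "image": r"C:\Users\alice\AppData\Local\Temp\invoice.scr",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChromeService.lnk"},
    {"type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\invoice.scr", "dest_port": 9001},
    # Benign control event: the real browser launched from Program Files by explorer.exe.
    {"type": "process_create", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# Processes executing out of a per-user or system temp folder.
TEMP_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# A .lnk written into the per-user Startup folder (the persistence step).
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Default TOR relay ports; a weak hint only (assumption), not proof of TOR traffic.
TOR_PORTS = {9001, 9030}


def detect(events):
    """Return (rule, image, evidence) tuples for events matching a Ransom32-style stage."""
    alerts = []
    for ev in events:
        image = ev.get("image", "")
        if not TEMP_RE.search(image):
            continue  # every stage below involves a process running out of a temp folder
        if ev["type"] == "process_create" and image.lower().endswith(".scr"):
            alerts.append(("scr_launched_from_temp", image, ev.get("parent", "")))
        elif ev["type"] == "file_create" and STARTUP_RE.search(ev.get("target", "")):
            alerts.append(("startup_shortcut_from_temp", image, ev["target"]))
        elif ev["type"] == "network" and ev.get("dest_port") in TOR_PORTS:
            alerts.append(("tor_port_from_temp", image, ev["dest_port"]))
    return alerts


def chained_images(events):
    """Image paths for which all three stages of the chain were observed (high confidence)."""
    seen = {}
    for rule, image, _ in detect(events):
        seen.setdefault(image, set()).add(rule)
    return sorted(img for img, rules in seen.items() if len(rules) == 3)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print("full chain:", chained_images(SAMPLE_EVENTS))
```

    Each heuristic on its own is noisy (installers also write Startup shortcuts from temp folders); the value is in correlating the stages per process image.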

    Based on this, it is fair to say that Ransom32 has more flair than your average, everyday piece of ransomware. But the fundamentals are very familiar. Essentially, it is just another in a long line of threats that download malware and encrypt files. It is certainly not the first variation or iteration, and without question, it will not be the last.

    Though it is hard to find any “good news” in a story about malware, there is surprisingly something to be optimistic about: since Ransom32 is categorically not unique — despite what the headlines scream — organizations that use virtual container technology are protected. If an employee unwittingly downloads Ransom32, it is isolated on their endpoint and therefore cannot reach the hard drive and carry out its illicit instructions. IT or network security staff can then wipe the container clean while they investigate and proactively fortify attack-surface vulnerabilities; or, at the very least, re-train employees on the do’s and don’ts (emphasizing the latter) of safe computer usage.

    The bottom line? When it comes to headline-grabbing malware mania – with Ransom32 merely the latest super ultra mega scary threat du jour – the more things change, the more they stay the same. We have all come across this basic story many, many times before – which is welcome news for organizations that use a virtual container to keep malware off their endpoints and away from their network.