It’s Here …

The Evolution of Wiper Malware into Ransomware

fsociety
All eyes should be on the Ukraine for more reasons than one. ESET claims they believe that BlackEnergy, the group responsible for attacks against the energy sector in the Ukraine, has morphed into Telebots, and are responsible for a series of attacks against “high value targets” in the financial sector in the Ukraine. The group utilized backdoor trojans and malicious emails. The TeleBots malware is distinctive “because it uses the Telegram protocol to communicate with its operators”.  The attackers rendered computers unbootable and hid their tracks using Killdisk to delete critical system files, replace files, and rewrite file extensions. The ESET article offers a very detailed and comprehensive analysis with IOCs, file extensions etc. which I won’t copy over here but highly recommend you look at.

According to Tripwire, “TeleBots is also an evolution of Sandworm, a Russian espionage gang which exploited CVE-2014-4114 to attack NATO and other Western organizations in 2014 and used KillDisk against several Ukrainian power companies in December 2015.” This includes ICS targets in the US in 2014.

telebots

And it gets better. Guess what they’re using? Killdisk wiper malware. Because wiper malware means never having to say you’re sorry.  But wait – there’s more.  It appears Telebots has helped the Killdisk evolve from wiper malware into ransomware, according to researchers with CYberX, a security firm specializing in ICS SCADA. We can expect lucrative extortion attacks against industries, because those are systems that cannot easily be secured or defended.   Per Catalin Cimpanu of Bleeping Computer,  “KillDisk’s ransomware component makes it easier for the gang to hide its tricks. It also means the group can extort industrial organizations, targets which can’t afford to not access their data or shut down their networks to scrub them of malware.

killdisk

The ransoms asked are roughly $215,000.  Never mind what comes next. Buckle up guys, we’re in for a rough ride.
http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/

https://www.tripwire.com/state-of-security/latest-security-news/killdisk-wiper-malware-evolves-ransomware/

https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s