In a worrying trend, cybercriminals have launched another ransomware attack wave with several new malicious strains hitting both businesses and consumers alike. A new strain of CryptoWall has hit end users with phishing emails containing malicious .chm attachments (the extension used for help files) infecting networks with the most sophisticated ransomware to date. A newly discovered strain called CryptoFortress was discovered last week that has the look of TorrentLocker but is able to encrypt files over network shares even if they are not mapped to a drive letter. Law firm Ziprick and Cramer LLP of California began notifying clients on February 27th of a ransomware attack by a new "CryptoLocker-like" variant that infected one workstation and was spread to their server.
It doesn't end there. Another new ransomware called TeslaCrypt attempts to cash in on the $81 billion gamer market by placing a strong emphasis on encrypting video game related files. Unlike other ransomware that typically target images, documents, videos, and application databases, TeslaCrypt also targets over 40 different video game related files such as RPG Maker, Call of Duty, Dragon Age, StarCraft, MineCraft, World of Warcraft, World of Tanks, and Steam.
Stu Sjouwerman, CEO of KnowBe4 stated, "These new capabilities of cryptoware change the threat landscape for all server and network administrators and it is even more important than ever to properly secure your shared folders with strong permissions. Between increasingly sophisticated phishing emails and exploit kits on compromised websites, users need to be trained to recognize threats with effective security awareness training. System administrators should also patch workstations religiously and tighten up proxy/firewall rules."
CryptoWall 3.0 is the most recent version of CryptoLocker and hides its malicious payload as an attachment. The latest wrinkle is that the fake "incoming fax report" email looks to the user to come from a machine in their own domain. Discovered by BitDefender in late February 2015 with global targets, this version encrypts the files of all mapped drives and demands a $500 ransom in Bitcoin. Cybercriminals use .chm files to automatically execute malware once the file is accessed.
CryptoFortress includes the new and nasty feature of being able to encrypt files over network shares even if they are not mapped to a drive letter. Normally when ransomware encrypts data it does so by retrieving a list of drive letters on a computer and then encrypting any data on them. Therefore any network shares on the same network would be safe as long as they were not mapped to a drive letter. Unfortunately this all changes with CryptoFortress as this ransomware will also attempt to enumerate all open network Server Message Block (SMB) shares and encrypt any that are found.
Sjouwerman advised, "Security awareness training is really needed for every employee in any organization. Since employees often access their own personal email over company networks or surf the web over lunch, it is essential to put in place a more effective human firewall and protect your company assets."