"This particular strain is new and quite harmful as
it takes advantage of file-less infections that can communicate through the TOR
network," said Sjouwerman. "We are going to continue to see more and
more ransomware this year and this is just the latest innovation."
This strain checks whether it is running on a virtual machine, to frustrate security researchers and analysts. End-users might visit a major site on their lunch break, such as HuffingtonPost, Photobucket, CBSsports, or Match.com, and click on a headline like "Granny opening a new iPhone video" or "These are the Charlie Hebdo cartoons that terrorists thought were worth killing over". Clicking that one link is enough to be confronted with a full screen announcing that all personal or business files, photos and videos have been one-way encrypted, and that getting them back requires paying a ransom in Bitcoin.
The cybercriminals first set up a short-lived burner domain pointing to a landing page where the exploit kit is hosted. They then bid in real time for ad slots, with the ads pointing to the burner domain. Once the malicious ad is displayed on a popular website and a user clicks on it, the user is redirected to the malicious domain, which in turn infects the workstation.
The same gang is also using 0-day exploits for Flash Player, and is apparently able to change its malware on the fly to exploit the most recent vulnerabilities. Fessleak drops a temp file via Flash and makes calls to icacls.exe, the Windows utility that sets permissions on folders and files. At this time there is no detection for the malicious binary, which likely rotates its hash value to avoid antivirus detection.
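Because the binary apparently rotates its hash, hash-based antivirus signatures are the wrong place to look; the behaviour the article describes (a browser or a freshly dropped temp file launching icacls.exe) is stable across samples and can be matched in process-creation telemetry. The script below is an added example and not code from the article or from KnowBe4: it parses a handful of constructed process-creation events in a simple key=value form (the field names `ts`, `host`, `parent`, `image`, `cmdline` are an assumption and would need mapping onto whatever your EDR or Sysmon/4688 logs actually emit) and flags icacls.exe launches that fit the chain, while leaving an administrator's icacls call from cmd.exe alone.

```python
"""Flag icacls.exe launches that fit the browser -> temp file -> icacls chain.

Added example; the event format and sample lines are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed process-creation events. The field names are an assumption, not the
# article's data, and would be mapped onto your own telemetry in practice.
SAMPLE_EVENTS = [
    r'ts=2015-02-03T12:14:02Z host=ws17 parent="C:\Program Files\Internet Explorer\iexplore.exe" '
    r'image="C:\Windows\System32\icacls.exe" '
    r'cmdline="icacls C:\Users\alice\AppData\Local\Temp\a1b2.tmp /grant Everyone:F"',
    r'ts=2015-02-03T12:14:05Z host=ws17 parent="C:\Users\alice\AppData\Local\Temp\a1b2.tmp" '
    r'image="C:\Windows\System32\icacls.exe" '
    r'cmdline="icacls C:\Users\alice\Documents /deny Everyone:(OI)(CI)W"',
    # Benign: an administrator fixing share permissions from a shell.
    r'ts=2015-02-03T12:20:11Z host=ws04 parent="C:\Windows\System32\cmd.exe" '
    r'image="C:\Windows\System32\icacls.exe" '
    r'cmdline="icacls D:\Share\Finance /grant Finance:(OI)(CI)M"',
    # Benign: a browser spawning one of its own processes, not icacls.
    r'ts=2015-02-03T12:21:40Z host=ws04 parent="C:\Program Files\Mozilla Firefox\firefox.exe" '
    r'image="C:\Program Files\Mozilla Firefox\firefox.exe" cmdline="firefox.exe"',
]

# key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Browser executables that should never be the direct parent of icacls.exe.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
# A path component named Temp or tmp, case-insensitive.
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict (quoted or bare values)."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like the Fessleak icacls chain; empty if none."""
    reasons: List[str] = []
    if basename(event.get("image", "")) != "icacls.exe":
        return reasons
    parent = event.get("parent", "")
    if basename(parent) in BROWSERS:
        reasons.append("icacls.exe spawned directly by a browser process")
    if TEMP_RE.search(parent):
        reasons.append("icacls.exe spawned by a binary running from a temp directory")
    if TEMP_RE.search(event.get("cmdline", "")):
        reasons.append("icacls.exe changing permissions on a file in a temp directory")
    return reasons


def scan(lines: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """Run assess() over raw log lines; returns (host, timestamp, reasons) per hit."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append((event.get("host", "?"), event.get("ts", "?"), reasons))
    return findings


if __name__ == "__main__":
    for host, ts, reasons in scan(SAMPLE_EVENTS):
        print(f"{ts} {host}: " + "; ".join(reasons))
```

Only the two ws17 events are reported: the first because a browser launched icacls.exe against a file in Temp, the second because the dropped temp file itself is the parent. The cmd.exe-initiated call on ws04 is left alone, which is the trade-off to keep in mind: parent-process and path rules are cheap and survive hash rotation, but they need tuning against how administrators actually use icacls in your environment.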
Sjouwerman makes a few recommendations to mitigate this type of attack:
1) Backup, backup, backup, and take a weekly copy of your backup off-site.
2) Keep your attack surface as small as possible and religiously patch the OS and third-party apps as soon as possible. Visit http://www.Secunia.com for additional help.
3) Run a UTM or a good proxy and block centrally rather than machine by machine. If that's not possible, install AdBlocker plugins in each browser.
4) It is increasingly clear that effective security awareness training is a must these days. Once-a-year training for compliance does not cut it anymore. End-users need to be on their toes, with security top of mind.