Targeted Ransomware No Longer a Future Threat

By on Mar 01, 2016

This post was written by Christiaan Beek and Andrew Furtak.

In 2015, McAfee investigated a ransomware campaign that targeted the financial sector of a certain country. This was the first time we had observed ransomware targeting a particular sector. The infection vector in that case involved a phishing campaign directed at multiple financial institutions.

During recent weeks, we have received information about a new campaign of targeted ransomware attacks. This time the attackers compromised an external-facing server and used that access to move around the victim’s network. By separating functions that are usually present in ransomware, the adversaries attempted to avoid detection as much as possible.

The stages of this attack included leveraging access to the external system to gain access to many other systems on the internal network. A series of scripts and tools deleted the volume shadow copies and unlock files that were in use, thereby maximizing the impact and thwarting attempts to restore data. Before the actual encryption started, the ransomware divided the candidate files into categories based on size and encrypted the smallest files first. We assume this was to maximize the number of impacted files, even if the process was shut down before it completed. After the files were encrypted, a ransom note was left on the desktop. The note demanded Bitcoins in exchange for the decryption tool and private key to decrypt each of the files.

A more detailed account of our analysis (combining information from organizations across McAfee) can be found in the technical report Targeted Ransomware No Longer a Future Threat.

This post and the linked technical report are intended to provide a summary of a current threat. If you need assistance, the McAfee Foundstone Services team offers a full range of incident response, strategic, and technical consulting services that can further help to ensure you identify security risks and build effective solutions to remediate security vulnerabilities.

About the Author

Christiaan Beek

Christiaan Beek is the Lead Scientist & Sr. Principal Engineer of the Enterprise Office of the CTO. He is leading the strategic threat intelligence research with a focus on inventing new technology, research techniques and models. Visionary and serving leadership is at the core of his day-to-day job, getting the best out of people and ...

Read more posts from Christiaan Beek

Similar Blogs

Subscribe to McAfee Securing Tomorrow Blogs