KOVTER RANSOMWARE – THE EVOLUTION: From Police Scareware to Click Frauds and then to Ransomware

 
In terms of cyber security research, the Kovter malware family is very interesting. A wide-spread malware found in different parts of the cyber landscape, Kovter underwent extensive changes both in its purpose and in the methods it uses. During 2013, Kovter acted as a police ransomware. In 2014 and 2015, it conducted “click fraud” attacks. Now in 2016, it’s evolved again. However, this final transition appears hasty, revealing Kovter’s ransomware encryption as relatively simple and easy to break – it’s a quick way for hackers to make “extra” money once a system is infected. In all of its variations, Kovter retains its legacy capabilities, including listening to the ...

The Next Battleground – Critical Infrastructure

 
Cyber threats have developed dramatically throughout the years: from simple worms to viruses, and finally to advanced Trojan horses and malware. But the forms of these threats are not the only things that have evolved. Attacks are targeting a wider range of platforms. They have moved from the PC to the mobile world, and are beginning to target IoT-connected devices and cars. The news has been filled recently with attacks on critical infrastructure, causing the blackout in Ukraine and the manipulation of the “Kemuri Water Treatment Company” water flow. This threat can no longer be ignored. Critical infrastructure organizations such as power and water utilities are critical, and ought to be ...

Check Point Threat Alert: Badlock Vulnerability

 
EXECUTIVE SUMMARY
An elevation-of-privilege vulnerability exists in Microsoft Windows and the Samba interoperability suite for Linux & UNIX. Attackers could launch a man-in-the-middle attack and downgrade the authentication level of DCE/RPC channels, allowing them to impersonate authenticated users. Check Point’s latest IPS update protects against this vulnerability with the “Microsoft Windows RPC Authentication Downgrade (MS16-047)” protection.

DESCRIPTION
A vulnerability exists in Microsoft Windows and in the Samba interoperability suite for Linux & UNIX. An attacker could launch a man-in-the-middle (MiTM) attack and downgrade the ...

New Technologies Pose New Threats

 
Technology has changed our lives for the better; there is no doubt about it. However, it has also introduced various risks into them. In fact, this is one of the most interesting things about technology: its effect depends on the people behind it. Sadly, alongside the inspiring figures who move technology and the world forward, there is always a group abusing it for the worst. We at Check Point are constantly studying new technologies (we are tech geeks after all). We do so to identify possible vulnerabilities and potential malicious uses, and to build protections against them. Our mission is to stay one step ahead of malware developers. As part of our research, we have recently encountered ...

Decrypting the Petya Ransomware

 
Petya is a relatively new ransomware variant that first appeared on the cyber-crime scene at the beginning of 2016. While Petya doesn’t have an impressive infection rate like other ransomware such as CryptoWall or TeslaCrypt, it was immediately flagged as the next step in ransomware evolution. Petya’s developers were not content with merely encrypting all the important files found on the victim’s hard drive; they also decided to hold the entire hard drive’s content hostage by encrypting its Master File Table (MFT), rendering the entire file system useless until the ransom is paid. This is what caught the attention of our research group and made us decide to dive deeper into the ...

New Locky Variant Implements Evasion Techniques

 
Following Check Point’s recent discovery of a new communication scheme implemented by the Locky ransomware, our research teams decided to take a closer look at the inner workings of this new variant and map any new features it introduces. When Locky first appeared, we thoroughly analyzed its logic, like many other industry researchers. Our analysis showed that while not very sophisticated, Locky is a very efficient malware with solid functionality and encryption algorithms. Judging by the number of victim reports and detections generated by Locky in the past month alone, it is safe to say our observation was indeed correct. Locky’s major drawback is not in its code, but rather ...

Security Management for Critical Infrastructure Environments

 
The mission of protecting industrial control systems (ICS) is so vital that it cannot be left to just any security solution. Every day we expect water to flow from our faucets, our lights and electricity to work and traffic lights to move traffic along quickly and efficiently. Interruptions in any of these essential systems, even if only for a few hours, wreak havoc in our daily lives. One of the differences with critical infrastructure is that it includes two types of technology that don’t always work together seamlessly – Information Technology and Operational Technology. Because of this, providing security management for both without inhibiting the performance of IT and SCADA ...

Malvertising: When Advertising Becomes Dangerous

 
Over the last several months, the BBC, the New York Times, and other major news and commercial websites became victims of malvertising attacks. What exactly is malvertising? To understand this type of attack, we must go back to the malware basics. One of the most prominent ways malware spreads is by infecting websites and delivering drive-by attacks. When a user visits an infected site, an exploit kit is activated. Once activated, the kit checks to see if the machine is vulnerable to one or more of the exploits it contains. If so, it leverages the vulnerability to install malicious software on the user’s device. Since this is a common threat, most websites harden their systems to ...

Qihoo 360: Just the Tip of the Whitelisted Malware Iceberg

 
The Check Point Mobile Threat Prevention team has long stressed how dangerous it can be to get apps from sources other than the Apple App Store and Google Play. Even with well-known third-party app stores, the problem of security has become more obvious than ever. A great example of this is Qihoo 360, a Chinese company known for its anti-virus software and mobile app store, which unintentionally whitelisted malware as part of a complex cyberattack.

A complex attack straight out of a spy novel

The attack itself was quite extensive:

1. Whitelisting of malicious apps
Cyber criminals bribed employees of a Chinese gaming company into including their malware among the legitimate apps ...

Ransomware: Cybercriminals’ New Attack of Choice

 
In recent years, we’ve seen banker malware as the most prominent threat in the cyber world. However, over the last six months there has been a major change in the cyber threat landscape. Banker malware has been replaced in many cases by the incoming wave of ransomware, which continues to attack users worldwide, severely impacting many organizations. The graphs below show this abrupt transition clearly.

Why the sudden change? Banker malware was profitable for attackers, even though security measures were vastly upgraded. To answer this question we offer the following explanations:

Easily target a broader audience. The first compelling data point is the very ...