Your browser is obsolete!

The page may not load correctly.

Encrypt everything

Закодировать всё

Other issues in this category (24)
  • add to favourites
    Add to Bookmarks

Think globally, act locally

Read: 31841 Comments: 2 Rating: 9

Thursday, July 27, 2017

Caution! When M.E.Doc accounting software is updated, encryption ransomware gets in and encrypts data.

Seemingly everything is quite clear: a site has been compromised and is now hosting malware, or a man-in-the-middle attack has occurred, or a resentful employee has taken revenge on their colleagues. But in reality, it's not that simple. Let's figure out what’s going on here.

Hundreds of systems were compromised, but 96% of them belong to Ukrainian companies.

Malware descriptions often indicate that a program doesn't operate on machines residing in certain countries. And many people assume that happens because the malware writers involved are noble hackers. But that’s not true.

  1. Malware is often used to help criminals convert illegal money into cash. How and where can they find a network of droppers (people who will withdraw their stolen money)?
  2. All transactions involving banks overseas are usually monitored rigorously by the corresponding government agencies engaged in fighting corruption and money laundering.
  3. However, an investigation involving organisations from other countries requires coordination with the law enforcement agencies of the respective states and thus takes much more time than catching criminals on home soil.
  4. By reducing the number of countries in which a malicious program will operate, attackers also reduce the probability it will be detected. If the target list is narrowed down even further to include only specific categories of computers, the risk of detection will decrease even more, and the media is less likely to be interested in incidents involving that malware strain.

In our case, all the machines targeted were used by accountants, which means the Trojan is targeting the corporate segment.


This message is left on the hard drive after data has been encrypted

It is also interesting how the spreading technique used by a certain malware species affects its popularity with the media.

One hundred thirty-five infection incidents were registered as of May 19, and 95% of them involved Ukrainian computers. Meanwhile, according to MalwareHunter, in Russia only 30 incidents involving WannaCry, which managed to attack over 200,000 hosts across the world, were registered. This means that XData's rate of spread was four times higher.

Four times as many infections and no panic attack in the media? Well, there’s a reason for that. WannaCry (Trojan.Encoder.11432) primarily targeted home PCs and machines belonging to large companies and didn't pay much attention to small businesses. Meanwhile, Trojan.Encoder.11526, which we discuss in this issue, focused on different companies, and the result is quite obvious.

As a result, many malicious programs are designed to work with banks located in one country—the country in which droppers will be withdrawing money from cash points. Naturally, in Russia, too, there exist Trojans intended to target, for example, Chinese users, but they are of no use to money collectors since they would only draw unnecessary attention to themselves.

Information about the malware began to emerge on the Web on May 18, 2017, the day after the update for M.E.Doc was released. On that very day, accountants in Ukraine installed the latest update. As a result, the software M.E.Doc was corrupted on machines infected with XData. This coincidence led some people to believe a connection exists between the malware's activity and the application.

"No updates for M.E.Doc were available. Last night the machine was operational, but in the morning it didn't boot up", reported an administrator at a company whose machines were compromised.

Perhaps, great timing made this attack so successful. If an update is released for a popular application, it is then installed on huge numbers of computers, and the activity of another program may go unnoticed. Clever!

But the most important question about the Trojan is: how does it spread? How exactly does it manage to sneak into a system and remain undetected?

A lack of control over events in a local network is one major security problem. As a result, not only does the penetration remain undiscovered, the malicious modules facilitating the intrusion also go undetected.

#encryption #Windows #ransom #extortion #Data_Loss_Prevention #decryption #trojan #encryption_ransomware #anti-virus_updates #security_updates #trojan_Encoder

The Anti-virus Times recommends

  1. Update your anti-virus before updating any other applications.
  2. Users must not be allowed to download executable files.
  3. User permissions need to be restricted. This reduces the risk of data loss. Only certain users should be allowed to launch applications.
  4. If you do not use macros, disable this feature for documents.
  5. If you can't allocate separate computers for accounting and accessing email and the Internet, use different virtual machines to perform these tasks.
  6. A contact validation routine must be available to accounting staff so that no reminders from unknown senders are opened without validation.
  7. Important database files and other information must be backed up onto other machines and media regularly.


Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.