
    New Ransomware Strain Evades Machine Learning Security Software

    IT Discussion
    stus (Vendor)

      Here is the latest tactic in the cat-and-mouse game between cybercrime and security software vendors. The bad guys have come up with a new ransomware phishing attack, tricking users to open what appears to be a document scanned from an internal Konica Minolta C224e. This model is one of the most popular business scanner/printers in the world. The emails are written to make the user think that the communication is from a vendor.

      Basically, Locky is back with a vengeance and a whole new bag of evil tricks.

      The campaign launched Sept. 18 features a sophisticated new wrinkle, enabling it to slip past many of the machine learning algorithm-based software sold by some of the industry’s most popular vendors, said security firm Comodo.

      “The method of phishing is by an attachment of an email; the attachment is disguised as a printer output, and it contains a script inside an archive file,” said Fatih Orhan, vice president of Comodo Threat Research Labs. “These are not enough to make a phishing detection.”

      This is the third recent Locky attack

      The third in an increasingly sophisticated series of ransomware attacks launched this summer is also a “Locky” malware variant, dubbed IKARUS by Comodo; some other security vendors are calling it Diablo6.

      As in previous attacks, the hackers are using a botnet of zombie computers which makes it hard to block in spam filters.

      “Employees today scan original documents at the company scanner/printer and email them to themselves and others as a standard practice, so this malware-laden email looks quite innocent but is anything but harmless,” the report continues.

      The most innovative hook of this new feature involves the way the hackers manage to evade anti-malware software.

      Here is how it evades machine learning

      “Machine learning algorithms need to extract the attachment, open the archive, extract the script and understand it has a malicious intent,” said Orhan, the Comodo research head. “But usually, these scripts contain just a download component and do not have malicious intent on their own.”

      “That’s why even machine learning is not sufficient in making these kind of detections,” he continued. “Complex solutions are needed to run the script dynamically, download actual payload, and perform malware analysis to conclude that it is phishing.”

      In other words, it looks like, once again, the bad guys are ahead of your antivirus, whether that is the traditional or the machine-learning flavor.

      What do you do when all filters have failed?

      Your users still are and will remain your last line of defense, when all filters have failed. You need to create a human firewall. New-school security awareness training is the way to go. Join 13,000 KnowBe4 customers and keep the bad guys out of your network.

      I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will.

      Get a quote now and you will be pleasantly surprised.

      https://info.knowbe4.com/kmsat_get_a_quote_now

      Warm regards, Stu

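The post describes the lure as an archive attachment, named like scanner output, that carries a script whose only job is to download the real payload. The following is an added example, not code from the post or from Comodo or KnowBe4, of the cheap structural check a mail gateway can run before any machine-learning classifier or sandbox sees the message: open the archive, look for script-host file types inside, and note when the outer filename mimics a copier or scanner. The extension lists, the scanner keywords and the sample attachments are all constructed assumptions; the sample members contain placeholder text only. A check like this only flags the delivery wrapper; as Orhan's quote notes, deciding what the downloader would fetch still requires dynamic analysis.

```python
"""Added example: static triage of mail attachments for the
'script inside an archive, named like a scan' pattern.
All lists and samples below are constructed assumptions."""
import io
import zipfile
from dataclasses import dataclass, field

# File types the Windows script host or shell will execute directly (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".ps1", ".cmd", ".bat"}
ARCHIVE_EXTENSIONS = {".zip"}
# Substrings that suggest the attachment is posing as MFP/scanner output (assumed).
SCANNER_HINTS = ("scan", "scanned", "konica", "minolta", "mfp", "copier", "printer")


@dataclass
class Verdict:
    attachment: str
    suspicious: bool
    reasons: list = field(default_factory=list)


def _ext(name: str) -> str:
    """Lower-cased final extension of a file name, ignoring directory parts."""
    base = name.lower().rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""


def _looks_like_scan(name: str) -> bool:
    return any(hint in name.lower() for hint in SCANNER_HINTS)


def inspect_attachment(name: str, data: bytes) -> Verdict:
    """Flag bare scripts, unparseable archives, and archives that hide scripts."""
    verdict = Verdict(attachment=name, suspicious=False)
    ext = _ext(name)
    if ext in SCRIPT_EXTENSIONS:
        verdict.suspicious = True
        verdict.reasons.append(f"bare script attachment ({ext})")
        return verdict
    if ext not in ARCHIVE_EXTENSIONS:
        return verdict  # not an archive type we inspect here
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        verdict.suspicious = True
        verdict.reasons.append("archive does not parse")
        return verdict
    scripts = [m for m in members if _ext(m) in SCRIPT_EXTENSIONS]
    if scripts:
        verdict.suspicious = True
        verdict.reasons.append("archive contains script(s): " + ", ".join(scripts))
        if _looks_like_scan(name):
            verdict.reasons.append("filename mimics scanner output")
        doubles = [m for m in scripts if m.lower().count(".") >= 2]
        if doubles:
            verdict.reasons.append("double extension: " + ", ".join(doubles))
    return verdict


def _zip_with(members: dict) -> bytes:
    """Build an in-memory zip from {member_name: text} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, body in members.items():
            zf.writestr(member, body)
    return buf.getvalue()


# Constructed samples: one mimics the lure shape, one is a benign scan, one is a bare script.
SAMPLES = {
    "Scan_20170918_0001.zip": _zip_with({"Scan_20170918_0001.pdf.js": "// placeholder text\n"}),
    "Scan_20170918_0002.zip": _zip_with({"Scan_20170918_0002.pdf": "%PDF-1.4 placeholder\n"}),
    "invoice.vbs": b"' placeholder text\n",
}


def triage(samples: dict = SAMPLES) -> dict:
    """Run the check over every sample and return {name: Verdict}."""
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, v in triage().items():
        print(f"{name}: {'SUSPICIOUS' if v.suspicious else 'ok'} {v.reasons}")
```

Running the block flags the zip whose member is `Scan_...pdf.js` (script inside, scanner-style name, double extension) and the bare `.vbs`, and passes the zip that only holds a PDF. In a real gateway this verdict would gate quarantine or feed the dynamic analysis the post says is needed, rather than stand alone.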
      marcinozga @stus

        @stus said

        What do you do when all filters have failed?

        What do you do? You don't allow scanning to email, period. Email inboxes are not file stores. Most of these machines allow you to scan to SMB share. Users need to learn to use file shares for storing files, not their email clients.

        scottalanmiller @marcinozga

          @marcinozga said in New Ransomware Strain Evades Machine Learning Security Software:

          @stus said

          What do you do when all filters have failed?

          What do you do? You don't allow scanning to email, period. Email inboxes are not file stores. Most of these machines allow you to scan to SMB share. Users need to learn to use file shares for storing files, not their email clients.

          Or don't use paper, period.

          wrx7m @scottalanmiller

            @scottalanmiller said in New Ransomware Strain Evades Machine Learning Security Software:

            @marcinozga said in New Ransomware Strain Evades Machine Learning Security Software:

            @stus said

            What do you do when all filters have failed?

            What do you do? You don't allow scanning to email, period. Email inboxes are not file stores. Most of these machines allow you to scan to SMB share. Users need to learn to use file shares for storing files, not their email clients.

            Or don't use paper, period.

            That has been my quest since I got here... still fighting the good fight. 😐

            wrx7m @marcinozga

              @marcinozga said in New Ransomware Strain Evades Machine Learning Security Software:

              @stus said

              What do you do when all filters have failed?

              What do you do? You don't allow scanning to email, period. Email inboxes are not file stores. Most of these machines allow you to scan to SMB share. Users need to learn to use file shares for storing files, not their email clients.

              I have only set up scanning to SMB shares, so I am hoping that I don't have to deal with this. But users always surprise you in new and horrible ways.
