A theoretical improvement to ransomware

Last night another ransomware called WCrypt hit the internet and made a big splash. It uses an old Windows bug that was patched two months ago to spread in local networks. There's nothing special or interesting about it so far. What is interesting though is that it had a built-in kill switch. Correction: The "kill switch" was likely a sandbox detection mechanism. See this blog post by the guy who discovered it. A security researcher accidentally activated the kill switch by registering a domain he found in the code of the malware. I have never heard of such a kill switch before, and it gave me an idea.

I wonder why this kill switch was there in the first place, but I'll let others speculate on that point. What I am interested in is the mechanism itself.

The Double-Ransi

Here is what I call the "Double-Ransi". What if ransomware similar to WCrypt had a "life switch"? What if it would spread, using whatever means, only if it could reach a certain domain? You might say: "Well, that's stupid, you could just disconnect from the internet". You are right, but humor me for a second and let's think this through.

Let's assume that our victim opens an email attachment and infects his machine. The malware could then check whether a certain domain is reachable. Let's say, for example, that the domain is facebook.com. If facebook is reachable, it would do its thing: encrypt files and spread further. Otherwise it could just sit there and do nothing, maybe checking again after a while.

Now you might say that this changes little, that this is only another kill switch that's even easier to trigger. You are right, and that's the point. The malware could clearly say: "Dear user, your files have been encrypted because facebook.com is online. Please ask facebook.com to terminate their services to prevent further infections." The idea here is to use the ransomware to create public pressure to shut down a particular domain. If the public pressure were great enough for facebook to shut down, even temporarily, it would cause them a lot of damage. That, however, is very unlikely to happen. Alternatively, network administrators, AV software and ISPs could block access to the affected domain; the result would be similar. The next obvious step is to ransom the affected company: they could pay to disable the ransomware. Et voilà, a Double-Ransi, ransoming both the infected users and the company whose domain serves as the "life switch".

This scheme is probably not perfect, and there may be ways around it, but I would be surprised if we didn't see something like this sooner or later. Tell me if you find a fatal flaw in this scheme.

Cloud Ransomware

This is rather obvious, but I wonder when we will see proper cloud ransomware. By that I do not mean regular ransomware that gets shared through a company Dropbox. That would be nothing new; network shares have always been used to spread viruses. By cloud ransomware I mean ransomware that actually targets the cloud provider and encrypts entire servers, or in some other way holds the entire infrastructure of a cloud provider for ransom. You might say that cloud providers invest heavily in security, but there is no technical reason that makes this impossible. There is, however, a big incentive to do it, simply because the potential damage, and thus the potential ransom, is huge. How to technically achieve this is hard to say in general. My bet would be that either the control infrastructure or the virtualization layer would be the target. The users wouldn't even need to notice. For the cloud provider it would be beneficial if the users were left in the dark, so they might be more likely to pay the ransom. Maybe this has happened already.

2017-05-13