- Jun 9, 2013
- 6,720
A newly uncovered strain of malware called cuteRansomware uses a Google Doc to host the decryption key and its command-and-control functionality.
The Netskope research team detected the maliciousness when it noticed that a user with a GitHub account “aaaddress1” had published source code for a ransomware module based on C# called “my-Little-Ransomware.” It turned out that a security researcher at AVG had also spotted a malicious modified Chinese version of my-Little-Ransomware and dubbed it “cuteRansomware” because of the mutex name used by the original author.
Although it seems to be a basic ransomware created by modifying the my-Little-Ransomware source code, the use of cloud services like Google Docs may signal attackers' intention to use cloud services in the future; in fact, they will abuse cloud services not only for storing keys but also for their command-and-control (C&C) communications.
“As we know, Google Docs uses HTTPS by default and the network data transmission over SSL can easily bypass traditional security solutions such as a firewall, intrusion prevention system, or next generation firewall,” Netskope said in an analysis. “We believe this is critical. As malicious actors make increasing use of the cloud for both delivering malware and exfiltrating data via command-and-control, traditional detection tools’ lack of visibility into SSL becomes a huge benefit to them. Additionally, the inability of traditional tools to look into SSL traffic of unsanctioned apps becomes important.”
Moreover, the use of a popular cloud app like Google Docs presents another challenge. For organizations using Google Docs as a productivity tool, it’s virtually impossible to block it outright.
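The two points above (Google Docs traffic rides inside HTTPS, and the app is too useful to block outright) push defenders toward spotting unusual use of the service rather than blocking it. The following is an added example, not Netskope's tooling or anything from the article: it reads constructed proxy log lines (the format, the field names, the IPs and the user agents are all invented for this illustration) and flags clients that talk to docs.google.com without any browser-like user agent, which is the sort of signal a TLS-inspecting proxy could expose. It assumes the proxy can see the server name and the user agent, which in turn assumes SSL/TLS inspection of the sanctioned app's traffic.

```python
"""Flag non-browser connections to docs.google.com in proxy logs.

Added illustration for this post; the log format below is constructed and
does not correspond to any real proxy product or to the Netskope analysis.
"""
import re

# Hosts whose use we want visibility into rather than a blanket block.
WATCHED_HOSTS = {"docs.google.com"}

# Substrings that mark an ordinary browser user agent (hypothetical, coarse list).
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/", "Edge/")

# Constructed log format: <timestamp> <client ip> <sni host> <bytes out> "<user agent>"
LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"([^"]*)"$')

# Constructed sample: one browser user, one client with no user agent at all,
# and one unrelated Google host that should be ignored.
SAMPLE_LOG = """\
2016-07-12T09:01:05Z 10.1.2.15 docs.google.com 2310 "Mozilla/5.0 (Windows NT 6.1) Chrome/51.0"
2016-07-12T09:01:09Z 10.1.2.15 docs.google.com 1844 "Mozilla/5.0 (Windows NT 6.1) Chrome/51.0"
2016-07-12T09:02:40Z 10.1.2.77 docs.google.com 512 "-"
2016-07-12T09:02:41Z 10.1.2.77 docs.google.com 498 "-"
2016-07-12T09:02:42Z 10.1.2.77 docs.google.com 530 "-"
2016-07-12T09:03:10Z 10.1.2.30 mail.google.com 901 "Mozilla/5.0 (Macintosh) Safari/601"
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, host, nbytes, ua = m.groups()
    return {"ts": ts, "client": client, "host": host, "bytes": int(nbytes), "ua": ua}


def is_browser_agent(ua):
    """True when the user agent carries any of the usual browser markers."""
    return any(marker in ua for marker in BROWSER_MARKERS)


def find_suspicious(log_text, min_hits=2):
    """Return {client_ip: count} for clients with at least min_hits
    non-browser connections to a watched host."""
    counts = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["host"] not in WATCHED_HOSTS:
            continue
        if is_browser_agent(rec["ua"]):
            continue  # ordinary productivity use; leave it alone
        counts[rec["client"]] = counts.get(rec["client"], 0) + 1
    return {client: n for client, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for client, n in find_suspicious(SAMPLE_LOG).items():
        print(f"{client}: {n} non-browser connections to watched hosts")
```

The check is deliberately narrow: it never blocks docs.google.com, it only surfaces clients whose use of the app does not look like a person in a browser, so that the alert can be correlated with endpoint data. Without TLS inspection the proxy sees at most the server name, not the user agent, which is exactly the visibility gap the Netskope analysis describes.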
Full article: cuteRansomware Signals a Malicious Move to the Cloud