Malware News Sage: Innovative Ransomware with Style

[silversurfer]

A revised version of the Sage ransomware has hit the scene, earning style points with a bright user interface and interactive ransom note.

“In stark contrast to the drab payment sites used by many ransomware varieties, Sage presents users with a colorful, accessible and descriptive site,” said PhishMe researchers, in a blog. “The site explains the victim’s situation and provides instructions to regain access to their encrypted data.”

One interesting similarity between this edition and older ransomware is the reuse of a technique distinctive to the Cerber encryption ransomware: A Microsoft HTML application is presented to the victim as an interactive means of navigating to the payment site.

“This was an innovation used by Cerber encryption ransomware to create a more polished look and feel for their ransom notes by providing both dynamic generation of multiple pathways to accessing the ransom payment site as well as allowing for international accessibility with a multi-lingual ransom note,” the researchers said.

They added that the new Sage is designed to make paying the Bitcoin ransom easier by presenting the victims with a QR code that contains the Bitcoin wallet address used to collect the ransom. In addition, Sage v.2.2 incorporates a simplistic analysis evasion tactic by detecting the presence of commonly used malware research tools.

Interestingly, Sage asks for a $499 ransom—in sharp contrast to the leading Locky ransomware, which asks for about $1600.

“The overarching ransomware trend is clearly one that will not subside anytime soon,” PhishMe researchers said. “The criminal business model for ransomware has proven itself viable and profitable in both high-profile crises as well as in everyday attacks. The newest iteration of development upon the Sage ransomware demonstrates another example of the viability and willingness for malware writers to produce new and innovative ransomware tools.”

 

[Transhumana]

"Yeah, I got hit by ransomware as well, but at least my infection is stylish and posh, unlike yours which is sooo plain and pedestrian".

 

[Deleted member 65228]

Thanks for sharing @silversurfer You always share really interesting security news on latest malware attacks haha

"Yeah, I got hit by ransomware as well, but at least my infection is stylish and posh, unlike yours which is sooo plain and pedestrian".

"Sure I had to pay more for my files which encourages the malware authors as they make money but still the point is I am special because my infection was posh. Wow the UI was so nice"

 

[Transhumana]

Thanks for sharing @silversurfer You always share really interesting security news on latest malware attacks haha


"Sure I had to pay more for my files which encourages the malware authors as they make money but still the point is I am special because my infection was posh. Wow the UI was so nice"

"You can tell that those authors are really classy people with such sophisticated taste."

 

[Deletedmessiah]

So now we get to see "Improved User experience" in ransomware as well?

 

[mlnevese]

Soon we'll see ransonware with better UIs than some of the security softs out there...

 

[Deleted member 65228]

So now we get to see "Improved User experience" in ransomware as well?

These malware authors are really messed up. Psychological issues...

I've read articles where malware authors have been quoted in the past through interviews and what-not from security blogs, and seen some of them talk about how they do what they do to survive and what-not but do not enjoy harming people either and so on.

No one has to develop ransomware and use it to survive, there is a thing called a job centre which can help you get a job... And if you have the skill to develop decent, complicated ransomware (not just the script kiddie stuff using copy pasted code without a real understanding, but even threats like BadRabbit shows there is some real understanding) then you have a good chance of using your skill-set for a genuine high-paying job to help fight cyber-crime instead.

Fancy UIs will not appeal people to like them IMO. It is illegal, it disrupts peoples work and causes a lot of damage. A lot of the time, normal users hit with ransomware might not even have money to spend on getting a decryption key (also with no guarantee they will even get one back and paying the ransom just encourages malware authors more and is the reason why ransomware is still a thing).

If people put their foot down and just do not pay any ransom at all, it will discourage them more. But then we will go back to the days where it is all about destruction and not money, which is where the more dangerous samples come into play more (bootkits and virus infections would become more prevalent, rootkits with no real "purpose" of protecting actual threats will just be there to mess things up, etc.).

It is a cold world we live in, but I think we are all doing well because security is getting better and we are all learning more to stay adapted on how to protect ourselves against the latest techniques used by cyber-criminals. There needs to be more education in companies and school on staying safe online IMO.

At my college they teach people that "viruses" are the main threat, not "malware" in general. No talk of ransomware, rootkits, worms, banking malware, etc... Just viruses, even though they are not even prevalent anymore. This for example needs to change. Education needs to be bigger on cyber-crime in the world we live in today and tactics/tips on how to protect yourself in general (not just to prevent being infected, but to help prevent successful social engineering on you as an individual/data theft).

 

[Deleted member 65228]

rootkits with no real "purpose" of protecting actual threats will just be there to mess things up

Rootkits have a purpose to have good privilege (control) on the system and conceal/protect, but by "no purpose" I mean destruction and not money. Sorry, just wanted to correct myself

We can keep focusing on security and education but the bad guys will keep continuing to develop more and more... And they get better and better. There needs to be more guidelines influenced onto people about NOT paying ransoms and keeping backups to recover from ransomware infections (so they don't even need to pay if they would have insisted on doing so)

 

[Deleted member 65228]

Soon we'll see ransonware with better UIs than some of the security softs out there...

Rogue AVs... They will come back and become more prevalent again for sure. Bootkits weren't prevalent for awhile and then we got hit with Petya, NotPetya and now BadRabbit. Worms were dying down a bit (maybe?) and then WannaCry came around the corner with the spread functionality it did with stolen technology from a damn government agency.

You know in Batman: Dark Night Rises, there is the saying, 'There's a storm coming, Mr. Wayne. You and your friends better batten down the hatches'... Malware Authors aren't going to stop, so we need to ensure we keep becoming educated and help others who aren't become educated so when an infection like ransomware occurs, its backup time and no need to think twice about payment.

We can install whatever security software we want, or lock down our systems. But if we have bad practice and don't use ourselves to stay protected, then we will become infected. E.g. download malware thinking it is an update for Adobe Flash, white-list it after the execution is blocked, now run it and we are infected = we could have had security from 2050 installed but because of our own bad mistake of allowing the blocked object and running, we got infected anyway

Not sure if you heard about the verdict from the research on the stolen intelligence from government and Kaspersky. Turns out the contractor who had the sensitive files was using a keygen to help him pirate software which was embedded with malicious code for backdoor functionality, and disabled the security for X amount of time so it could be used. LOL

 

[mlnevese]

Rogue AVs... They will come back and become more prevalent again for sure. Bootkits weren't prevalent for awhile and then we got hit with Petya, NotPetya and now BadRabbit. Worms were dying down a bit (maybe?) and then WannaCry came around the corner with the spread functionality it did with stolen technology from a damn government agency.

You know in Batman: Dark Night Rises, there is the saying, 'There's a storm coming, Mr. Wayne. You and your friends better batten down the hatches'... Malware Authors aren't going to stop, so we need to ensure we keep becoming educated and help others who aren't become educated so when an infection like ransomware occurs, its backup time and no need to think twice about payment.

We can install whatever security software we want, or lock down our systems. But if we have bad practice and don't use ourselves to stay protected, then we will become infected. E.g. download malware thinking it is an update for Adobe Flash, white-list it after the execution is blocked, now run it and we are infected = we could have had security from 2050 installed but because of our own bad mistake of allowing the blocked object and running, we got infected anyway

Not sure if you heard about the verdict from the research on the stolen intelligence from government and Kaspersky. Turns out the contractor who had the sensitive files was using a keygen to help him pirate software which was embedded with malicious code for backdoor functionality, and disabled the security for X amount of time so it could be used. LOL

Yep. Kaspersky just did what it was supposed to do when detecting malware Anyway anyone who takes classified work home should be arrested...