Financial threats

Many mobile bankers can block a device in order to extort money from its user. But we have discovered a modification of Trojan-Banker.AndroidOS.Faketoken that went even further – it can encrypt user data.

2016 was a tense and turbulent year in cyberspace – from the massive IoT botnets and ransomware to targeted cyberespionage attacks, financial theft, ‘hacktivism’ and more. Kaspersky Lab’s Review of the Year and Statistics provide a detailed review – you can read the Executive Summary here.

Between January and September 2016 ransomware attacks on business increased three-fold – to the equivalent of an attack every 40 seconds. With the ransomware-as-a-service economy booming, and the launch of the NoMoreRansom project, Kaspersky Lab has named ransomware its key topic for 2016.

Yet another year has flown past and, as far as notable infosec happenings are concerned, this is one for the history books. Drama, intrigue and exploits have plagued 2016 and, as we take stock of some of the more noteworthy stories, we once again cast our gaze forward to glean the shapes of the 2017 threat landscape.

Our research shows that, over the last few years, the holiday period which starts on so-called Black Friday was marked by an increase in phishing and other types of attacks, which suggests that the pattern will be repeated this year.

The most popular mobile Trojan in the third quarter of 2016 was Trojan-Banker.AndroidOS.Svpeng.q. During the quarter, the number of users attacked by it grew almost eightfold.

Trojan-Ransom.AndroidOS.Fusob.h remained the most popular mobile Trojan-Ransomware in the third quarter, accounting for nearly 53% of users attacked by mobile ransomware.

In September 2016, we discovered a new version of Gootkit with a characteristic and instantly recognizable feature: an extra check of the environment variable ‘crackme’ in the downloader’s body. Just as interesting was the fact that we were able to gain access to the bot’s C&C server, including its complete hierarchal tree of folders and files and their contents.

Unlike the previously reported and now decrypted Xpan ransomware, this same-but-different threat from Brazil has recently been spotted in the wild. This time the infection vector is a more massively propagated malicious campaign relying on traditional spam email.

A Tweet posted recently by AVG researcher, Jakub Kroustek, suggested that a new ransomware, written entirely in Python, had been found in the wild, joining the emerging trend for Pysomwares such as the latest HolyCrypt, Fs0ciety Locker and others.

In this article, we discuss how it is possible to take advantage of errors made in the implementation of a cryptographic scheme, and how mistakes by malware writers allow us to help users restore their encrypted data.

We discovered a new variant of a Brazilian-made ransomware, that is being used to infect local companies and hospitals, directly affecting innocent people, encrypting their files and asking to pay the ransom.

The report comprises two papers in which we analyze all existing methods of authentication used in ATMs and those expected to be used in the near future, including: contactless authentication through NFC, one-time password authentication and biometric authentication systems, as well as potential vectors of attacks using malware, through to network attacks and attacks on hardware components.

After a successful infection, RAA executes its main task, i.e. encrypts the user’s files. However, it doesn’t stop there: some versions of RAA also include a Pony Trojan file, which steals confidential information from the infected computer.

In June, 2016, the Russian police arrested the alleged members of the criminal group known as Lurk. The police suspected Lurk of stealing nearly three billion rubles. The story of Lurk gives some idea of the amount of work that has to be done to obtain enough evidence to arrest and prosecute suspects.