What is a ransomware attack?
Ransomware is a particularly nasty form of malware that encrypts a user's data and then holds it for ransom. It blocks access to your files, or threatens to lock you out of your devices, until you pay for the key needed to decrypt and unlock them.
This can be very profitable for online criminals, and there is no guarantee that victims who pay the ransom will get full access to their data again. Worse, if payment is demanded by credit card, for example, the criminals then hold your card details as well, enabling further theft and fraud.
The rising threat of mobile ransomware
Last year, mobile ransomware infections increased by 33%, and it's getting worse. McAfee reports that ransomware overall was already up 118% in the first quarter of 2019. Most alarming was the rapid increase in ransomware infections on mobile devices, up by a third compared to the previous year. The U.S. was the worst affected by mobile ransomware, accounting for 63 percent of infections.
Ransomware that targets Android devices is becoming far more sophisticated, especially compared to older ransomware families such as DoubleLocker.
At Allot laboratories, we discovered Android/Filecoder.C, a ransomware variant that uses both symmetric and asymmetric encryption. It's particularly nasty because it spreads itself via SMS to everyone in each victim's contact list.
Before encrypting the victim's files, Android/Filecoder.C sends an SMS message to every person in the victim's contact list. The text of each message tries to trick the recipient into tapping a malicious link that downloads and installs the malware, creating new victims in a viral fashion.
According to some sources, this malware targets the same list of file extensions used by the WannaCry ransomware. Known servers used by this malware are:
(The URLs have been altered in order to avoid mis-clicking on them.)
Just when you thought it couldn’t get worse…
A new type of "ransomware" has appeared, called GermanWiper. Although initially focused on Germany, it has since been detected in other countries.
This "ransomware" differs from the others. Regular ransomware encrypts files and threatens to delete them if the ransom is not paid; GermanWiper instead destroys the contents of the files, overwriting them rather than encrypting them, and then demands payment anyway, pretending to offer a decryption key in exchange. This is especially devious because the victim's data is already "gone for good" by the time the ransom note appears: no key exists that could restore it.
But, actually, there's nothing good about it. With almost twenty thousand detections every single day, ransomware is on the rise and shows no sign of slowing down.
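The practical consequence of that distinction is that a victim, or an incident responder, can often tell before paying whether any key could even help. Files a real ransomware has encrypted look like random bytes (close to 8 bits of entropy per byte), while files a wiper has overwritten with zeros have almost none. The Python script below is an added example written for this page, not code from Allot or from any published analysis of GermanWiper; the sample document, the key and the entropy thresholds are constructed assumptions, and the SHA-256 counter-mode XOR is only an illustrative stand-in for the symmetric cipher a real ransomware family would use.

```python
import hashlib
import math
from collections import Counter

# Constructed sample document (not a real victim file).
PLAINTEXT = b"Quarterly report: revenue up 12%, costs flat.\n" * 40
# Assumption: stand-in for the attacker's per-victim symmetric key.
KEY = b"example-key-not-secret"


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream.

    Illustrative stand-in for the symmetric file encryption a ransomware
    performs. It is symmetric, so calling it again with the same key
    decrypts. Not a production cipher: no nonce, no authentication.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, stream))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(data: bytes) -> str:
    """Rough triage of a file after a "ransomware" event.

    Thresholds are assumptions chosen for this example, not published
    indicators:
      - above 7.5 bits/byte -> plausibly encrypted (a key could restore it)
      - below 1.0 bits/byte -> overwritten/wiped (no key can restore it)
      - otherwise           -> looks like ordinary document data
    """
    h = shannon_entropy(data)
    if h > 7.5:
        return "encrypted"
    if h < 1.0:
        return "wiped"
    return "plaintext"


def triage(files: dict) -> dict:
    """Map each file name to its verdict so a responder sees the whole set."""
    return {name: classify(content) for name, content in files.items()}


# Two outcomes of the same document: encrypted by a ransomware (recoverable
# with KEY) and zero-filled by a wiper (unrecoverable, whatever is paid).
ENCRYPTED = keystream_xor(PLAINTEXT, KEY)
WIPED = b"\x00" * len(PLAINTEXT)

if __name__ == "__main__":
    samples = {
        "report.docx": PLAINTEXT,
        "report.docx.locked": ENCRYPTED,
        "report.docx.wiped": WIPED,
    }
    for name, verdict in triage(samples).items():
        print(f"{name:22} {shannon_entropy(samples[name]):.2f} bits/byte  {verdict}")
    # Only the encrypted copy round-trips; the wiped copy is gone for good.
    assert keystream_xor(ENCRYPTED, KEY) == PLAINTEXT
    assert keystream_xor(WIPED, KEY) != PLAINTEXT
```

On a real case, read the files from disk instead of the constructed samples, and sample several files rather than one: some families compress before encrypting or leave plaintext headers in place, which pushes entropy down without making the data recoverable, so the "plaintext" verdict means "inspect further", not "safe".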