Extortionists are busier than ever. This past week saw more reports on ransomware that corrupts files even if you pay the ransom, and DDoS attacks so powerful that usual defenses may be inadequate.
Brian Krebs reports:
One of the more common and destructive computer crimes to emerge over the past few years involves ransomware — malicious code that quietly scrambles all of the infected user’s documents and files with very strong encryption. A ransom, to be paid in Bitcoin, is demanded in exchange for a key to unlock the files. Well, now it appears fraudsters are developing ransomware that does the same but for Web sites — essentially holding the site’s files, pages and images for ransom.
Read more on KrebsOnSecurity.com, where Brian also includes some info on backing up your system. One of the things he reports – and I’ve seen this elsewhere as well – is that with the new ransomware, even when you are eventually able to decrypt your files (assuming you pay the ransom), some of the files seem to be left corrupted by the ransomware’s decryption. TheHackerNews also has more on the Linux ransomware Brian discusses.
Besides the ransomware threat this week, I am also seeing more about companies paying extortion demands to avoid massive DDoS attacks that are taking down web sites. A few days after ProtonMail announced that it had paid the extortion demands at the urging of its web host and other companies affected by the massive attack, a tweet from @CocaineSecurity suggested that Swedbank had paid an extortion demand to stop a DDoS attack. In a tweet on November 7, @CocaineSecurity wrote:
Thanks for the bitcoins! @Swedbank Nobody will now touch your website.
— CocaineSecurity (@CocaineSecurity) November 7, 2015
As of the time of this posting, there’s been no statement from Swedbank either confirming or denying the claim that they paid the extortion demand.
Update: Swedbank just responded to my tweeted inquiry about this by replying that they have not paid any ransom demand and have reported the individual to the police:
@PogoWasRight We haven’t paid anyone. We have reported the person behind this to the police. — Swedbank Sverige (@Swedbank) November 9, 2015
@CocaineSecurity quickly responded with its own tweet:
@PogoWasRight @Swedbank Wanna go down again? We do bite — CocaineSecurity (@CocaineSecurity) November 9, 2015
Update2: Not all are DDoS attacks, it seems.
Update3: Paying ransom didn’t work. See ProtonMail DDoS wipeout: Day 6. Yes, we’re still under attack
Update4: Hushmail is also under DDoS attack. Runbox was hit over the weekend, but reports they are now functioning normally. VFEMail was also attacked.
I get the feeling that there will be more than this one update, laff. 😉
Is this the same group responsible for all the email hosts/providers going up and down like yo-yos?
I share your guess that there will be more updates. Not sure whether it’s the same group that hit ProtonMail. Can’t believe everything I read. 🙂
A provider called Zoho is also hit. Never heard of them before, but they claim to have 15M users. See https://twitter.com/zoho
Makes me wonder if there is one main provider that resells their services (re-branded reselling) and if all these providers are interrelated?
Zoho states they are “facing a criminal cyber-attack”.
https://blogs.zoho.com/service-updates
They all seem to have started around the same time, which leads me to question if they are rebranded from one main company type thing…
Thanks for sharing the info. Since some of those being hit are Swedish sites/businesses uninvolved in email, it seems likely that there really are two different groups of attackers.
Likely. So just coincidence then.
Secure email providers are having a bad week.