Emails containing malicious links are spreading under the pretense that they offer access to updated versions of Google's Chrome browser. But instead of a new browser, victims are being directed to copies of a Ransomware variant known as Critroni (CTB-Locker).
However, while many see Ransomware as a serious risk, one threat intelligence and behavioral analytics firm disagrees – reminding business leaders that there are other, more important things to be concerned about.
Researchers at Malwarebytes reported on the Ransomware campaign Monday. The emails warn the victim that their version of Google Chrome is out of date. Instead of carrying an attachment, the email asks the victim to follow an embedded link to download a newer version of the browser.
Once the link is followed, the victim is redirected through a number of previously compromised websites to a landing page that installs Critroni, a Ransomware variant also known as CTB-Locker.
Ransomware encrypts the victim's files on the infected system and keeps them that way unless the ransom is paid. In the latest wave, the CTB-Locker ransom is 2 BTC (Bitcoins), or about $500.00 USD.
CTB-Locker started to gain traction in 2014. As with other Ransomware attacks, small businesses are often the hardest hit, due to poor security practices and large numbers of interconnected systems and file shares.
During its heyday, CryptoLocker targeted individuals and businesses, earning those responsible for the scams millions of dollars in ransom fees.
"The problem with ransomware is that while the active Trojans can be removed, it is much more difficult and sometimes impossible to recover the encrypted files," commented Malwarebytes' Jerome Segura.
Be that as it may, at least one expert doesn't see Ransomware as a major threat; and he used the latest developments for CTB-Locker as an example to make his point.
"Ransomware is just one vector of attack targeting our accounts and user communities, and quite honestly somewhat low on the threat list. While it’s annoying to have a single machine’s data lost, it only hints at the actions malicious actors can take once they’re on our system, and only touches on one vector, email," said David Swift, chief architect for threat intelligence and behavioral analytics firm Securonix, in a statement to Salted Hash.
"The number of client side attacks on browsers, anti-virus, Adobe, Java, and the common well-known client applications is endless and relentless, and the fact that once the host is compromised, the data can be harvested and used in any number of nefarious ways is even more alarming."
Still, while initially dismissing Ransomware, Swift noted that the CTB-Locker campaign should teach security watchers and business leaders two lessons: first, that user education is mandatory for everyone (he went so far as to suggest that it become part of elementary school education); and second, that users will do risky things and accounts will be compromised.
"We must find new ways to monitor our accounts for signs of compromise and misuse to protect ourselves and our networks from users that fall victim to the countless variants that target them every day," Swift added.
Swift has a point, but monitoring only goes so far.
In truth, most intelligence platforms would do little to prevent a Ransomware attack, unless it was staged from previously established locations and used previously known binaries. While some spam attacks might be blocked by an intelligence feed, assuming that will always be the case is dangerous.
User awareness is the better bet when dealing with spam and the scams that come with it, such as CTB-Locker. After that, other mitigation and prevention measures can help too, such as controlled backups and recovery processes. Keeping with that line of thought, BleepingComputer has a comprehensive guide on CTB-Locker, including recovery steps, which is a highly recommended read.
The best defense against CTB-Locker and its variants is creating awareness within the organization and at home, as well as maintaining (and testing) backups that are rotated regularly, because nothing will stop a determined user from clicking a link or installing something once they've set their mind to it.