Learn about Zero Trust Architecture
Impenetrable cybersecurity without sacrificing usability
Gain detailed visibility into all your endpoints activities
Harden applications and hardware environments
Immediate and continuous response to incidents
Close the window of time your data could be exposed
Get your Comodo solutions setup, deployed or optimized
Control access to malicious websites
Defend from any internet based threats
Stop email threats before it enters your inbox
Preserve and protect your sensitive data
Keep your website running fast and malware free
Add encryption to your websites
Automated certificate mgmt. platform
Secure private intranet environments
Digital signature solutions for cloud apps
Encrypt emails for senders and recipients
Stay compliant with PCI DSS
Trusted authentication for IoT devices
Francisco Partners a leading technology-focused private equity fund, has acquired a majority stake in Comodo’s certificate authority business. Newly renamed from Comodo CA Limited to Sectigo Limited. Privacy Policies, Trademarks, Patents and Terms & Conditions are available on Sectigo Limited’s web site.
Meet the people behind the direction for Comodo
Get the latest news about Comodo
People are the key to achievement and prosperity
Stay up to date with our on-demand webinars
Worldwide: Sales, Support and General Inquiries
Schedule a live demonstration of our solutions
Need immediate help? Call 1-888-551-1531
Instantly removes viruses to keep your PC virus free
Experience true mobile security on your mobile apple devices
Secure Internet Browser based on Chrome
Chrome browser internet security extension
Submit a ticket to our support team
Share any product bugs or security flaws
Collaborate with research experts on data sets
Valkyrie Threat Intelligence Plugins
Valkyrie Threat Intelligence APIs
New Ransomware, Botnet Threat: IKARUSdilapidated Attack is August ’17 Locky Rebirth
A Special Update from the Comodo Threat Intelligence Lab
A new August 2018 ransomware campaign began on August 9th and is attacking unsuspecting users around the world. First detected by the Comodo Threat Intelligence Lab, this is a large-scale, email-based ransomware attack in which a new Trojan malware variant appears as an unknown file and can slip into unsuspecting and unprepared organizations’ infrastructures.
Within just the first few days of the coordinated locky ransomware attack, tens of thousands of users were being targeted by a simple-looking email with an attachment and little to no content in the email body. The attachment is an archive file, with the name “E 2017-08-09 (580).vbs,” (for each email, “580” is an ever-changing number and “vbs” is an ever-changing extension).
The attached file names are similar, but the extension is a .doc, zip, pdf, or image file (a .jpg ,or tiff). The attachment actually downloads “IKARUSdilapidated,” the newest member of the “Locky” ransomware family. Named for the appearances of “IKARUSdilapidated” in the code string, it is clearly related to the “Ransom Locky” Trojan and shares some of its characteristics.
Social engineering is used to get the user to click and when the user does as instructed, the macros then save and run a binary file that downloads the actual encryption Trojan, which will encrypt all files that match particular extensions, including the common ones on most machines. After encryption, a message displayed on the user’s desktop instructs them to download the Tor browser, which is popular because it allows for anonymous browsing, and to then visit a specific criminally-operated web site for further information.
The web site contains instructions that demand a ransom payment of between 0.5 and 1 bitcoin (currently, one bitcoin varies in value between 500-1000 Euros) to release the now-encrypted files to (hopefully) decrypt their files.
Phishing and Trojan experts from the Comodo Threat Intelligence Lab (part of Comodo Threat Research Labs) detected these new “Locky” ransomware attacks and verified that they began on August 9th with more than 62,000 instances of phishing emails having been detected at Comodo-protected endpoints within just the first three days. The attachments were read as “unknown files,” put into containment, and denied entry until they were analyzed by Comodo’s technology and, in this case, the lab’s human experts.
The Threat Intelligence Lab’s analysis of the thousands of emails sent in the phishing campaign revealed this attack data: 11,625 different IP addresses in 133 different countries are being used to perform this campaign. The countries housing the most attack servers are Vietnam, India, Mexico, Turkey, and Indonesia.
The team checking the IP range owners saw that most are telecom companies and ISPs. This indicates that the IP addresses belong to infected, now compromised computers (also called “zombie computers”). This quantity of servers can only be used for a specific task if they are formed into a large bot network, or botnet, and have a sophisticated command and control server architecture. This means the description of the elements of this August 2017 malware attack now includes the term “botnet,” in addition to ransomware, Trojan, and phishing attack.
It also shows the increasing sophistication, organization, and size of new ransomware attacks and adds more credence to the call to act from security experts everywhere to “adopt a default deny security posture” and deny entry into your IT infrastructure to new, “unknown” files.
Fatih Orhan, head of the Comodo Threat Intelligence Lab and Comodo Threat Research Labs (CTRL), said, “This latest ransomware phishing attack that commenced on August 9th was unique in its combination of sophistication and size, with botnet and over 11 thousand IP addresses from 133 countries involved in just the first stage of the attack. When artificial intelligence couldn’t identify these unknown files, the full resources of the lab were needed to perform locky ransomware analysis to identify the code in the file and render a verdict; in this case the verdict was “bad” and we’ve now added it to our blacklist and malware signature list.“
Orhan went on to state, “Using ‘default deny’ security with containment of unknown files is what protected our users from this new ocky ransomware threat. Even ‘default allow’ plus the latest machine learning algorithms and A.I. would not have been sufficient to prevent infection.”
He added that botnets, like the one created in this attack, were particularly powerful weapons for criminals to use to scale their ransomware attacks and that by building on previous cyberattack Trojans like 2016’s “Locky,” it is getting easier to develop higher end ransomware that will not be recognized as “bad” by leading endpoint protection platforms.
Technical Analysis – A Deeper Dive
If you’d like to know more about this threat and dive deeper in the code and how the attack was deployed, read the new “Comodo Threat Intelligence Lab SPECIAL REPORT: AUGUST 2017 – IKARUSdilapidated.“ This special report and its appendix include:
This Special Report and the prior quarters’ Comodo Threat Research Labs Threat Report can be found in the Reports area at https://www.comodo.com/resources/
Reading Time: 4 minutes Overview One of thefirst times the public witnessedfirsthandand realized the power of ransomware was when WannaCry broke out in 2017. The government, education, hospitals, energy, communications, manufacturing and many other key information infrastructure sectors suffered unprecedented losses.Looking back, thatwas just the beginning, as there have since been many versions, such asSimpleLocker, SamSam and WannaDecryptor for…
Reading Time: 3 minutes Celebrate National Cybersecurity Awareness Month By Learning to Protect Against Ransomware Attacks It’s the season for pumpkin picking, leaves changing color, getting ready for Halloween parties and trick-or-treating. But ghosts and ghouls aren’t the only scary things you’ll be seeing this month: October is also National Cybersecurity Awareness Month, a time when business leaders and…
Reading Time: 3 minutes Two months have passed since the city of Baltimore was hit by the latest in a string of ransomware attacks targeting municipalities, and things still aren’t completely back to normal. The attack, perpetrated by an unknown cyber criminal, impacted over 10,000 municipal government-owned computers, and disrupted tax collection and city employees’ access to their email…
Sign up to our cyber security newsletter
Comodo Cybersecurity would like to keep in touch with you about cybersecurity issues, as well as products and services available. Please sign up to receive occasional communications. As a cybersecurity company, we take your privacy and security very seriously and have strong safeguards in place to protect your information.
See how your organization scores against cybersecurity threats