Learn about Zero Trust Architecture
Impenetrable cybersecurity without sacrificing usability
Gain detailed visibility into all your endpoints activities
Harden applications and hardware environments
Immediate and continuous response to incidents
Close the window of time your data could be exposed
Get your Comodo solutions setup, deployed or optimized
Control access to malicious websites
Defend from any internet based threats
Stop email threats before it enters your inbox
Preserve and protect your sensitive data
Keep your website running fast and malware free
Add encryption to your websites
Automated certificate mgmt. platform
Secure private intranet environments
Digital signature solutions for cloud apps
Encrypt emails for senders and recipients
Stay compliant with PCI DSS
Trusted authentication for IoT devices
Francisco Partners a leading technology-focused private equity fund, has acquired a majority stake in Comodo’s certificate authority business. Newly renamed from Comodo CA Limited to Sectigo Limited. Privacy Policies, Trademarks, Patents and Terms & Conditions are available on Sectigo Limited’s web site.
Meet the people behind the direction for Comodo
Get the latest news about Comodo
People are the key to achievement and prosperity
Stay up to date with our on-demand webinars
Worldwide: Sales, Support and General Inquiries
Schedule a live demonstration of our solutions
Need immediate help? Call 1-888-551-1531
Instantly removes viruses to keep your PC virus free
Experience true mobile security on your mobile apple devices
Secure Internet Browser based on Chrome
Chrome browser internet security extension
Submit a ticket to our support team
Share any product bugs or security flaws
Collaborate with research experts on data sets
Valkyrie Threat Intelligence Plugins
Valkyrie Threat Intelligence APIs
Should you fear your office scanner/printer? How about your post office?
A second wave of new but related IKARUSdilapidated Locky ransomware attacks has occurred, building on the attacks discovered by the Comodo Threat Intelligence lab earlier in the month of August 2017. This late August campaign also uses a botnet of zombie computers to coordinate a phishing attack which sends emails appearing to be from your organization’s scanner/printer, or other legitimate source and ultimately encrypts the victims’ computers and demands a bitcoin ransom.
The larger of the two attacks in this wave presents as a scanned image emailed to you from your organization’s scanner/printer. As many employees today scan original documents at the company scanner printer and email them to themselves and others, this malware-laden email will look very innocent.
The sophistication here includes even matching the scanner/printer model number to make it look more common as the Sharp MX2600N is one of the most popular models of business scanner/printers in the market.
This second wave August 2017 phishing campaign carrying IKARUSdilapidated Locky Ransomware is, in fact, two different campaigns launched 3 days apart. The first (featuring the subject “Scanned image from MX-2600N”) was discovered by the Lab to have commenced primarily over 17 hours on August 18th and the second (a French language email purportedly from the French post office featuring a subject including “FACTURE”) was executed over a 15 hour period on August 21st, 2017. Each continued beyond those surges but in much lesser quantities.
These malware authors are evolving and changing methods to reach more users and bypass security methods.
Both English and French language phishing approaches are used in these two new attacks which were launched from, and impacted, numerous countries around the world.
Interestingly, 27% of the 54,048 IP addresses used in the “Scanned Image” attack were also used in the first IKARUSdilapidated Locky attacks on August 9th-11th, 2017 and the top source countries of the of the botnet “zombie computers” remained the same: Vietnam, Turkey, India and Mexico. Considering some of the computers taken over in early August were Internet Service Providers (ISPs), it is a bit surprising that the vulnerabilities were not addressed in the week+ since the first attack and botnet takeover.
ISPs in general were co-opted heavily in this attack which points to both the sophistication of the attack and inadequate cyber-defense at their endpoints.
The French language attack (see below) presents as a “FACTURE” message which translates to a BILL or BILLING inquiry from a laposte.net email address (which is a domain used by a popular French post office company).
17% of the IPs used in this attack were also used in the August 9th -11th IKARUSdilapidated Locky attacks, so the response to the takeover of those machines has been slow.
The Comodo Threat Intelligence Lab team (part of Comodo Threat Research Labs) was able to quickly verify the two new ransomware attacks via detections at Comodo-protected endpoints at the front edge of each new attack. As users clicked on the attachments in these innocuous emails, they were read as “unknown files,” denied entry to the infrastructure, and put into containment, where they were analyzed by Comodo’s machine learning-powered technology and, ultimately, by the lab’s human experts.
The Lab’s analysis of emails sent in the ‘Scanned image” phishing campaign revealed this attack data: 8886 different IP addresses being used from 127 different country code top-level domains maintained by the Internet Assigned Numbers Authority (IANA). The narrower “FACTURE” attack utilized 1657 different IP addresses from 74 country code domains.
As with the early August attacks, when the Lab team checked the IP range owners, we see that most of them are telecom companies and ISPs. This tells us that yet again the IP addresses belong to infected, now compromised computers (also called “zombie computers”). This campaign used a large bot network (or botnet), and had a sophisticated command and control server architecture.
The simulation of an internal scanner/printer, a second attack just a few days later, and the use of local language elements and a post office domain also continues the trend of increasing sophistication, organization and capability of new ransomware attacks and adds more credence to the call to act on the recommendation of security experts everywhere: “Adopt a default deny security posture” and thereby deny new, ‘unknown’ files entry into your IT infrastructure until you’re sure they are good, safe files.
“This first follow-up ransomware phishing attack so soon after the sophisticated August 9th-11th attack, showed us how dedicated they are at getting better at these types of attacks.” said Fatih Orhan, head of the Comodo Threat Intelligence Lab and Comodo Threat Research Labs (CTRL).
Orhan went on to say, “Botnets of compromised “zombie” computers from ISPs are a particularly effective means of attack for criminals to both scale their ransomware attacks and to broadly bombard specific targets in a short-burst type of campaign. The attacks were over so quickly that only preventative measures would have made any real difference. Detection and response would have been too late here.”
To read the new Comodo Threat Intelligence Lab Special Report on Part II of the IKARUSdilapidated Locky ransomware attacks, visit comodo.com/lab and simply enter your email address. You’ll get free access to Part I and II of this Special Report as well as all Weekly and Special Update videos from the Lab.
Tags: Comodo Threat Intelligence Lab,IKARUSdilapidated Locky ransomware,ransomware
Reading Time: 4 minutes Increased dependency on computers and access to data makes an organization more vulnerable to cybersecurity threats. With the increase in cyber-criminals and cyber-attacks, many companies today are looking for greater protection of their decentralized computing work environments from their Managed Service Providers (MSPs). As a result, MSPs need to deliver firewall solutions that are designed…
Reading Time: 3 minutes Rapid technological growth and increasing digitalization in all aspects of life around the world have increased the value of ensuring cyber-security at all levels. This is increasingly true for EU member states and the organizations that are based in or operate from these countries. The number of cyber-attacks targeting EU member states has risen. The…
Reading Time: 3 minutes Disruptions are often unforeseen. This could be a catastrophic event like a hurricane, a fire, or an earthquake. Disruptions, however, can also come in other forms such as that of a pandemic. This means that a building doesn’t necessarily have to be demolished or lives have to be lost for an unforeseen event to completely…
Sign up to our cyber security newsletter
Comodo Cybersecurity would like to keep in touch with you about cybersecurity issues, as well as products and services available. Please sign up to receive occasional communications. As a cybersecurity company, we take your privacy and security very seriously and have strong safeguards in place to protect your information.
See how your organization scores against cybersecurity threats