2nd Wave of IKARUS Ransomware Attacks Uses Your Scanner/Printer, Post Office Billing Inquiry

September 1, 2017 | By Comodo

Should you fear your office scanner/printer? How about your post office?

A second wave of new but related IKARUSdilapidated Locky ransomware attacks has occurred, building on the attacks discovered by the Comodo Threat Intelligence lab earlier in the month of August 2017. This late August campaign also uses a botnet of zombie computers to coordinate a phishing attack which sends emails appearing to be from your organization’s scanner/printer, or other legitimate source and ultimately encrypts the victims’ computers and demands a bitcoin ransom.

Email Attachment

The larger of the two attacks in this wave presents as a scanned image emailed to you from your organization’s scanner/printer. As many employees today scan original documents at the company scanner printer and email them to themselves and others, this malware-laden email will look very innocent.

The sophistication here includes even matching the scanner/printer model number to make it look more common as the Sharp MX2600N is one of the most popular models of business scanner/printers in the market.

This second wave August 2017 phishing campaign carrying IKARUSdilapidated Locky ransomware is, in fact, two different campaigns launched 3 days apart.  The first (featuring the subject “Scanned image from MX-2600N”) was discovered by the Lab to have commenced primarily over 17 hours on August 18th and the second (a French language email purportedly from the French post office featuring a subject including “FACTURE”) was executed over a 15 hour period on August 21st, 2017.   Each continued beyond those surges but in much lesser quantities.

These malware authors are evolving and changing methods to reach more users and bypass security methods.

Both English and French language phishing approaches are used in these two new attacks which were launched from, and impacted, numerous countries around the world.

Interestingly, 27% of the 54,048 IP addresses used in the “Scanned Image” attack were also used in the first IKARUSdilapidated Locky attacks on August 9th-11th, 2017 and the top source countries of the of the botnet “zombie computers” remained the same: Vietnam, Turkey, India and Mexico. Considering some of the computers taken over in early August were Internet Service Providers (ISPs), it is a bit surprising that the vulnerabilities were not addressed in the week+ since the first attack and botnet takeover.

ISPs in general were co-opted heavily in this attack which points to both the sophistication of the attack and inadequate cyber-defense at their endpoints.

The French language attack (see below) presents as a “FACTURE” message which translates to a BILL or BILLING inquiry from a laposte.net email address (which is a domain used by a popular French post office company).

Message Plain Text

17% of the IPs used in this attack were also used in the August 9th -11th IKARUSdilapidated Locky attacks, so the response to the takeover of those machines has been slow.

The Comodo Threat Intelligence Lab team (part of Comodo Threat Research Labs) was able to quickly verify the two new ransomware attacks via detections at Comodo-protected endpoints at the front edge of each new attack. As users clicked on the attachments in these innocuous emails, they were read as “unknown files,” denied entry to the infrastructure, and put into containment, where they were analyzed by Comodo’s machine learning-powered technology and, ultimately, by the lab’s human experts.

The Lab’s analysis of emails sent in the ‘Scanned image” phishing campaign revealed this attack data: 8886 different IP addresses being used from 127 different country code top-level domains maintained by the Internet Assigned Numbers Authority (IANA). The narrower “FACTURE” attack utilized 1657 different IP addresses from 74 country code domains.

As with the early August attacks, when the Lab team checked the IP range owners, we see that most of them are telecom companies and ISPs. This tells us that yet again the IP addresses belong to infected, now compromised computers (also called “zombie computers”). This campaign used a large bot network (or botnet), and had a sophisticated command and control server architecture.

The simulation of an internal scanner/printer, a second attack just a few days later, and the use of local language elements and a post office domain also continues the trend of increasing sophistication, organization and capability of new ransomware attacks and adds more credence to the call to act on the recommendation of security experts everywhere: “Adopt a default deny security posture” and thereby deny new, ‘unknown’ files entry into your IT infrastructure until you’re sure they are good, safe files.

“This first follow-up ransomware phishing attack so soon after the sophisticated August 9th-11th attack, showed us how dedicated they are at getting better at these types of attacks.” said Fatih Orhan, head of the Comodo Threat Intelligence Lab and Comodo Threat Research Labs (CTRL).

Orhan went on to say, “Botnets of compromised “zombie” computers from ISPs are a particularly effective means of attack for criminals to both scale their ransomware attacks and to broadly bombard specific targets in a short-burst type of campaign. The attacks were over so quickly that only preventative measures would have made any real difference. Detection and response would have been too late here.”

To read the new Comodo Threat Intelligence Lab Special Report on Part II of the IKARUSdilapidated Locky ransomware attacks, visit comodo.com/lab and simply enter your email address. You’ll get free access to Part I and II of this Special Report as well as all Weekly and Special Update videos from the Lab.

Be Sociable, Share!

    Add new comment

    Your name
    Comment

    You may use these HTML tags and attributes: <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>