Comodo Threat Intelligence Lab discovered a new October phishing campaign with the infamous IKARUSdilapidated Locky ransomware payload, marking the 4th hybrid of this evolving 2017 threat.
The hackers use a botnet of “zombie” computers under their control to coordinate a social engineering-based phishing attack targeting businesses and individuals. Emails hitting tens of thousands of endpoints as “unknown” files bypassed malware signature-based IT security and even machine learning-based artificial intelligence tools.
The botnet has a social engineering aspect, with users receiving an email with the subject line “Supplemental payment”. As with the other three IKARUSdilapidated attacks from August and September, clicking the attachment ultimately encrypts the victims’ computers and demands a bitcoin ransom.
Here is a detail of an actual e-mail from the first day of the attack.
The targeted campaign ran primarily from October 11-13, 2017.
This malware is distributed as a Visual Basic Script (with a “.vbs” extension) and uses the “.asasin” extension for encrypted files. All four waves of the IKARUSdilapidated attacks were designed with enough new code to fool security administrators and their machine learning algorithms and signature-based tools. The social engineering variations were interesting too, aimed at fooling the employees receiving the emails as well.
In the attacks, “.vbs” files are distributed via email. This shows that malware authors are developing variations to reach more users at firms that allow new, unknown files to enter their infrastructure through the endpoint. This unfortunately includes many firms in the F1000 as well as small- and medium-sized enterprises.
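A mail-gateway style check for the delivery method described above, as an added example that is not from Comodo's report or tooling: it parses a message and flags script attachments by their final extension. The extension list beyond ".vbs", the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Script types that Windows Script Host or mshta run on double-click.
# ".vbs" is the type named in this report; the others are an assumed policy list.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}

def script_attachments(raw_message: bytes) -> list[str]:
    """Return attachment filenames whose final extension is a script type."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # handles quoted and RFC 2231 encoded names
        if not name:
            continue
        # Windows drops trailing dots and spaces, so "x.vbs. " still opens as .vbs
        cleaned = name.rstrip(". ")
        # Only the last extension decides the handler: "a.PDF.VBS" is a script
        ext = "." + cleaned.rsplit(".", 1)[-1].lower() if "." in cleaned else ""
        if ext in SCRIPT_EXTS:
            hits.append(name)
    return hits

def verdict(raw_message: bytes) -> str:
    """Quarantine any message carrying a script attachment, deliver the rest."""
    return "quarantine" if script_attachments(raw_message) else "deliver"

def build_sample(filename: str) -> bytes:
    """Constructed test message; the attachment body is an inert placeholder."""
    m = EmailMessage()
    m["Subject"] = "Supplemental payment"
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m.set_content("See attached.")
    m.add_attachment(b"' constructed placeholder\r\n", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fn in ("sample_A.PDF.VBS", "sample_B.pdf", "sample_C.vbs."):
        print(fn, "->", verdict(build_sample(fn)))
```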
The victims here see the ransomware demand screen so familiar to the victims of the first three waves of IKARUSdilapidated Locky attacks during the summer and September.
Looking closer at one view of the ransom screen, you see that they invoke Wikipedia as a means for the victim to learn more about the encryption ciphers:
Here is a heat map of the October 11 attack, showing its global range.
Locations in India, Vietnam, Iran and Brazil were the primary recipients.
ISPs in general were co-opted heavily, which points again to both the sophistication of the attack and inadequate cyber-defense against new malware arriving at their endpoints.
Here are the leading range owners detected in the “Supplement payment” attack:
Here you can see a sample of the scripting, which is quite different from that used in the September 2017 attacks.
Phishing and Trojan experts from the Comodo Threat Intelligence Lab (part of Comodo Threat Research Labs) detected these “Locky” ransomware attacks and verified that they began on October 11. More than 10,367 instances of phishing emails were detected at Comodo-protected endpoints in the first three days. The attachments were read as “unknown files,” put into containment, and denied entry until they were analyzed by Comodo’s technology and, in this case of sophisticated new malware that eluded A.I., by the Comodo Threat Intelligence Lab’s human experts.
The Lab’s analysis of emails sent in the “Supplement payment” phishing campaign revealed this attack data: 9,177 different IP addresses being used from 143 different country code top-level domains maintained by the Internet Assigned Numbers Authority (IANA).
Amazingly, when the Lab analyzed the sources and compared them to the IP addresses that participated in the last three campaigns, 546 of the same IP addresses were used along with 8,631 different IP addresses utilized in this attack. This is another sign of either under-resourced or inadequately trained IT security staff (or likely both).
“The attacks from these hackers will continue as long as firms continue to utilize the inadequate strategies and tools from legacy vendors,” said Fatih Orhan, head of the Comodo Threat Intelligence Lab and Comodo Threat Research Labs (CTRL). “The unknown file problem is getting worse and we strongly encourage CSOs to reevaluate their “default allow” security posture and to evaluate next generation auto-containment and other isolation technologies which protect against new or newly malware like that used in these IKARUS Locky attacks.”
Want a deeper dive into the attack data? Check the new Comodo Threat Intelligence Lab’s “SPECIAL REPORT: OCTOBER 2017 – OCTOBER BRINGS 4TH WAVE OF RANSOMWARE ATTACKS; “.ASASIN” EXTENSION USED FOR ENCRYPTED FILES”. The Special Report is one of many included with a free subscription to Lab Updates at https://comodo.com/lab. It provides in-depth coverage of this attack, with more analysis and with appendices that include malware analysis and more detail on the sources and machines used in the attacks. Your Lab Updates subscription also includes Parts I, II, and III of the “Special Report: IKARUSdilapidated Locky Ransomware” series and also provides you with the Lab’s “Weekly Update” and “Special Update” videos. Subscribe today at comodo.com/lab.
NOTE FOR MEDIA INQUIRIES: If you’d like to speak with the Comodo Threat Intelligence Lab’s experts on this and the related threats and technologies, please contact: firstname.lastname@example.org