Learn about Zero Trust Architecture
Impenetrable cybersecurity without sacrificing usability
Gain detailed visibility into all your endpoints activities
Harden applications and hardware environments
Immediate and continuous response to incidents
Close the window of time your data could be exposed
Get your Comodo solutions setup, deployed or optimized
Control access to malicious websites
Defend from any internet based threats
Stop email threats before it enters your inbox
Preserve and protect your sensitive data
Keep your website running fast and malware free
Add encryption to your websites
Automated certificate mgmt. platform
Secure private intranet environments
Digital signature solutions for cloud apps
Encrypt emails for senders and recipients
Stay compliant with PCI DSS
Trusted authentication for IoT devices
Francisco Partners a leading technology-focused private equity fund, has acquired a majority stake in Comodo’s certificate authority business. Newly renamed from Comodo CA Limited to Sectigo Limited. Privacy Policies, Trademarks, Patents and Terms & Conditions are available on Sectigo Limited’s web site.
Meet the people behind the direction for Comodo
Get the latest news about Comodo
People are the key to achievement and prosperity
Stay up to date with our on-demand webinars
Worldwide: Sales, Support and General Inquiries
Schedule a live demonstration of our solutions
Need immediate help? Call 1-888-551-1531
Instantly removes viruses to keep your PC virus free
Experience true mobile security on your mobile apple devices
Secure Internet Browser based on Chrome
Chrome browser internet security extension
Submit a ticket to our support team
Share any product bugs or security flaws
Collaborate with research experts on data sets
Valkyrie Threat Intelligence Plugins
Valkyrie Threat Intelligence APIs
Would you be scared or at least anxious if you’d found a subpoena to the US district court in your email box? Most of the people definitely would. That’s exactly what the malicious attackers counted for when conducted this massive attack from Russia-based IPs with sophisticated and cunning ransomware payload.
Social engineering: faked authority cause real fear
3582 users became the targets of this malicious email disguised as “United States District Court” subpoena.
As you can see, the email consists of the whole bunch of social engineering tricks to convince the users to open the malicious attachment. Mainly, the perpetrators try to play on the emotional strings of fear, authority and curiosity to manipulate the victims. Installing this emotional-aroused state into the receivers’ minds is aimed to suppress their ability for critical thinking and make them act rashly.
Also, the email address of the sender is “uscourtgove.com”, which, of course, is faked but adds more credibility to the email. Having the password for the attachment strengthens the flavor of the mail solidity. The subject of email is “megaloman” and document attached is named “scan.megaloman.doc” and this match also adds some small touches of credibility. And threatening the victim with responsibility if she “fails to do for is bounden to you” (and the only way to find out that is to open the file in attachment) is the icing on the cake.
This blow-up manipulative cocktail is a potent tool to help the perpetrators to get what they want. So the risk for many people to fall prey to this scam is very high.
Now let’s see what happens if a user opens the file in the attachment.
The malware: first hides, then hits
Of course, it has nothing in common to subpoena. In reality, as Comodo Threat Research Labs analysts discovered, it’s a new variant of cunning and sophisticated Sigma ransomware that will encrypt files on the infected machine and extorts the ransom to decrypt them.
How Sigma ransomware functions:
What is special in this new variant of Sigma is that it requests the user to enter the password. Um… password for malware? Throughout it can sound weird, in reality it has the clear purpose: more obfuscation of the malware from detection.
But even if the user will enter the password, the file won’t run immediately. If the macros are turned off on the victim’s machine, it convincingly asks to turn them off. Notice, how this require fits into the whole attackers’ strategy: if it’s a message from the court it definitely can be a protected document, right?
But in reality the file includes a malicious VBScript that must be run to begin installing the malware on the victim’s computer. It downloads the next part of the malware from the attackers’ server, saves it to %TEMP% folder, disguises it as svchost.exe process and executes it. This svchost.exe acts as a dropper to download one more part of the malware. Then via a rather long chain of actions – again, for stronger obfuscation – it completes the malicious payload and runs it.
The malware looks really impressive with its variety of tricks to hide and avoid detection. Before running, it checks the environment for virtual machine or sandboxes. If it discovers one, the malware kills itself. It disguises its malicious process and registry entries as legitimate ones like “svchost.exe” and “chrome”. And that’s not all.
Unlike some of its close ransomware relatives, Sigma does not act immediately but lurks and makes covert reconnaissance first. It creates a list of valuable files, counts them and sends this value to its C&C server along with other information about the victim’s machine. If no files were found, Sigma just deletes itself. It also doesn’t infect a computer, if finds out that its country location is Russian Federation or Ukraine.
The malware connection to its Command-and-Control server is also complicated. As the server is TOR-based, Sigma takes a sequence of steps:
1. Downloads the TOR software using this link: https://archive.torproject.org/tor-package-archive/torbrowser/7.0/tor-win32-0.3.0.7.zip
2. Saves it to %APPDATA% as System.zip
3. Unzips it to %APPDATA%\Microsoft\YOUR_SYSTEM_ID
4. Deletes System.zip
5. Renames Tor\tor.exe as svchost.exe
6. Executes it
7. Waits for a while and sends its request
And only after that Sigma begins to encrypt files on the victim’s machine. Then ransom note will capture the poisoned machine’s screen.
And … finita la commedia. If the victim didn’t previously arrange to make backups, her data is lost. There is no way to restore them.
Protection: how to fight back
“Facing with malware so sophisticated on both sides, social engineering tricks and technical design, is a hard challenge for even security-aware users,” says Fatih Orhan, the Head of Comodo Threat Research Labs. “To protect against such cunning attacks you need to have something more reliable than just people awareness. In this case, a real solution must give 100% guarantee that your assets won’t be harmed even if someone takes the crooks’ bait and run the malware.
That’s exactly what exclusive Comodo auto-containment technology gives our customers: any arriving unknown file is automatically put into the secure environment, where it can be run with no single possibility to harm a host, system or network. And it will stay in this environment until Comodo analysts will have examined it. That’s why no one of Comodo customers has suffered from this sneaky attack”.
Live secure with Comodo!
Below are the heatmap and IPs used in the attack
The attack was conducted from 32 Russian-based (Saint Petersburg) IPs from the email Kristopher.Franko@uscourtsgov.com which domain most likely was created specially for the attack. It started on May 10, 2018, at 02:20 UTC and ended at 14:35 UTC.
Ransomware Protection Software
Tags: Ransomware attacks,Sigma Ransomware,Subpoena,ransomware
Reading Time: 4 minutes Increased dependency on computers and access to data makes an organization more vulnerable to cybersecurity threats. With the increase in cyber-criminals and cyber-attacks, many companies today are looking for greater protection of their decentralized computing work environments from their Managed Service Providers (MSPs). As a result, MSPs need to deliver firewall solutions that are designed…
Reading Time: 3 minutes Rapid technological growth and increasing digitalization in all aspects of life around the world have increased the value of ensuring cyber-security at all levels. This is increasingly true for EU member states and the organizations that are based in or operate from these countries. The number of cyber-attacks targeting EU member states has risen. The…
Reading Time: 3 minutes Disruptions are often unforeseen. This could be a catastrophic event like a hurricane, a fire, or an earthquake. Disruptions, however, can also come in other forms such as that of a pandemic. This means that a building doesn’t necessarily have to be demolished or lives have to be lost for an unforeseen event to completely…
Sign up to our cyber security newsletter
Comodo Cybersecurity would like to keep in touch with you about cybersecurity issues, as well as products and services available. Please sign up to receive occasional communications. As a cybersecurity company, we take your privacy and security very seriously and have strong safeguards in place to protect your information.
See how your organization scores against cybersecurity threats