Android Ransomware Up to New Tricks

A new strain of ransomware has arisen in Canada, targeting Android users and locking up personal photos and videos. Named CryCryptor by cyber threat investigators, it was initially spotted pretending to be the official COVID-19 tracing app provided by Health Canada. It is propagating via two different bogus websites that pretend to be official; according to ESET researchers, one of them is tracershield[dot]ca. Like other ransomware families, it encrypts targeted files. But, instead of simply locking the device, CryCryptor leaves a “readme” file with the attacker’s email in every directory.

When a victim launches the app, it requests access to files on the Android device. The selected files are then encrypted with a randomly generated 16-character key. The targeted files include photos and videos. Once encryption is complete, CryCryptor displays a notification that says, “Personal files encrypted, see readme_now.txt.” That readme_now.txt file is placed in every directory containing encrypted files. The developers attempted to disguise the project, called CryDroid, as legitimate and claim to have uploaded the code to the VirusTotal service.

The ransomware app itself contains a bug, listed as an “Improper Export of Android Application Components,” which occurs when an Android application “exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains,” according to MITRE. Because of this bug, any other app installed on the affected device can launch any exported service provided by the ransomware.

The service responsible for file decryption in CryCryptor has the encryption key stored in shared preferences, meaning it does not have to contact any C2 (Command and Control) server to retrieve it. The service is exported without any restriction in the Android Manifest (security weakness CWE-926), meaning it can be launched externally.

CryCryptor, like other malware, is looking to take advantage of governments rolling out COVID-19 tracing apps to fight the pandemic. The Canadian government officially announced the creation of a nationwide, voluntary tracing app called COVID Alert, due to be rolled out for testing in the province of Ontario in July. The new ransomware family surfaced just a few days later. CryCryptor is not the first malware to try to leverage fears of coronavirus/COVID-19 as a method of attacking smartphone or computer users. Microsoft announced in May that it was tracking a massive phishing malware campaign that spread using malicious Excel spreadsheets promising coronavirus data.

What can you do to better protect your organization today?

  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Institute cyber threat and phishing training for all employees, with testing and quarterly updates.
  • Manage, review and update file permissions and access for all employees.
  • Phishing is normally the first step in a broader attack campaign.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
  • RedXray customers can receive up to $100,000 in ransomware coverage at no additional expense to them.
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.

Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting. Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization.

For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com    

TR-20-197-001_Anroid Ransomware07142020.pdf