July 17, 2007 12:38 PM PDT

Ransom-based malware attacks specific companies

by Robert Vamosi

Various security companies are today reporting targeted attacks made on Fortune 1000 companies over the weekend. What's notable is that documents within each of the affected companies were stolen and encrypted, and the companies were then offered a decryption key for a fee. What's odd is that the amount requested as ransom was a mere $300.

Reuters reports companies hit by the attack include Booz Allen, Unisys, Hewlett-Packard and Hughes Network Systems. Security vendors report having identified hundreds more.

The attack works like this. Malware writers target a handful of companies, somehow manage to sneak their code past the corporate antivirus protection, then encrypt what the attackers consider to be significant documents. It's unclear whether the attackers have and are otherwise using the information in the encrypted documents. The attackers then send the companies a note explaining that the document is locked with RSA-4096. The ransom aspect of this attack tends to disguise the fact that companies were compromised in the first place.

Analysis by antivirus vendor Kaspersky finds no trace of RSA-4096 and suggests a weaker form of encryption was used instead. Also, the initial malware used to harvest and encrypt the files has a self-termination date of July 17th, suggesting this was a test run for something larger. Perhaps that's why they're only demanding $300.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Maybe this is necessary
by qwerty75 July 17, 2007 1:57 PM PDT
In order to get companies and organizations to take security seriously.

Too many think that throwing security features at a network will save them.

Too many do not train ALL their employees in proper security practices, and enforce the rules.

And way too many think they are too small and insignificant to attract attention, so don't use anything more than the most rudimentary security practices, at best. These organizations get burned as often as the big boys.

I am not saying that this sort of thing is a positive thing, or that the attackers are acting in any sort of benevolent manner. But companies are always short-sighted and only look at profits today, they don't see the big picture especially if it is not a direct revenue generator.

They need to be hurt financially before they will take it seriously. It was the same way 100 years ago with low wages and low safety standards. They had to get hurt before they took proper moral and ethical actions. Businessmen are the only subspecies of humans that never evolve.
Or maybe it is not
by zboot July 17, 2007 6:11 PM PDT
Perhaps the company is too poor to afford full-fledged security measures. Maybe they're too busy trying to survive to waste time teaching the guy who is chief engineer/receptionist/janitor/salesperson how to avoid unintentionally leaking information to corporate spies. Perhaps they don't have any IT friends who are willing to work for free. Maybe they believe one shouldn't need to be uber huge, have oodles of technical competence, or some other thing that I'm not typing - in order to compete online.