Australians have been targeted with a Breaking Bad-themed crypto ransomware.
The malware, detected by security firm Symantec, has adopted the mantle of “Los Pollos Hermanos”, a fictional fast food chain from the popular AMC television series and attempts to lock down any drive on the computer’s network.
According to Symantec, the malware encrypts images, videos, documents, and more on the compromised computer and demands up to $1000 to decrypt these files.
Symantec senior principal systems engineer (security), Nick Savvides, said the attack arrives through a malicious zip archive, that uses the name of a major courier firm in its file name.
“In the last two weeks we have seen a number of attacks that have used courier firms. If you look at the top five courier companies in Australia that are delivering consumer packages, they are the ones being used.
“These are very convincing sites and emails that have been set up to trick users.
“These are all crypto malware. That’s the big thing right now, we saw a massive rise over the last twelve months and this year is only going to be bigger.
Savvides explained that the Los Pollos Hermanos- themed attack initially asks for $450. It gives the infected user an approximate 24 hour deadline to pay this amount before the demand is increased to $1000.
“That’s around twice the size of the average ransomware demand. Typically we see demands for between $300 - 500, these guys are asking for a lot more.”
Symantec said part of the email address used in the extortion demand is based on a quote by the show’s protagonist, Walter White, who declared “I am the one who knocks.”
This zip archive contains a malicious file called ‘PENALTY.VBS’ (VBS.Downloader.Trojan). When executed, it downloads the crypto-ransomware onto the victim’s computer.
The threat also downloads and opens a legitimate pdf file to trick users into thinking that the initial zip archive was not a malicious file.
The malware encrypts files using a random Advanced Encryption Standard (AES) key. This key is then encrypted with an RSA public key so that victims can only decrypt their files by obtaining the private key from the attackers.
The ransom demand links to a legitimate video tutorial on how to obtain Bitcoins. Symantec said attackers did this to assist victims with paying the ransom.
Savvides said the most concerning thing about this particular attack was that the malware seeks to encrypt specific files and drives on a network.
“It is targeting user-generated files like Office documents, pictures, music, program installers, Photoshop, Illustrator and video files.”
He also said that the malware seeks to lockdown any drive that is attached to a network, such as network attached storage (NAS) or external hard drives.
“Without appropriate Cloud or non-network attached backups, people are extremely vulnerable and may have no choice to pay if infected.”
Savvides concluded that prevention was far superior to cure in the case of any malware. Appropriate backups and up to date security software were imperative to combat these crypto-ransomware attacks.