Showing posts with label virus. Show all posts

Wednesday, 28 June 2017

Ransomware to make money?


Ransomware can be used to make money. No, hear me out. Ransomware as a vector to make money... no, it is not what you think.
So the latest ransomware is doing the rounds after the horror that was WannaCry: we now have Petya (sorry, this one went active months ago), NotPetya and GoldenEye all going active overnight. Petya has been around a while, but the new ones use the same vulnerability WannaCry did (EternalBlue, the SMBv1 flaw fixed by MS17-010), plus they now steal local credentials and re-use them to infect PCs across the network (and the world) that use the same credentials, regardless of their patch level. These viruses have been seen on everything from point-of-sale systems in Ukraine to chocolate factories (seriously, chocolate; do beer next and watch Australians find you and tear you limb from limb).

Anyway, ransomware holds your files to ransom by encrypting them with a key only the attackers know. They then demand payment in the somewhat untraceable cryptocurrency Bitcoin (BTC), which can be traded on online markets for real money. The only issue is, they never get much. You can actually tell by looking at the digital wallets connected to the ransomware (amounts as of 28/07):

Petya (original, from March): 0.0002 BTC, ~US$0.50 (FAIL)
NotPetya: 3.39 BTC, ~US$9,000
GoldenEye: 0 BTC, US$0 (early days yet, and maybe the same wallet as NotPetya)
WannaCry had loads of wallets; the first one 17.5 BTC (~US$45,000), the second 19.75 BTC (~US$50,000), the third 14.4 BTC (~US$36,000), around US$130,000 in total from those three. Thanks to https://twitter.com/actual_ransom.

So why do they do this? They don't actually make an amount equal to the development time or the disruption they cause. I've thought about this a lot. Surely there are better ways to make money. One virus (Adylkuzz) was recently found that also used the same vulnerability WannaCry did. However, Adylkuzz sat silently on the PC it infected, slowly infecting others... and mining a different cryptocurrency called Monero. Now that is a much smarter long-term money maker.
Proofpoint have a good breakdown of Adylkuzz here, and as of the 15th of May, likely only a few weeks into their virus mining cryptocurrency, they had around US$50,000. This is important, as mining cryptocurrency takes time. Sorry I can't link directly to the wallets, as Monero doesn't work like Bitcoin in this regard. They seem to be using lots of Monero wallets too, so they are likely making a lot more.

I thought this mining by malware was an interesting method; though it isn't making them millionaires, it is still a slow, steady source of money.

The Bitcoin wallets used for the ransomware don't seem to make much, not for the effort put in to code and distribute the malware. No, the bad guys are performing, I think, a writ-large pump and dump scheme.
Bitcoin has gone from around US$500 a year ago to US$2,500 as of writing this, and it is slated to get to US$5,000 by the end of the year. In fact, if you look at the spikes, they have almost always coincided with ransomware releases; some spikes have come before the malware hit, perhaps indicating a buying frenzy by knowledgeable parties.

[Bitcoin price chart, care of Coindesk]

Combine this with some companies speculatively buying bitcoin in case they get hit by ransomware (as reported on the Risky Business podcast), and other people buying simply because the value is increasing, and you have yourself a criminal-led, massive pump and dump scam.
The criminals probably bought and mined bitcoin years ago and are sitting on it. They then pump demand, and thus the price, by doing these virus releases, selling them as ransomware-as-a-service to unsuspecting clients... then the price rises and rises... then they sell out all their bitcoin. The market crashes... but they have millions. Better yet, their bitcoin wallets are not in any way related to the ransomware transactions, so it becomes difficult to catch them, on top of the usual pseudonymous nature of bitcoin transactions.

So there you have it. Don't play into their game... maybe, or if you do, jump out before the bad guys dump and kill the market. Good luck with that.

Oh, and protect yourself from this and all other ransomware by doing backups, not opening files from people you don't know, removing admin rights, making the local admin password unique per machine, and maybe even rolling application whitelisting into your environment.

In this particular instance:
Patch Windows (XP and later; Microsoft released out-of-band MS17-010 patches for XP and 2003 after WannaCry) against MS17-010, and disable SMBv1 wherever you can, since EternalBlue needs it.
Create the read-only file c:\windows\perfc as per this (the malware checks for its own filename without the extension in the Windows directory and exits if it already exists; creating perfc.dat and perfc.dll alongside it costs nothing).
The LAPS tool is free from Microsoft and should be investigated and used to ensure unique local admin passwords on all domain-joined computers.
Add perfc.dat and PSEXEC.EXE to your application whitelisting to be denied, as per https://twitter.com/HackingDave/status/879779361364357121
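To make the list above actionable, here is an added PowerShell script (my example, not code from the original post or from any of the researchers linked above) that creates the vaccine files read-only, checks for an MS17-010 hotfix, and disables SMBv1. It assumes an elevated prompt on Windows 8.1/2012 R2 or later for the SMB cmdlets. The KB list is taken from the MS17-010 bulletin and is illustrative only: later cumulative updates supersede those KBs, so a miss is a prompt to check the build, not proof of vulnerability.

```powershell
#Requires -RunAsAdministrator
# Added example: NotPetya mitigations from the post, as a script. Run elevated.

# 1. "Vaccine": the malware looks for C:\Windows\<its own name without extension>
#    and exits if it exists. Create perfc plus the two common variants, read-only.
foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
    $path = Join-Path $env:SystemRoot $name
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -ItemType File -Force | Out-Null
    }
    (Get-Item -Path $path).IsReadOnly = $true
    Write-Host "Vaccine file present and read-only: $path"
}

# 2. MS17-010 check by hotfix ID. IDs differ per OS (assumed list, from the
#    March 2017 bulletin); later cumulative updates replace them, so treat a
#    miss as "go check the OS build", not as "vulnerable".
$ms17010 = 'KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
           'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429'
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 hotfix found: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 KB found by ID. Confirm the OS build carries the April 2017 or later cumulative update.'
}

# 3. SMBv1: EternalBlue rides on it. Report, then turn it off at the server
#    and remove the optional feature (the latter needs a reboot to finish).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 is enabled on this host; disabling.'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Host 'SMBv1 already disabled at the SMB server.'
}
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
Write-Host 'SMB1Protocol feature removal queued; reboot to complete.'
```

The perfc vaccine is a stopgap for this one family, not a control; the patch and the SMBv1 removal are what actually close EternalBlue, and the PsExec/perfc.dat deny rules from the tweet above belong in your AppLocker or Software Restriction Policy via Group Policy rather than in a per-host script.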

Sunday, 4 July 2010

Big Wirus

Gather round everyone for a tale of woe.
So I loaned one of my many USB keys to Fiona to backup some of our photos to print at a BigW, Mt Gravatt to be precise. I had cleared everything off and handed it over to her to copy over the photos. We tried it in a local BigW (Mt Ommaney) on Saturday but couldn't find a station that worked properly, we managed to get a few photos printed, but Fiona kept the key to see if she could get them printed elsewhere.
Off she trotted to Mt Gravatt BigW on Monday after she dropped the kids at kindy, printed out the photos and thought nothing of it. Wednesday night I decided I should move my files back, plugged the USB key in and noticed among the photos a hidden autorun.inf. Not usual for me to leave that there, and a quick read of it in a text editor showed it was trying to run RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\driver.exe. Scanning the file with ClamWin told me it was Trojan.Poison-36 (it goes by other names; Trojan.KillAV is Symantec's name), a nasty little phone-home trojan that was only discovered recently (9/06/10) and uses the usual trick of infecting attached drives via autorun.inf. It also goes on to try and kill AV programs and, once that is done, download other malware; see here.
I was safe due to my self inflicted draconian software restriction policy, and Fiona who had plugged it in to her laptop was safe due to it being an exe and her running Linux.
So I notified BigW back on the 30th; I think, for something so little, I have given them reasonable disclosure. It is something they could have designed against, by using a software restriction policy, or simply making the USB devices read-only via policy, or, hey, you know, antivirus that at least occasionally gets updated...
I was and still am tempted to put my own little exe and autorun on a key to see if the kiosks are still vulnerable, but Fiona has advised against it, my little voice of reason.
My problem with this issue is that there seems to be little design that has gone into a system that thousands of people probably use a week, and little concern for the users of these systems: how many people are going to get home and infect their systems, and how many are going to not realise it was due to the dodgy kiosk they used and then blame the internet, Microsoft, or their kids? I am not a big fan of misplaced blame.

Not really much news here; viruses are a part of life. But with most modern USB keys no longer having the nice little feature of a read-only switch, there is little you can do to protect yourself. You could try having an autorun.inf on your key that is marked read-only; that may work unless the virus knows how to overwrite it.
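The two policy fixes the post says the kiosk should have had (no autorun, USB storage read-only), plus an audit that finds exactly the kind of hidden autorun.inf described above, as an added PowerShell example (mine, not from the original post). It assumes an elevated prompt on Windows 7 or later with PowerShell 3.0+; the two registry values are the documented NoDriveTypeAutoRun and StorageDevicePolicies\WriteProtect settings, and the RECYCLER folder name is the XP-era location the post saw (Vista and later use $Recycle.Bin).

```powershell
#Requires -RunAsAdministrator
# Added example: harden a Windows box (or kiosk) against autorun.inf droppers
# and audit any removable drive already plugged in.

# 1. Disable autorun for every drive type (0xFF covers them all).
$explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPol -Force | Out-Null
Set-ItemProperty -Path $explorerPol -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

# 2. Make USB mass storage read-only, which is what a print kiosk should be.
#    Applies to devices attached after the change.
$storagePol = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
New-Item -Path $storagePol -Force | Out-Null
Set-ItemProperty -Path $storagePol -Name WriteProtect -Value 1 -Type DWord

# 3. Parse an autorun.inf (which may be hidden, hence -Force) and return the
#    keys that launch something: open=, shellexecute=, shell\<verb>\command=.
function Get-AutorunTargets {
    param([Parameter(Mandatory)][string]$Root)
    $inf = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -Path $inf)) { return @() }
    Get-Content -Path $inf -Force | ForEach-Object {
        if ($_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(.+)$') {
            [pscustomobject]@{ Key = $matches[1]; Target = $matches[2].Trim() }
        }
    }
}

# 4. Walk every removable drive (DriveType 2), report what autorun.inf would
#    run and whether the payload is actually there, and list hidden RECYCLER
#    subfolders, where the post's sample stashed driver.exe under a SID.
Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    foreach ($hit in (Get-AutorunTargets -Root $root)) {
        $payload = Join-Path $root $hit.Target
        $present = Test-Path -Path $payload -PathType Leaf
        Write-Warning ('{0} autorun.inf {1}={2} (payload present: {3})' -f $root, $hit.Key, $hit.Target, $present)
    }
    $recycler = Join-Path $root 'RECYCLER'
    Get-ChildItem -Path $recycler -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Warning "Hidden RECYCLER subfolder: $($_.FullName)" }
}
```

Run it with the suspect key inserted and it prints the open= target and whether the dropper exists; run it on the kiosk image and the two policy values stop the key from ever being written to or auto-launched, which is the design the post argues the kiosk should have had.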

Monday, 14 December 2009

Linux secure?

Oh my, read this; http://www.omgubuntu.co.uk/2009/12/malware-found-in-screensaver-for-ubuntu.html
Of course this is just the beginning. I saw this in the early days of Windows: popularity means people want flashy yet lame screensavers, so they go a-hunting, see a banner ad flashing epileptically at them that tells them their search is over, they click it and install a new theme for their cursor (I hate these), a day-of-the-month screensaver, or a fancy toolbar which will let you know who is browsing your MyFaceTwitLinked page at any given time, and which also automatically installs thousands of other applications you may like, with some nice little bots hiding among them. Of course on install it asks them for their password, as it has to make system changes; it then puts a helper in root's cron and makes a new init.d daemon to keep it memory-resident and its privileges elevated. Heck, maybe it even recompiles some binary that is used frequently with elevated privileges and checks that all that other stuff is still good to go, something like the log server or init.
Then Linux will have reached the popularity of Windows, and the weakest link will again be the user.
So in my humorous little story above I am trying to point out that just because it is safe now doesn't mean it will be forever. Windows is less and less about worms that automatically get in without user intervention. Conficker was the last big one, and MS had a patch out before it hit, so it was only slow patching that really let it spread. The rest of the viruses that are seen are delivered along with innocuous-looking software, or at worst a drive-by download, which means a page is running something in the background that takes advantage of a hole in Internet Explorer to install something; these drive-by downloads won't happen. But have a look at the top 15 most common attacks, http://www.net-security.org/secworld.php?id=8597, and you will see Linux and Macs are susceptible to the lot, through misconfiguration or user error.
Don't get me wrong, I am a big Linux fan-boi. If I had it my way Windows would be the struggling niche, Linux would have 96% market share, BSD 2%, and Macs wouldn't exist :P I think the ideal behind Linux is very admirable and scientific. Linux builds on what has come before it (usually), and because what has come before is open and readable this is fairly easy. "If I have seen further, it is by standing on the shoulders of giants." Sir Isaac Newton. To not build on what has come before is to repeat your predecessors' mistakes.
There will always be flaws, till we write code that can write its own code; it may eventually create something almost flawless, or one of its children will.
I think Linux allows for greater security, but also greater insecurity. Security is not where open source's power lies; it is its flexibility.

Tuesday, 17 November 2009

Rickrolling has gone viral again

Now this story interests me on so many levels.
It has put Wollongong on the map again, people. I'll admit I was raised in the Gong, so it is good to see someone from Wollongong even making notoriety. The last renowned intelligent exports we had were Evelyn Owen and Sir Lawrence Hargrave (1939 and 1915 respectively), so it has been some time between.
I also dislike Apple; their practices annoy me. Their practice of dumbing down everything, even the extremely technical, is the same as dropping superfluous words from the English language to make it easier for speakers; we only need one word for cold, right? They also stand on the shoulders of giants, yet give little recognition to those. Yes, they made Unix "usable" (so did Linux, without the pompousness), but try and find their references of gratitude to all their stolen code or stolen ideas: nope. Apple have fallen down in the security world repeatedly, and this is a glaring example. Who sets the same password on every device when you can assume with pretty high certainty that people are going to attack it and find out your password? Hence the unlocking.
The other reason this is interesting is that it is a virus that Rickrolls people, hilarious. Rickrolling is something I have done, and had done to me, a fair few times, and it almost always makes me smile. The other humorous point of this is that the author is Ashley Towns, so the meme of Rick Astley is almost made for him.
Well, if you own an iPhone (hisss) then you can secure it against this virus here (a simple passwd to fix it); bear in mind that this virus will probably hang around for a few years like Code Red and Slammer. Funny stuff.
