News | February 10, 2015

Alert From KnowBe4: New Ransomware Strain Encrypts Files From Memory

KnowBe4 CEO Stu Sjouwerman issued an alert to security professionals recently about a newly discovered piece of ransomware dubbed ”Fessleak” by security firm Invincea. The ransomware is Russian and delivers its malicious code straight into system memory and does not drop any files on a disk.That means almost all antivirus software is unable to catch this. The infection vector is malicious ads on popular websites that the cybercriminals are able to display by bidding on the ad space through legit ad networks.

"This particular strain is new and quite harmful as it takes advantage of file-less infections that can communicate through the TOR network," said Sjouwerman. "We are going to continue to see more and more ransomware this year and this is just the latest innovation.”

This strain can check to ensure the host is not running on a virtual machine to frustrate security researchers and analysts. For end-users, they might visit a major site on their lunch break like HuffingtonPost, Photobucket, CBSsports, or and check out someone's "Granny opening a new iPhone video", or "These are the Charlie Hebdo cartoons that terrorists thought were worth killing over" headlines. Clicking that one link is enough to get confronted with a full screen announcing all personal or business files, photos and videos have been one-way encrypted and to get them back you need to pay a ransom in Bitcoin.

The cybercriminals first set up a short-lived burner domain directing to a landing page where the exploit kit is hosted. Then they start real-time bidding for ads pointing to the burner domain. Once their bad ad is displayed on a popular website and users clicked on it, they would be redirected to the malicious domain which in turn infects their workstation.

The same gang is also using 0-day exploits for Flash Player, and is apparently able to change their malware on the fly to exploit the most recent vulnerabilities. Fessleak drops a temp file via Flash and makes calls to icacls.exe, the file that sets permissions on folders and files. At this time, there is no detection for the malicious binary, which likely rotates its hash value to avoid Antivirus detection.

Sjouwerman makes a few recommendations to mitigate this type of attack:

  1. Backup, backup, backup and take a weekly copy of your backup off-site.
  2. Keep your attack surface as small as possible and religiously patch the OS and third party apps as soon as possible. Visit site for some additional help.
  3. Run a UTM and/or a good Proxy, block centrally rather than machine by machine. If that's not possible, install AdBlocker plugins for each browser.
  4. It is increasingly clear that effective security awareness training is a must these days. Once a year training for compliance does not cut it anymore. End-users need to be on their toes with security top of mind. Kevin Mitnick security awareness training combined with frequent simulated phishing attacks drops the employee Phish-prone percentage in 12 months from about 16 percent down to just over 1 percent.”

For more information, visit

Security Awareness training:

About Stu Sjouwerman and KnowBe4
Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, LLC, which provides web-based Security Awareness Training (employee security education and behavior management) to small and medium-sized enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced security awareness training. KnowBe4 services hundreds of customers in a variety of industries, including highly-regulated fields such as healthcare, finance and insurance and is experiencing explosive growth with a surge of 427% in 2013 alone. Sjouwerman is the author of four books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses.

About Kevin Mitnick
Kevin Mitnick is an internationally recognized computer security expert with extensive experience in exposing the vulnerabilities of complex operating systems and telecommunications devices. He gained notoriety as a highly skilled hacker who penetrated some of the most resilient computer systems ever developed. Today, Mitnick is renowned as an information security consultant and speaker, and has authoreIn cd three books, including The New York Times best seller Ghost in the Wires. His latest endeavor is a collaboration with KnowBe4, LLC.

Source: KnowBe4, LLC