New Ransomware Evades Machine Learning Security Software
Security software vendors are furiously introducing new products with increasingly sophisticated machine learning algorithms that can detect phishing scams and quarantine a message before it ever gets in front of a vulnerable end user to be clicked upon.
But a ransomware campaign launched Sept. 18 features a sophisticated new wrinkle to the phishing technique, enabling it to slip past many of the machine learning algorithm-based software sold by some of the industry’s most popular vendors, according to research by security firm Comodo.
The new attack strategy marks the latest escalation in the perpetual cat-and-mouse game being played by hackers and the security software developers trying to stay one step ahead of them.
“The method of phishing is by an attachment of an email; the attachment is disguised as a printer output, and it contains a script inside an archive file,” said Fatih Orhan, vice president of Comodo Threat Research Labs. “These are not enough to make a phishing detection.”
The third in an increasingly sophisticated series of ransomware attacks launched this summer is also a “Locky” malware variant dubbed IKARUSdilapidated by Comodo, though some other security vendors are calling it Diablo6.
As in previous attacks, the hackers are using a botnet of zombie computers linked through well-known IP addresses to send the phishing emails.
The emails are intended to convince an end user that the communication is from a vendor.
“The larger of the two attacks in this 3rd Locky ransomware wave is presented as a scanned document emailed to you from your organization’s scanner/printer,” Comodo researchers said in a report scheduled to be released Thursday.
An advance copy of the report was provided to MSPmentor in an effort to distribute the information as soon as possible.
“Employees today scan original documents at the company scanner/printer and email them to themselves and others as a standard practice, so this malware-laden email looks quite innocent but is anything but harmless,” the report continues.
It adds: “One element of the sophistication here is that the email includes the scanner/printer model number that belongs to the Konica Minolta C224e, one of the most popular models among business scanner/printers, commonly used in European, South American, North American, Asian and other global markets.”
But the most intriguing hook of the cyber attack involves the way the hackers manage to evade anti-malware software.
“Machine learning algorithms need to extract the attachment, open the archive, extract the script and understand it has a malicious intent,” said Orhan, the Comodo research head. “But usually, these scripts contain just a download component and do not have malicious intent on their own.”
“That’s why even machine learning is not sufficient in making these kinds of detections,” he continued. “Complex solutions are needed to run the script dynamically, download actual payload, and perform malware analysis to conclude that it is phishing.”
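One defensive way to act on the gap Orhan describes, added here as an example and not code from Comodo or its report: a mail-gateway check that unpacks ZIP attachments, looks for script members, and pairs that with scanner/printer lure wording in the subject or body, so such messages are held for dynamic analysis instead of being trusted to a static score. The sample email, its subject and file names, and the script extension list are constructed assumptions.

```python
import io, os, re, zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
# Script types that, packed in an archive, usually hold only a download stage and so
# show no malicious content to a static classifier (assumed list, not from the report).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".cmd", ".bat"}
# Lure wording from the report: a "scanned document" from the office scanner/printer.
LURE_PATTERN = re.compile(r"\b(scan(ned)?|scanner|printer|copier)\b", re.IGNORECASE)
def scripts_in_archive(data: bytes) -> list:
    """Member names of a ZIP payload whose extension is a script type ([] if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if os.path.splitext(n)[1].lower() in SCRIPT_EXTENSIONS]
    except zipfile.BadZipFile:
        return []
def analyse_message(raw: bytes) -> dict:
    """Flag mail that pairs a scanner/printer lure with a script hidden in an archive."""
    msg = message_from_bytes(raw, policy=default)
    text = msg["Subject"] or ""
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += "\n" + body.get_content()
    lure = bool(LURE_PATTERN.search(text))
    archived_scripts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() == ".zip":
            members = scripts_in_archive(part.get_payload(decode=True))
            if members:
                archived_scripts[name] = members
    if archived_scripts and lure:
        verdict = "quarantine"  # hold for sandbox detonation rather than trusting static scoring
    elif archived_scripts:
        verdict = "review"      # archived script without the lure: still needs dynamic analysis
    else:
        verdict = "pass"
    return {"lure": lure, "archived_scripts": archived_scripts, "verdict": verdict}
def build_sample_email() -> bytes:
    """Constructed sample with the lure's shape; the .js member is an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Scan_20170918.js", "// inert placeholder standing in for a downloader stage\n")
    msg = EmailMessage()
    msg["Subject"] = "Message from KM_C224e"  # constructed subject echoing the model-number lure
    msg.set_content("Please find attached the scanned document from the office printer.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Scan_20170918.zip")
    return msg.as_bytes()
```

Running `analyse_message(build_sample_email())` yields a `quarantine` verdict, while a plain-text mail with no archive passes.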
Send tips and news to MSPmentorNews@Penton.com.