Simplocker Gonna Get'cha

by lg0p89

Just like sharks smelling blood in the water, the fraudsters will always be around when there is money to be had.

This will continue to be a problem as long as consumers are click happy and don't Stop-Think-Connect (does that look familiar?).  People click, either at home - or much worse at work - on a link they think is legitimate.  Suddenly, and too late, they realize this was a fraudulent site.  As a result of their misfeasance, the person is told to pay a certain amount.  They can only hope they are given the correct key to decrypt their drive(s) and are once again able to access their information.

As we get more accustomed to one form of this, it always seems to generate slight variations to be released into the native environment.  More ransomware has been in the news lately as this has occurred yet again.

The esteemed researchers at ESET have found the newest variation of ransomware that is beginning to run rampant.  It was coded for the Android OS and has been titled Simplocker.

Business Model

Too often, we limit our thoughts of ransomware and other assorted malware as simply a few knuckleheads trying to get a few dollars and move along.

This may occur in a limited portion of the instances.  However, there has been a change in thought and operations.  To have a clearer view of the motivation, one needs to remove the thought of the criminal aspect and look instead at the business aspect.  To the fraudsters, this is not right or wrong, moral versus immoral.  This is a business with a mission statement that boils down to their goal of bringing in more revenue.

Originally this started as Russian malware.

The "uh-oh" message was in Russian and the ransom had to be paid in Russian rubles or Ukrainian hryvnias.  The deviants, as the good business people they are, did not want to limit their target market.  This, after all, would be a poor business decision.  Think of it as if you were a retailer, for example.  Would you limit your business model to only Arkansas, or would you expand to other states and countries?  The natural and clear rationale was to expand.

As long as there is a market for the product (although this is unlawful) and the delivery channel is present, this is a natural progression.  The management of these people followed this same model and expanded their market.  It has moved to English speaking countries.  The notification has been changed to English and the ransom is now in U.S. dollars.

How it Works (To Your Detriment)

Once this precious piece of malware is loaded, it gains admin privileges.

It then shows the infamous ransom message on the screen.  This states, among other things, that your device is locked due to your illegal activities with the phone.  To unlock your precious device, you have to pay a certain amount, which so far has been up to $300.  It may even attach a photo of the user to the message, as taken by the phone's camera, à la Remote Administration Tool (RAT).  Once the user sees the picture of themselves holding the phone, they usually feel their stomach fall nine inches.

Another feature differentiating this malware and making it more fun to work with is that it encrypts compressed files on the SD card.  It uses AES for the encryption.  It is notable in that the attack itself is complex, yet the encryption is not.  It would seem prudent to use more robust encryption; however, this is adequate for their purpose.  It was also coded to gather information on the device itself, including but not limited to the model, operating system, and manufacturer.  This information is returned to the C&C server.  The curious part is that malware of this type generally does not collect such data.  The coders are generally more concerned with the money or ransom and how to get that into their account.

Resolving the Issue

The quick and relatively painless resolution to this stressful situation would be for the user to quickly uninstall the malware.  The issue here is that the malware loads too quickly to do this.

The user can simply pay them and hope they are given the correct key to decrypt.  If not, they are out of luck and $300.  As a rule of thumb, it is strongly advised not to do this.  This may be the quickest method, in theory, to regain access to your data.  However, quick is not always good.  If the user ends up paying, they will be on the list for others to try to infect, as the fraudsters will know the user has a disposition to pay to make the problem go away.  They may also not send the correct key "by mistake" and demand another payment or two in order to send the "correct" info to decrypt.

ESET has a decryption tool available that would be helpful.  Also, the user could restore from the last backup and recreate the files worked on in the interim.
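The two technical points above, that the malware encrypts compressed files on the SD card and that the sane recovery path is the last backup rather than the ransom, suggest a small triage check a user or admin can run over a mounted card.  The script below is an added example, not code from the article, from ESET, or from the malware; it assumes the archives of interest are ZIP, gzip and 7z (those signatures are real, the choice of set is mine), and the file names and bytes it creates are constructed for the demonstration.  The point it makes is that entropy alone cannot catch an encrypted archive, because a compressed file is already high-entropy; the missing format header is the tell.

```python
# Added example (not from the article or ESET): defender-side triage of a
# storage root for compressed archives whose bytes no longer match their
# format's signature, which is what AES-encrypted copies of ZIP/GZIP files
# look like. All paths, names and sample bytes below are constructed.
import math
import os
import random
import tempfile
import zipfile
from collections import Counter

# Real magic bytes; limiting the scan to these three formats is an assumption.
MAGIC = {
    ".zip": b"PK\x03\x04",
    ".gz": b"\x1f\x8b",
    ".7z": b"7z\xbc\xaf\x27\x1c",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 is the ceiling for uniform random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def classify(path: str) -> str:
    """'ok' if the header matches the extension, 'suspect' if the header is gone
    but the content is still high-entropy (encrypted), 'damaged' if the header
    is gone and the content is low-entropy (zeroed/truncated), 'unknown' otherwise."""
    ext = os.path.splitext(path)[1].lower()
    sig = MAGIC.get(ext)
    if sig is None:
        return "unknown"
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(sig):
        return "ok"
    # Compressed data is already near 8 bits/byte, so entropy cannot separate
    # "still a ZIP" from "AES output"; only the header can. Entropy is used
    # here just to tell encrypted from merely corrupted.
    return "suspect" if shannon_entropy(head) > 7.0 else "damaged"

def scan_tree(root: str) -> dict:
    """Walk a storage root and return {relative_path: verdict} for known archives."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify(full)
            if verdict != "unknown":
                results[os.path.relpath(full, root)] = verdict
    return results

def restore_plan(results: dict, backup_root: str) -> dict:
    """For each suspect or damaged file, point at an intact copy in the last
    backup (the recovery route the article recommends) or None if there is none."""
    plan = {}
    for rel, verdict in results.items():
        if verdict == "ok":
            continue
        candidate = os.path.join(backup_root, rel)
        plan[rel] = candidate if os.path.isfile(candidate) and classify(candidate) == "ok" else None
    return plan

def build_demo():
    """Constructed sample tree: one intact archive, one whose bytes look
    encrypted, one zeroed out, one non-archive, plus a backup of the encrypted one."""
    root = tempfile.mkdtemp(prefix="sdcard_")
    backup = tempfile.mkdtemp(prefix="backup_")
    with zipfile.ZipFile(os.path.join(root, "photos.zip"), "w") as zf:
        zf.writestr("note.txt", "holiday pictures")
    rng = random.Random(0)  # seeded so the demo is deterministic
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    with open(os.path.join(root, "taxes.zip"), "wb") as fh:
        fh.write(noise)          # header gone, uniformly random: looks encrypted
    with open(os.path.join(root, "old.gz"), "wb") as fh:
        fh.write(b"\x00" * 512)  # header gone, low entropy: just damaged
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("not an archive")
    with zipfile.ZipFile(os.path.join(backup, "taxes.zip"), "w") as zf:
        zf.writestr("2013.csv", "income,tax\n")
    return root, backup

if __name__ == "__main__":
    sd, bak = build_demo()
    verdicts = scan_tree(sd)
    for rel, v in sorted(verdicts.items()):
        print(f"{v:8} {rel}")
    for rel, src in restore_plan(verdicts, bak).items():
        print(f"restore {rel}: {'from ' + src if src else 'NO BACKUP'}")
```

Run against a real card, `scan_tree` is pointed at the mount point and `restore_plan` at the most recent backup; files that come back `suspect` with no backup copy are the ones where only a vendor decryptor or the interim recreation the article mentions will help.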

Ongoing Issue

With this malware, there is easy money involved.

All they have to do is send out their hundreds of thousands of automated emails to get someone to click.  People do click on these.  Although this number is not significant, it is money they don't have to do anything to earn.  The users and business devices will continue to be targeted.  The process will change ever so slightly as one attack is recognized and its definition placed in the anti-virus dictionary.  It may be modified enough so it is not recognized as malware for the latest version.  To decrease the user's headache and pressure in the chest after they see the ransomware message, the user needs to review what they want to click prior to doing it.

If not, there will be yet more pain coming down the pipeline.
