Happy New Year 2015 from Avast!

From our headquarters in Prague, Czech Republic to our offices in the USA, Germany, China, and South Korea, all of us at Avast Software wish you love, laughter, and peace in 2015. Looking back on 2014, we are grateful for the trust that our 220 million customers have placed in us. We thank you for […]

‘Worst virus ever’ POSTCARD hoax still circulating

During the Christmas holidays, my mother received this email from a well-meaning friend. Since her daughter works for the most trusted security company in the world, she immediately asked me about the authenticity of the message. Here’s the email: Subject: VIRUS COMING ! Hi All, PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS! You […]

Hackers claim Christmas day outage of Sony PlayStation and Microsoft’s Xbox networks

Earlier this month, as the Sony Entertainment breach was making headlines, Sony’s PlayStation Network (PSN) was knocked offline due to an alleged hacking attack. On Christmas morning, just as kids everywhere were unwrapping their new PlayStations and Xboxes, the PSN and Microsoft’s Xbox Live network were both disrupted, leading to speculation that they were once […]

Avast revisits the biggest threats of 2014

2014 has been an active year for cybercrime. Let’s start with the most recent and then take a look at some of the other important security events of the year. State-sponsored espionage We are ending the year with the most publicized and destructive hack of a major global company by another country – now identified […]

Mobile spyware makers are on shaky ground as the law begins to catch up with them

Mobile spyware authors market their products as legitimate, but the software’s secretive nature gives stalkers, thieves, and abusive partners the means to spy on their victims’ every move.

South Korea hit with banking malware using VPN connection

South Korean banks have been attacked by hackers again! This is not the first time we have reported malware that targets Korean banking customers. In the past, we wrote about Chinese threats against Korean Windows users, and last year we published a series of blog posts, Fake Korean bank applications for Android (part 1, part 2, part […]

Malicious links: Spammers change malware delivery tactics

Significant spike in malicious spam emails containing links, as attackers move away from attachments in their efforts to spread Downloader.Ponik and Downloader.Upatre.

Leave the tracking to the post office – not online advertising!

The holidays are here and many are opting to shop online for their holiday gifts, whether it’s to avoid the crowds or because time is running out. Online shopping is a convenient option, everything is almost guaranteed to be in stock, there are no lines and your purchase gets delivered to your doorstep. But, can […]

TorLocker ransomware variant designed to target Japanese users

New file-encrypting ransomware variant is the first to specifically target Japanese users.

Ransomware is nothing new to Japan. Symantec’s research has found that Japan ranks among the regions most affected by global ransomware attacks. However, no attacks specifically targeting Japanese users had ever been confirmed. That is, until now. In recent weeks, Symantec has observed a ransomware variant in the wild that was designed to target users who speak Japanese.

Figure 1. Ransomware attacks in November 2014 by region

The ransomware threat in question is a localized variant of TorLocker. The malware encrypts files with certain file extensions on the compromised computer and demands that the user pay in order to decrypt the files. Symantec has confirmed multiple variants of this particular Japanese ransomware threat.

TorLocker has been used in ransomware attacks around the world. The threat is part of an affiliate program, where the program’s operator gives participants the builder to create custom ransomware, access to the TorLocker control panel to track infections, and miscellaneous files to be used in conjunction with the malware. In return, the participants give a portion of the profit from the attack to the affiliate program’s operator.

Infection
The localized variant’s attacks on Japanese users have been carried out through compromised websites, typically ones that host blogs. However, it is also possible that the attacker is renting an exploit kit to automatically compromise victims’ computers by exploiting software vulnerabilities. In one case, a recently compromised site owned by a Japanese publishing company redirected traffic to several domains hosting the Rig exploit kit, which may ultimately have served the ransomware as a payload.

In another case in late November, a blog site was compromised to display a fake Adobe Flash Player installer page.

Figure 2. Fake Adobe Flash Player installer page

If the user clicks on the yellow install button, they are prompted to download and execute a setup file to install the plugin. However, the file does not carry the icon normally used by Flash Player installers, and it is not digitally signed either, which suggests that the installer is a phony.
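The missing digital signature is the check a user or help desk can actually perform before running a downloaded "installer". The PowerShell function below is an added example, not code from the Symantec post: it reads the file's Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet and only reports the file as trusted when the signature is valid and the signer's certificate subject contains the publisher you expect. The parameter names, the Downloads folder sweep and the 'Adobe' publisher string are assumptions chosen to match the fake Flash Player scenario.

```powershell
# Added example (not from the Symantec post): refuse to treat a downloaded
# "installer" as trustworthy unless it carries a valid Authenticode signature
# from the publisher you expect. $Path and $ExpectedPublisher are assumptions
# supplied by the caller; nothing here is specific to a real sample.

function Test-DownloadedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer certificate's Subject, e.g. the vendor name.
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'missing'; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Any status other than Valid (NotSigned, HashMismatch, NotTrusted, ...) means the
    # file cannot be tied to a publisher. The fake Flash installer in the post was unsigned,
    # so it would land here with Status = NotSigned.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path    = $Path
            Verdict = 'untrusted'
            Reason  = "signature status: $($sig.Status)"
        }
    }

    # A valid signature from the wrong party is still not the installer you wanted.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedPublisher*") {
        return [pscustomobject]@{
            Path    = $Path
            Verdict = 'untrusted'
            Reason  = "signed by '$subject', not by '$ExpectedPublisher'"
        }
    }

    return [pscustomobject]@{
        Path    = $Path
        Verdict = 'trusted'
        Reason  = "valid signature from '$subject'"
    }
}

# Usage (assumed paths): review every .exe that landed in the Downloads folder
# before any of it is run. 'Adobe' is the publisher expected for a Flash Player setup.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe |
    ForEach-Object { Test-DownloadedInstaller -Path $_.FullName -ExpectedPublisher 'Adobe' } |
    Format-Table -AutoSize
```

The publisher match is deliberately a substring test on the certificate subject rather than an exact string, because vendor subjects vary in their O= and CN= fields; tighten it to the exact subject (or the certificate thumbprint) once you know what your legitimate installers carry. A Valid status alone is not enough, since attackers can sign with certificates issued to someone else.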

Figure 3. Icon of the installer downloaded from the fake Flash Player page

Once the setup file is executed, it does not install Flash Player. Instead, it encrypts certain files and displays a message in Japanese in a pop-up window, stating that the computer has been locked. The message then asks the user to pay in order to unlock their files. The demanded ransom ranges from 40,000 yen to 300,000 yen (approximately US$500 to US$3,600).

Figure 4. Pop-up window of the TorLocker ransomware variant targeting Japanese-speaking users

Stay protected
Japan is approaching its week-long New Year holiday. The long break is a perfect opportunity for the attacker to run this campaign, as many users will likely be surfing the internet during their time off. Symantec has the following recommendations to avoid or mitigate ransomware infections:

  • Update the software, operating system, and browser plugins on your computer to prevent attackers from exploiting known vulnerabilities.
  • Use comprehensive security software, such as Norton Security, to protect yourself from cybercriminals.
  • Regularly back up any files stored on your computer. If your computer has been compromised with ransomware, then these files can be restored once the malware is removed from the computer.
  • Never pay the ransom. There’s no guarantee that the attacker will decrypt the files as promised once they receive payment.

Symantec and Norton products detect all of the ransomware variants discussed in this blog as Trojan.Cryptlocker.