Trustwave and Forcepoint are tracking the evolution of Carbanak through the gang's use of legitimate Google services. They're also following Carbanak's expansion of its target set from financial services to the retail and hospitality sectors.
There's a fair amount of extortion news at week's end. Ransomware criminals who've been hitting Elasticsearch and MongoDB databases have begun to devote similar attention to CouchDB and Hadoop. The tools for attacking MongoDB and Elasticsearch, as well as a list of vulnerable installations, are now being sold by "Kraken0" on the black market for about $500. Elsewhere in the criminal souks, Satan ransomware-as-a-service is being offered to criminals who lack the time, resources, or technical chops to come up with their own attacks. The service offers a wizard to walk aspiring crimelords through the process. (Bleeping Computer has the details through researcher "Xylitol.")
Fortinet has discovered a new strain of Android ransomware that targets Russian-speaking users. It's unusual in at least two respects. First, its demand is very large—₽545,000, or about $9,100—at least an order of magnitude more than the cost of the Android devices whose screens it locks. Second, it asks for payment by credit card as opposed to the customary cryptocurrency.
Locky ransomware makes a minor comeback, but may be on its way to supersession by Spora.
An unusually repellent extortion attack hits the Indiana cancer services not-for-profit Red Door. Back your files up.
There's apparently some big event going on about forty miles south of us today. What'd we miss?