The CyberWire Daily Podcast 6.27.16
Ep 129 | 6.27.16

Ransomware: MIRCOP, Cerber, CryptXXX, Bart, TeslaCrypt (& the #95 car). Intel selling security unit?


Dave Bittner: [00:00:03:18] Ransomware hits NASCAR, and new variants of CryptX, MIRCOP, Cerber, Locky and Bart are reported. Some are describing the current wave as a global epidemic. Point-of-sale malware and checkout skimmers continue to bother the retail and hospitality sectors. Brexit watchers foresee a surge in Berlin's startup ecosystem. Intel is rumored to be exploring the sale of its security unit. Observers think the DNC was hacked by Russian intelligence, and speculation moves on to wonder what the Russians want to do with the US election. More DNC documents, by the way, are expected soon via Wikileaks.

Dave Bittner: [00:00:42:20] I want to take a moment to thank our sponsor E8 Security and remind you to visit To check out their free white paper, Detect, Hunt, Respond. It's going to give you the information you need to deal with the unknown threats in your network. The threats no one has ever seen before. E8 is going beyond legacy signature matching and human watch standing and they're hunting for these unknown threats, with machine learning and big data analytics. See what E8 has to say. Download the free white paper at We want to thank E8 for sponsoring the CyberWire.

Dave Bittner: [00:01:26:10] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday June 27th, 2016. Most of the hacking news to emerge over the weekend involves developments in ransomware. Circle Sport-Levine Family Racing, which races on the NASCAR circuit, revealed that in April they were hit with TeslaCrypt. The attack would have interfered with the Number 95 car’s competition in the Duck Commander 500, and so the company paid the $500 ransom to restore their files. Malwarebytes has since helped remediate the attack, and we now see the big M-for-Malwarebytes on the hood of Number 95.

Dave Bittner: [00:02:02:12] SentinelOne reports seeing a new CryptX variant—the malicious code as revised now defeats the free decryption tools that had worked against earlier versions.

Dave Bittner: [00:02:11:11] Avanan this morning released details on a Cerber email phishing campaign that has been discovered targeting Office 365 users. Microsoft began blocking malicious traffic last Thursday, and - as always - users should look to their backups and keep their patching up-to-date.

Dave Bittner: [00:02:27:11] Trend Micro notes some oddly self-righteous behavior from MIRCOP. The ransomware come with a Guy-Fawkes-mask bedizened screen, and it accuses victims of having stolen from what Trend Micro primly calls “a notorious hacktivist group.” The ransom demand is a very steep 48.48 Bitcoin. This is almost $29,000 at current rates, comparable to the higher end of the healthcare ransomware demands seen earlier this year. MIRCOP gives the victim a Bitcoin address and tells them to pay up. That’s it. The extortionists assume you’re familiar with Bitcoin transactions, and they don’t bother with the more detailed payment instructions most ransomware masters use. It goes without saying that the victims haven’t, in fact, stolen anything from the hacktivist-group-without-a-name. But the accusation seems intended to make the threat scarier, although whether it proves scary enough to induce people to cough up $29k remains to be seen. Perhaps the hacktivists over at Anonymous will look into this appropriation of the Guy Fawkes mask.

Dave Bittner: [00:03:28:15] We’ve seen the return of the Necurs botnet, back from this month’s temporary pause. AppRiver reports having seen Locky being distributed by the bots, and speculates that Necurs’ masters are preparing for a large-scale criminal campaign.

Dave Bittner: [00:03:44:05] Phishme warns of a new Locky sibling out and active in the wild. “Bart,” as they’re calling it, uses the same downloader as Locky - RockLoader - but unlike Locky, doesn’t depend on command-and-control for encryption or payment. Instead it stores files in password-protected zip files, and it uses a victim identifier and a Tor connection to facilitate payment. Its ransom demands are also higher than Locky’s - typically 3 Bitcoin, about $2000. Phishme does have some mitigation tools available.

Dave Bittner: [00:04:14:11] Kaspersky looks at these incidents and others and calls a global ransomware epidemic - we imagine that would be a pandemic. In any case, ransomware appears to be working, which is why it will continue to draw cyberspace’s Willie Suttons; that’s where the money is.

Dave Bittner: [00:04:28:09] As always, take precautions by backing up your data and avoiding reuse of passwords. We heard from the Johns Hopkins University’s Joe Carrigan about good password practices. We'll hear from him after the break.

Dave Bittner: [00:04:41:22] The prevalence of ransomware shouldn't induce us to forget the persistence of other forms of cyber-crime. Point-of-sale attacks continue, and one self-checkout vendor, Ingenico, offers a helpful side-by side comparison of real self-checkout card readers with bogus skimmers. KrebsOnSecurity has the photos up on his website, but the short take is this: the criminals’ skimmers are wider than the real terminals. They have to be in order to accommodate the skimmer within the plastic overlay.

Dave Bittner: [00:05:10:14] PandaLabs says it’s found about two hundred terminals infected with the PunkeyPOS. The malware’s known to have been in the wild since the spring of 2015, and it underwent an upgrade in April of this year. Most of the affected systems are in US restaurants and bars.

Dave Bittner: [00:05:25:03] Other, non-ransomware vulnerabilities and exploits are also being reported. Ben-Gurion University of the Negev’s Cyber Security Research Center and Telekom Innovation Laboratories in Berlin report that a flaw in Widevine EME/CDM enables viewers to bypass protections on content streamed through Chrome.

Dave Bittner: [00:05:46:15] Other researchers are discussing some obfuscated JavaScript malware - a Facebook comment tagging scam - being distributed through Chrome. And the scary-sounding Android exploit “Godless” now strikes many observers as less dangerous than initially thought. Users in India, however, ought to be on their guard - the malware seems endemic there. In industry news, as analysts and investors continue to think through the implications of last week’s Brexit vote, there’s little consensus as of yet. But a number of people think Europe’s tech startup center-of-gravity is likely to move to Berlin over the next couple of years.

Dave Bittner: [00:05:55:04] And the scary-sounding Android exploit “Godless” now strikes many observers as less dangerous than initially thought. Users in India, however, ought to be on their guard - the malware seems endemic there.

Dave Bittner: [00:06:07:13] In industry news, as analysts and investors continue to think through the implications of last week’s Brexit vote, there’s little consensus as of yet. But a number of people think Europe’s tech startup center-of-gravity is likely to move to Berlin over the next couple of years.

Dave Bittner: [00:06:21:01] Intel is rumored to be in talks with bankers to arrange the sale of its security unit. Intel Security was formerly known as McAfee, and it’s retained that name for some of its offerings.

Dave Bittner: [00:06:34:06] Last week’s talks about revisions to the Wassenaar cyber arms control agreement are reported to have developed in a more industry-friendly direction. Industry skepticism about the very possibility of controlling software exports remain however and we'll be following developments closely.

Dave Bittner: [00:06:49:04] Finally, at this point, few people are buying Guccifer 2.0’s claims to be a disinterested hacktivist who doesn’t much like Russians. The emerging consensus is that the DNC hack was indeed the work of Russian intelligence services (despite a flat Kremlin denial of involvement that goes beyond the non-denial denial issued by Russia’s embassy in Washington last week). SecureWorks says that Fancy Bear (that is, probably, the GRU) has also been prospecting military spouses looking for leads on US military deployments and operations. It’s also been looking into journalists critical of Russia and “activists” of unspecified but presumably unfriendly interests. Much speculation circulates that President Putin wishes to influence US elections. Did we mention that this is speculation? It's speculation. More stolen documents are expected soon via Wikileaks, so stay tuned.

Dave Bittner: [00:07:48:12] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at

Dave Bittner: [00:08:12:09] Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, we've seen in many of these recent large scale, high profile, hacking cases where gobs of passwords have been released out into the public that people are still re-using their passwords across multiple services. This is a bad idea for a lot of reasons.

Joe Carrigan: [00:08:34:17] Right. A lot of times people reuse passwords for the sake of convenience and they might even use the same passwords on all the sites they access. It's a profoundly bad idea because even if your provider gets breaches, which happen all over the place. We see that happen every day. We hear about it all the time. Or even if your password is salted and hashed, and you're using a password that can be guessed or eventually is guessed, if you're using that on all your sites, for example your email site where that information may have also been leaked, well then guess what? Now your email account is also compromised.

Dave Bittner: [00:09:09:06] And yet people continue to do this and I think the reason is, is that it's easy, it's convenient and strong passwords can be hard to remember.

Joe Carrigan: [00:09:15:11] Absolutely, strong passwords are hard to remember. And as I've said before on this podcast and to many other people, I use a password manager to do that. I remember one very long password and I don't remember any other ones and all of my passwords to access any of these sites are all different, random 20-character passwords.

Dave Bittner: [00:09:37:14] But I think it's that extra step that gets in the way for people.

Joe Carrigan: [00:09:39:10] It is the extra step and even as I'm sitting here advocating for this, I'm telling you this and I'm thinking to myself, every time I need to log in to one of my accounts, I, ugh! I sigh and I go, there's a part of me that says I have to enter that password, I'm gonna mistype it at least twice. I know it's gonna take some time. And then there's another side of me that goes, hey shut up! You need to do this because this is what makes your password secure and keeps all the money from disappearing from your bank accounts.

Dave Bittner: [00:10:06:04] Yeah, it's important stuff. Alright, Joe Carrigan, once again thanks for joining us.

Joe Carrigan: [00:10:10:09] My pleasure.

Dave Bittner: [00:10:11:11] And that's the CyberWire. If you enjoy our daily look at cyber security news, we hope you'll help spread the word and tell your friends about our show. Our editor is John Petrik and I'm Dave Bittner. Thanks for listening.