cuteRansomware Signals a Malicious Move to the Cloud

A newly uncovered strain of malware called cuteRansomware uses a Google Doc to host the decryption key and its command-and-control functionality.

The Netskope research team first flagged the malware after noticing that a GitHub user, “aaaddress1,” had published source code for a C#-based ransomware module called “my-Little-Ransomware.” A security researcher at AVG had independently spotted a malicious, modified Chinese version of my-Little-Ransomware and dubbed it “cuteRansomware,” after the mutex name used by the original author.

Although cuteRansomware appears to be basic ransomware built by modifying the my-Little-Ransomware source code, its use of cloud services like Google Docs may signal attackers’ intention to rely on cloud services more heavily in the future, abusing them not only to store keys but also for command-and-control (C&C) communications.

“As we know, Google Docs uses HTTPS by default and the network data transmission over SSL can easily bypass traditional security solutions such as a firewall, intrusion prevention system, or next generation firewall,” Netskope said in an analysis. “We believe this is critical. As malicious actors make increasing use of the cloud for both delivering malware and exfiltrating data via command-and-control, traditional detection tools’ lack of visibility into SSL becomes a huge benefit to them. Additionally, the inability of traditional tools to look into SSL traffic of unsanctioned apps becomes important.”

Moreover, the use of a popular cloud app like Google Docs presents another challenge. For organizations using Google Docs as a productivity tool, it’s virtually impossible to block it outright.
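Because Google Docs cannot simply be blocked, defenders need finer-grained signals inside the allowed traffic. The following is an added example, not code from the article, Netskope or Tripwire: it runs a simple heuristic over constructed TLS-inspecting proxy log lines and flags Google Forms submissions that do not come from a browser. The log format, the hypothetical form id `FORMID_PLACEHOLDER`, and the assumption that an employee reaches Docs through a browser while a ransomware sample uses a programmatic HTTP client with no browser user agent are all assumptions made for this example.

```python
"""
Flag Google Docs / Forms traffic that does not look like a person in a browser.

Added example (not from the article). Assumes a TLS-inspecting proxy log with
the fields: timestamp, client IP, method, host, path, and a quoted user agent.
Heuristic (an assumption, not a documented indicator): a form submission to a
Google Forms endpoint from a client with no browser-style user agent is worth
an analyst's attention, since ransomware posting keys to a form is described in
the article as using a Google form, and such code rarely mimics a browser.
"""
import re
from collections import Counter

# Host the article describes as abused; extend to other Google endpoints as needed.
WATCHED_HOSTS = {"docs.google.com"}

# Google Forms submit endpoint: /forms/d/<id>/formResponse or /forms/d/e/<id>/formResponse
FORM_SUBMIT_RE = re.compile(r"^/forms/d/(?:e/)?[^/]+/formResponse$")

# Substrings present in the user agents of mainstream browsers.
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/", "Edge/")

# timestamp src method host path "user agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample log lines; FORMID_PLACEHOLDER stands in for a real form id.
SAMPLE_LOG = """\
2016-07-14T09:12:01Z 10.0.0.15 GET docs.google.com /document/d/1abc/edit "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0 Safari/537.36"
2016-07-14T09:12:44Z 10.0.0.23 POST docs.google.com /forms/d/e/FORMID_PLACEHOLDER/formResponse "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0 Safari/537.36"
2016-07-14T09:13:02Z 10.0.0.42 GET docs.google.com /forms/d/e/FORMID_PLACEHOLDER/viewform ""
2016-07-14T09:13:05Z 10.0.0.42 POST docs.google.com /forms/d/e/FORMID_PLACEHOLDER/formResponse ""
2016-07-14T09:14:00Z 10.0.0.42 GET www.example.com /index.html ""
"""


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, path, ua = m.groups()
    return {"ts": ts, "src": src, "method": method, "host": host, "path": path, "ua": ua}


def is_browser(ua):
    """Crude check: does the user agent carry any mainstream browser marker?"""
    return any(marker in ua for marker in BROWSER_UA_MARKERS)


def classify(rec):
    """Return a reason string if the record is suspicious, else None."""
    if rec["host"] not in WATCHED_HOSTS:
        return None
    if is_browser(rec["ua"]):
        return None  # ordinary productivity use; nothing to flag
    if rec["method"] == "POST" and FORM_SUBMIT_RE.match(rec["path"]):
        return "non-browser form submission"
    return "non-browser client"


def find_suspicious(lines):
    """Run the heuristic over log lines; returns (src, reason, path) tuples in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the pipeline
        reason = classify(rec)
        if reason:
            hits.append((rec["src"], reason, rec["path"]))
    return hits


def hits_by_source(hits):
    """Count flagged events per client IP so the noisiest hosts surface first."""
    return Counter(src for src, _, _ in hits)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG.splitlines())
    for src, reason, path in found:
        print(f"{src}\t{reason}\t{path}")
    print(hits_by_source(found))
```

The heuristic is deliberately narrow: it only looks at a host the organization has sanctioned and only at clients that do not present a browser user agent, so it produces a short review list rather than a block rule. It presumes the proxy can see the HTTP path and user agent inside the TLS session, which is exactly the visibility the Netskope quote says traditional tools lack.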

“What makes cuteRansomware interesting is the use of a well-known cloud service provider as the command and control server,” said Travis Smith, senior security research engineer at Tripwire, via email. “This instance is using Google Docs to maintain the encryption and decryption keys for each victim. While unique, hosting the keys on Google Docs is a short-term solution. Once Google is notified, it’s likely the form controlling the keys will be taken offline.”

As with any piece of ransomware, it’s important to follow best practices.

“This highlights the importance of detecting malware in cloud apps, and not just in the sanctioned ones, but the unsanctioned ones as well,” the Netskope team said. “It also highlights the importance of anticipating such an attack by identifying where your sensitive content is in the cloud and ensuring that you have backups of those important files.”
