Game of Thrones isn’t just a global phenomenon for us non-criminal types—apparently winter is here on the Dark Web too. The most recent variant of the Locky ransomware uses personae from the global hit to add unpredictability to its ransomware delivery process.
“Global news, geopolitical happenings, and pop culture all influence the choices attackers make and how they express themselves in the qualitative elements of their attacks,” said Victor Cornell, researcher at PhishMe, in a blog. “The names given to variables, servers and files used in attacks are just a small subset of the ways that online criminals express themselves and, in the process, reveal a little bit about their preferences and personalities.”
Lightweight script applications designed to deliver malware often use rotating or pseudorandom variable names to ensure that the malware delivery tools look unique. No word on whether the Locky masterminds are in the Cersei or the Dany camp, but when examining the Visual Basic scripting used to deliver the Locky ransomware, researchers found that many of the variables (some misspelled) refer to characters and events from GoT, including Sansa Stark, John Snow and even “hold the door”.
The runtime for this script is indifferent to the variable names,” Cornell said. “The variable names could be anything, including completely random combinations of letters and numbers. However, the criminals responsible for this attack chose a distinctive theme for their variables, thereby revealing their interest in this pop-culture phenomenon.”
Phishing attacks are distinctive on the global threat landscape as an attack methodology that seeks to exploit the proclivities and behaviors of the people within an organization, he added.
While tidbits such as these may not completely change the tide in favor of security professionals, they serve as encouragement to consider attackers as humans. By humanizing attackers, network defenders can begin to deconstruct the tactics, techniques, and procedures they use and anticipate the ways those methodologies might evolve.
“It is only fitting that phishing threat actors would reveal their own tendencies and preferences as humans too,” said Brendan Griffin, threat intelligence manager at PhishMe, via email. “And this may actually help security professionals – by humanizing attackers, network defenders can begin to deconstruct the tactics, techniques, and procedures they use and anticipate the ways those methodologies might evolve.”
Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/