‘Cute’ ransomware strain that hides in Google Docs could attack users from any cloud-based system
After being distributed to the PCs of unsuspecting victims via drive-by downloads, cuteRansomware uses a Google Docs form to relay details to the attacker, including RSA encryption keys and the name of the victim’s computer.
“Google Docs uses HTTPS by default and the network data transmission over SSL can easily bypass traditional security solutions, such as a firewall, intrusion prevention system, or next generation firewall,” explained Netskope’s Umesh Wanve in a blog post. “As malicious actors make increasing use of the cloud for both delivering malware and exfiltrating data via command-and-control, traditional detection tools’ lack of visibility into SSL becomes a huge benefit to them.
“Moreover, the use of popular cloud apps, like Google Docs, presents another challenge. For organisations using Google Docs as a productivity tool, it’s virtually impossible to block it outright. To prevent this ransomware from using Google Docs, you need to be able to selectively block the specific app instance associated with this ransomware while allowing your sanctioned instance of Google Docs to continue working.”
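Netskope’s point is that the exfiltration rides inside an ordinary HTTPS session to an app the organisation already trusts, so a defender needs both TLS inspection to see the request path at all and a control keyed on the app instance rather than the domain. The script below is an added example, not code from Netskope or from this article: it scans constructed, already-decrypted proxy log lines and flags POSTs to the Google Forms submit endpoint whose form ID is not on a sanctioned allow-list, or whose client is not one of the organisation’s browsers. The log format, host names, form IDs and user agents are all invented for the example; the `/forms/d/e/<id>/formResponse` path shape is the real Google Forms submit path.

```python
"""Flag suspicious Google Forms submissions in decrypted proxy logs.

Added example, not Netskope's or the article's code. Assumes a forward
proxy with TLS inspection that writes one line per HTTP request in the
constructed format below: timestamp, source host, method, host+path,
status, bytes, quoted user agent. Log lines and form IDs are invented.
"""
import re
from dataclasses import dataclass

# Real shape of the Google Forms submit path; the form IDs below are made up.
FORM_SUBMIT = re.compile(r"^/forms/d/e/(?P<form_id>[A-Za-z0-9_-]+)/formResponse$")

# Forms the organisation actually uses (hypothetical IDs): the "sanctioned
# instance" that must keep working while everything else is blocked.
SANCTIONED_FORMS = {"1FAIpQLSe-sanctioned-hr-survey"}

# User-agent prefixes of the browsers the organisation deploys; a form
# submitted by anything else was not a person filling it in.
BROWSER_UA = ("Mozilla/",)

LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) '
    r'(?P<host>[^\s/]+)(?P<path>/\S*) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    # Employee submitting the sanctioned HR survey from a browser: quiet.
    '2016-07-18T09:12:01Z ws-0142 POST docs.google.com/forms/d/e/'
    '1FAIpQLSe-sanctioned-hr-survey/formResponse 200 512 '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/51.0"',
    # Ordinary document fetch: not a form submit, ignored.
    '2016-07-18T09:12:05Z ws-0142 GET docs.google.com/document/d/abc/edit '
    '200 20480 "Mozilla/5.0 (Windows NT 10.0) Chrome/51.0"',
    # Headless client posting to an unknown form with no user agent: both
    # checks fire. This is the pattern a form-based C2 channel would leave.
    '2016-07-18T09:13:44Z ws-0077 POST docs.google.com/forms/d/e/'
    '1FAIpQLSd-unknown-form-0001/formResponse 200 2048 ""',
]


@dataclass
class Finding:
    ts: str
    src: str
    form_id: str
    reason: str


def parse(line):
    """Split one log line into fields, or return None if it does not fit."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def check(rec):
    """Return findings for one parsed request; empty list if it looks benign."""
    if rec["method"] != "POST" or rec["host"] != "docs.google.com":
        return []
    m = FORM_SUBMIT.match(rec["path"])
    if not m:
        return []
    form_id = m.group("form_id")
    reasons = []
    if form_id not in SANCTIONED_FORMS:
        reasons.append("unsanctioned form instance")
    if not rec["ua"].startswith(BROWSER_UA):
        reasons.append("non-browser client")
    return [Finding(rec["ts"], rec["src"], form_id, r) for r in reasons]


def scan(lines):
    """Run check() over every parseable log line and collect the findings."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec:
            findings.extend(check(rec))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} form={f.form_id}: {f.reason}")
```

Without TLS inspection the proxy sees only the server name, so the `form_id` check cannot run at all and `docs.google.com` looks identical whether a person or a piece of malware is talking to it; that is exactly the visibility gap the quote describes, and why a plain domain allow-list cannot separate the sanctioned instance from the attacker’s.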
The firm notes that cuteRansomware appears to be a modified version of another malware package named ‘My-Little-Ransomware’. This variant, which reportedly originates from China, is based on similar source code, but targets a smaller range of document types including .bmp, .png, .jpg, .zip, .txt, .pdf, .pptx, .docx, .py, .cpp, .pcap, .enc, .pem, and .csr.
Is any cloud-based system safe from ransomware?
More worryingly, Netskope also believes that any cloud-based system could be substituted for Google’s productivity suite, with Microsoft Office 365 targeted months earlier. According to Wanve, “traditional detection tools’ lack of visibility into SSL becomes a huge benefit” to attackers who use cloud platforms as a channel for command-and-control and data collection.
Netskope later explained to SCMagazine that ‘cuteRansomware’ appears to be primarily aimed at Chinese users and is “rather rudimentary in design”. Regardless, its use of cloud-based systems forms yet another incarnation of malware designed to hold people’s data hostage for money.
In June, Martin Lee, the technical lead of Cisco’s Talos Security Intelligence and Research Group, told IBTimes UK that malware is “taking kidnap and moving it into the 21st century.” He explained that while victims should not give in to any demands, the “temptation is always there. It’s that temptation and that change to the cybercrime model which is leading to [an] evolution in ransomware.”