A new Koler ransomware campaign targeting U.S. users.
A new Koler ransomware campaign targeting U.S. users.

A new variant of the Koler ransomware targets U.S. users with fake Pornhub apps in its latest campaign, Bleeping Computer researchers discovered last week.

The latest campaign is only aimed at the U.S. while previous versions came with support for geo-targeting to display ransom notes in different languages based on a user's location, according to a June 24 blog post. 

Like many similar attacks, users are drawn in by visiting suspicious adult themed sites and are instructed to download the phony apps under the promise of adult content. Once downloaded, the malware uses clickjacking to hijack the user's tap to grant itself admin rights.

Koler then used the admin-level access to overlay its ransom note, disguised to look like and FBI warning of suspicious files on the user's computer, on top of the user's screen. Researcher said the screen lock can only be removed by booting the device in Safe Mode, removing the ransomware's user from the admin group and then uninstalling the fake app.

While it may be easy for security researchers to easily dismiss these type of attacks since people should know better than to download from shady sources, it's important for them to keep these attacks in perspective, Minerva Vice President of Products Lenny Zeltser told SC Media.

“Yes, one should not install any mobile app from an authorized app store,” Zeltser said. “However, let's remember that most non-techies don't understand the difference between one app store and another, and cannot distinguish between a legitimate and a malicious program.”

He said it instead would be more productive to consider how the security configuration of the endpoints can be strengthened to make it harder for people to damage their systems and establishing security controls that keep malware at bay without interfering with normal activities.

“The success of ransomware such as Koler, despite all the warnings not to click on untrusted links or download apps from untrusted sources, hinges on two main issues: that it only takes a small percentage of successes for the attack to be profitable for the attacker, and most users in the United States, especially, are less concerned about the potential damages,” AsTech Chief Security Strategist Nathan Wenzler told SC Media.

Many users ignore the real risks and liabilities that come with downloading apps or clicking on malicious links either because they don't care enough about what they store on their systems, or they see the potential upside (in this case, access to their PornHub accounts and content) outweighing whatever damage may be done, Wenzler added.

“Ransomware campaigns have employed techniques to evade traditional security defenses making it what can only be described as an arms race,” Acalvio Senior Director Abhishek Singh told SC Media. “There are estimates that the total damages due to ransomware will reach approximately $5 billion in 2017.”

Singh said it will be important for organizations to utilize a deception-centric solution to detect ransomware and its inherent advantages over traditional detection solutions.