Maher, Iran's Computer Emergency Response Team Coordination Center (CERTCC), has warned that 'Tyrant' ransomware is being distributed in the country via a compromised VPN app.
A modified version of the Psiphon VPN client app is being used to spread the ransomware infection, a variant of the DUMB code first seen back in January of this year.
The Farsi language ransom demand asks for just US$ 15 (£11) via either exchanging.ir or webmoney724.ir. There could be good reason for the ransom bar being set so low, if the Iran CERTCC alert
is anything to go by. As well as the encryption itself not always managing to encrypt anything, the alert reveals that "despite the fact that there are many changes in the victim's system registry, it is not able to maintain its functionality after rebooting the system."
According to someone claiming to be the author of the DUMB ransomware code it is based upon, AlphaDelta, should come as no surprise. "The fact that people are actually unironically using DUMB as a base for their ransomware is, well, pretty DUMB. It's not meant to be something workable into a legitimate ransomware" AlphaDelta said
in response to news of the alert.
Marco Cova, a senior security researcher at Lastline, said that it's "not surprising that users looking for security and privacy software are targeted; several years ago we observed similar attacks in the form of malware pretending to be anti-virus tools."
Pascal Geenens, Radware EMEA security evangelist, told SC Media UK that it isn't the first time he has seen VPN services containing malvertising or malware. "In Jan 2017 the CSIRO, University of South Wales and UC Berkley studied 234 VPN apps on the Google Play Store" Geenens explains "more than one third were found to be tracking users through malvertising or malware. In addition, 18 percent didn't even encrypt internet traffic."
Charl van der Walt, chief security strategy officer at SecureData, added that somewhere along the journey of commoditising VPNs the true value and purpose has seemingly been forgotten by some. "VPNs are now often seen by the enterprise and individuals alike as a catch-all security system that offers everything from confidentiality, anonymity and access control" van der Walt warns "essentially, they are used just enough to be dangerous."
The modified Psiphon apps spreading the Tyrant ransomware appears to be a new development, as far as Lee Munson, security researcher at Comparitech.com, is concerned. He insists it poses a risk to the enterprise if remote users are allowed to employ any VPN client of their choice. "Security-minded companies will not allow such an approach to remote connections" Munson told SC Media UK, concluding "instead they will provide one single universally-approved corporate VPN solution." As long as that solution is tested, updated and patched on a regular basis, the risk posed by VPN-based malware should remain low.
However, as Vince Warrington, founder of Protective Intelligence, pointed out to SC, the concern is that it takes previously trusted software, which the enterprise may well have advised their staff to use, and turns it into a means to deliver malware. This, Warrington says "fundamentally breaks the trust between the user and the IT department" and that trust will be "difficult to rebuild."