ShurL0ckr, a variant of Godjue, eludes the built-in malware protection of cloud platforms.

A new strain of Godjue ransomware, dubbed ShurL0ckr, eludes the built-in malware protection of the cloud platforms Google Drive and Microsoft Office 365, researchers at Bitglass have found.

And in tests using VirusTotal, the malware was detected by only seven percent of AV engines.

ShurL0ckr, discovered by Bitglass and Cylance (the latter's AV engine successfully detected it), is a ransomware-as-a-service that operates in much the same fashion as Satan ransomware: hackers pay a percentage to the ransomware author after a payload that encrypts files on disk is generated and distributed.

“The notion that a specific malware family evades detection by antivirus tools is not surprising. Attackers continually find ways of getting around AV tools, due to the inherent weaknesses of any approach to detecting malicious software on the basis of previously seen patterns,” said Lenny Zeltser, vice president of products at Minerva Labs. “This is a reality for all types of AV solutions, regardless of whether they employ AI or not. It's good to see that there's an increasing awareness of such limitations, since it leads to organizations considering how to expand their security architecture to augment baseline AV protection with additional countermeasures.”

ShurL0ckr ransomware doesn't use any unusual advanced evasion or obfuscation techniques, but “the idea of targeting cloud applications (specifically enterprise file sharing) is what made ShurL0ckr a success in terms of infection,” said Meni Farjon, Co-Founder and CTO at SoleBIT Labs. “The sad truth is that today, most cloud services providers still do not supply advanced malware detection capabilities, thus making this vector a perfect choice for attackers who aim to infect corporate users on a massive scale.”

Bitglass said that 44 percent of the organizations it scanned had some form of malware in at least one of their cloud applications, with a third of corporate SaaS apps containing malware. The company noted that Microsoft OneDrive topped the list with an infection rate of 55 percent, followed by Google Drive at 43 percent. Dropbox and Box tied at 33 percent.