Kovter blackmail Trojan hunts for victims as CryptoLocker fades

Infections hit 40,000 per day in June, says Damballa

Infections caused by the innovative Kovter police blackmail Trojan continued to surge between May and June, security firm Damballa has reported. Could old-style police ransom attacks, once seen as past it, be on their way back with a vengeance?

In April the daily infection rate detected by the firm was around the 10,000 mark; it rose to 25,000 in May before reaching 38,000 in June, a very respectable hit rate by malware standards. At that pace the campaign could reach hundreds of thousands of users in a matter of weeks.

First recorded in 2013, Kovter eschews the complex encryption shenanigans of more famous extortion malware such as CryptoLocker and CryptoWall in favour of plain old embarrassment.

As with any police ransom/blackmail Trojan, a message is displayed to encourage payment but Kovter will also claim it has detected incriminating porn or other embarrassing activity after studying the victim's browser history. In the past it has even thrown up child porn images to induce more fear.

What seems to hit home is that Kovter can tailor the message according to what it has found, which makes it more convincing. The ransom demanded is often at the outrageous end of the scale, as much as $1,000 (£650) a pop. Paying makes no difference: the malware's threats persist whether or not money is handed over.

Whatever else Kovter is, it is a step up in aggressiveness from the flood of police ransom malware that started this industry off around 2011.

Why it is increasing is not clear, but it could be that criminals have turned to it as other, previously successful ransom malware such as CryptoLocker has been taken down (Damballa was among the firms that helped to disrupt CryptoLocker's distribution platform, the Gameover Zeus ("Gozeus") botnet, during Operation Tovar).

Damballa's analysis does at least suggest that the latter nasty remains caged for now.

"When it comes to mass infections, we can apply best practices from Operation Tovar as a blueprint for managing global cyber public health," commented Damballa CTO, Brian Foster.

"It underscores the need for continued, co-ordinated efforts across the security community. These lessons must continue to shape our activity; threat actors are well resourced, agile and quick to adapt. Our approach to response must match this."

Where all of this goes is hard to say. The first wave of police ransom scareware was eventually stopped by better detection of the command and control servers but years on this isn't effective enough. The second generation such as CryptoLocker took months of multi-vendor, multi-agency co-operation to dismantle, including the naming of the Russian alleged to have masterminded it.

But like a hydra, Kovter is an example of the way that ransomware has so far been able to reinvent itself no matter what is thrown at it.

Stories by John E Dunn