Types of ransomware targeting mobile devices

June 11, 2017

By Kim Komando

Awareness about ransomware is growing – just not as rapidly as ransomware is spreading. Not everyone is taking this threat as seriously as they should be.

People might say, “That will never happen to me,” or not even realize ransomware is a threat. And a serious one at that.

We’ve seen it. In fact, a coworker’s phone was recently infected by malware that locked his screen and displayed obscene pornography. The hackers claimed to be from the Cyber Police, and gave him 72 hours to pay the “fine” for his illegal activity, or else they’d report him to the Department of Homeland Security.

Luckily, because he worked here, he knew better. He figured out a clever way to get around the freeze on his system without having to pay the hackers or purchase a new smartphone.

Many aren’t so fortunate. When ransomware strikes, it takes over everything and leaves you with few options.

In its first stages, ransomware was designed to infect a laptop or personal computer. Hackers hide the malicious code in a Word attachment or Trojan program that will run when the user clicks on it.

Mobile devices have traditionally been safe from this type of malware, but not anymore. As demonstrated by the story we mentioned earlier, ransomware is now spreading to tablets and smartphones. And we expect it to keep growing.

Before we begin…

To understand how ransomware can infect mobile devices, we first need to explain that there are two primary types of ransomware out there: blockers and cryptoblockers.

What’s the difference? Blockers merely block access to certain programs or functions. For example, a blocker may block access to a web browser or operating system. Cryptoblockers, on the other hand, actually encrypt your data.

When it comes to desktop computers and laptops, cryptoblockers are most commonly used. However, when it comes to mobile devices, blockers are the preferred choice of hackers. This is because blockers can easily be removed from a computer by removing the hard drive, plugging it into another computer, and then deleting the blocker’s files.

Mobile devices are a different story. When your device is infected, you can’t remove its storage to wipe the blockers out.

Now that we’ve explained the main types of ransomware, let’s dive into three types popping up on mobile devices.

1. Pletor

Pletor is believed to be the first strain of ransomware to target mobile users. It was first discovered a couple of years ago and is a cryptoblocker that encrypts files stored on SD cards. Within a month of its discovery, Pletor had already been detected on more than 2,000 devices in 13 countries, primarily overseas.

Since that time, around 30 modifications of Pletor have been discovered that use similar Trojan tactics. The general functionality of these versions doesn’t differ all that much.

Once the Trojan is activated, it begins encrypting the contents of the memory on your smartphone or tablet. The file types targeted can vary from version to version among the following: .jpeg, .jpg, .png, .bmp, .gif, .pdf, .doc, .docx, .txt, .avi, .mkv, .3gp, .mp4.

In most cases, Pletor is disguised as a fake porn site and uses the media player to activate the code. Recently, it seems that the creators of Pletor have turned their attention elsewhere, and its expansion has nearly ceased.

2. Jaff

Ransomware called Jaff has been spreading at a super fast rate recently. It’s being delivered by the Necurs botnet through a malicious email campaign.

People from all over the world started receiving these emails in May 2017. In just the first few hours of the Jaff ransomware campaign, over 13 million emails were discovered.

The malicious emails contain one of the following subject lines:

The criminals have attached a PDF document to the email that contains an embedded DOCM file with a malicious macro script. If the recipient runs this macro, the ransomware is executed and files on the victim’s gadget are encrypted. Impacted files are renamed and end with .jaff.

A ransom note will then appear on your gadget. It looks like this:

Image: Example of Jaff ransomware note (Source: Forcepoint)

The victim is instructed to install the Tor Browser and go to a link on the Dark Web. There, the victim will find instructions on how to pay the ransom to receive a private key that will allow them to decrypt the files.

The criminals behind this attack are asking for a hefty ransom. The demand to decrypt the victim’s files is 1.79 Bitcoins, which is about $3,300. This is much larger than a normal ransom demand, so you definitely want to avoid it.

Continue reading for ways to protect your gadget from ransomware.
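The attachment chain described in this section, a PDF carrying an embedded DOCM file, is something a mail filter or an analyst can check for before anyone opens the file. The following Python is an added example, not part of the original article: the function names, the extension list and the sample bytes are constructed for illustration, and it assumes the PDF's objects are stored uncompressed.

```python
import re

# Macro-enabled Office extensions; the article's Jaff campaign used .docm.
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".pptm")
# PDF keys that run an action without the reader asking for it.
AUTO_KEYS = (b"/OpenAction", b"/Launch", b"/JavaScript")

def decode_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes, e.g. /Embedded#46ile -> /EmbeddedFile."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Classify a PDF attachment as pass / review / quarantine."""
    norm = decode_names(data)
    has_embedded = b"/EmbeddedFile" in norm
    # File specifications name the attachment as /F (name) or /UF (name).
    names = [n.decode("latin-1")
             for n in re.findall(rb"/U?F\s*\(([^)]{1,255})\)", norm)]
    macro_names = [n for n in names if n.lower().endswith(MACRO_EXTS)]
    auto_action = any(k in norm for k in AUTO_KEYS)
    if has_embedded and macro_names:
        verdict = "quarantine"
    elif has_embedded or auto_action:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "embedded": has_embedded,
            "macro_files": macro_names, "auto_action": auto_action}

# Constructed samples (not real malware): PDF-like object text only.
SUSPECT = (b"%PDF-1.4\n"
           b"1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
           b"3 0 obj << /Type /Filespec /F (scan_001.docm) "
           b"/EF << /F 4 0 R >> >> endobj\n"
           b"4 0 obj << /Type /Embedded#46ile /Length 0 >> stream\n"
           b"endstream endobj\n%%EOF\n")
BENIGN = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
          b"%%EOF\n")

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage_pdf(blob))
```

Objects packed inside compressed streams are invisible to this byte scan, so a "pass" verdict means nothing was found, not that the file is clean.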

3. Fusob

Another widespread version of mobile ransomware is known as Fusob.

Fusob displays threatening messages on the user’s screen, trying to scare them. Just like the example we shared earlier, this strain of ransomware claims that criminal activity is the direct cause of the fine. It then prompts the user to pay the fee or basically go to jail.

Of course, these claims are false. There is no such thing as the Cyber Police.

Fusob also requests that the payment be made through atypical methods, such as iTunes gift cards or vouchers. Ransom rates range anywhere from $100 to $1,000 to receive the necessary key to unlock your device.

Protect your mobile device

With the ever-growing threat of ransomware, you need to take precautionary steps. Here are suggestions that will help:

Backing up your critical data is an important safety precaution in the fight against ransomware. It’s the best way to recover your files without paying a ransom.

We recommend using our sponsor IDrive. You can back up all your PCs, Macs and mobile devices into ONE account for one low cost! Go to IDrive.com and use promo code Kim to receive a special discount.


https://www.komando.com/tips/cybersecurity/types-of-ransomware-targeting-mobile-devices/