Shurlockr Ransomware
July 26, 2021 | By Comodo
ShurLOckr is ransomware that behaves much like other ransomware strains, but it uses cloud-based platforms as its distribution channel. This means the ShurLOckr ransomware can reach a wide range of people in a very short time.
ShurLOckr ransomware was discovered in 2018 by Bitglass and Cylance. It is a ransomware strain developed from the Gojdue ransomware and is offered as Ransomware-as-a-Service (RaaS) on the dark web. The ShurLOckr ransomware came to light after it bypassed the built-in security screening of Google Drive and Microsoft Office 365.
According to the researchers, the ShurLOckr ransomware can bypass a cloud platform’s virus scan and enter the cloud. Once ShurLOckr is in the cloud, it can be shared and distributed to any user anywhere who has access to that cloud platform. Once opened, it can infect a company’s network even if the company has strong security.
A Guide to Understanding the Shurlockr Ransomware and Endpoint Protection
When it comes to cybersecurity threats, data theft and Denial-of-Service (DoS) attacks rank at the top of the list. These threats can do considerable damage to a company or organization and can take a long time to recover from after an attack. But ransomware, especially the ShurLOckr ransomware, is much more dangerous.
Characteristics of Ransomware
Being hit by the ShurLOckr ransomware is a cause for alarm and should be dealt with immediately. This is especially true for companies that hold sensitive data in their databases that can be used for blackmail or fraud.
But to prepare for a ransomware threat, it’s important to know the characteristics of ransomware:
File encryption: The first characteristic of ransomware is its ability to encrypt files and data. Once the ransomware is released on a computer, it scans for files that can be encrypted. It usually hunts for pictures (.jpeg, .png, .tiff, etc.), documents (.docx, .xlsx, .rtf, etc.), video (.mp4, .wmv, .avi, etc.), and other personal files.
Sometimes, the malware can take over the entire computer, locking users out of their computers until the decryption code is given to the ransomware. The ShurLOckr ransomware is known only to encrypt files and does not lock users out of their computer or device.
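As an added illustration of the file-encryption characteristic described above (this is example code written for this page, not Comodo's tooling or anything from the ShurLOckr analysis), the check below walks a shared folder and flags files that still carry one of the targeted extensions but no longer start with that format's header and whose contents read as high-entropy ciphertext, which is what in-place encryption leaves behind. The magic-byte table, the 7.5 bits-per-byte threshold and the sample files are constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter

# (offset, accepted magic bytes) for file types the article lists as targets; constructed table.
MAGIC = {
    ".jpeg": (0, [b"\xff\xd8\xff"]), ".png": (0, [b"\x89PNG\r\n\x1a\n"]),
    ".tiff": (0, [b"II*\x00", b"MM\x00*"]), ".rtf": (0, [b"{\\rtf"]),
    ".docx": (0, [b"PK\x03\x04"]), ".xlsx": (0, [b"PK\x03\x04"]),
    ".mp4": (4, [b"ftyp"]), ".avi": (0, [b"RIFF"]),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, lower for most plaintext."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: str, threshold: float = 7.5) -> bool:
    """Flag a targeted extension whose format header is gone and whose leading
    bytes read as ciphertext; zip-based .docx/.xlsx keep their header so pass."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return False
    with open(path, "rb") as fh:
        head = fh.read(4096)
    offset, candidates = MAGIC[ext]
    header_ok = any(head[offset:offset + len(m)] == m for m in candidates)
    return not header_ok and shannon_entropy(head) > threshold

def scan_tree(root: str) -> list[str]:
    """Return relative paths of files under root that look encrypted in place."""
    hits = [os.path.relpath(os.path.join(d, n), root)
            for d, _, names in os.walk(root) for n in names
            if looks_encrypted(os.path.join(d, n))]
    return sorted(hits)

def demo() -> list[str]:
    """Constructed share: intact PNG and DOCX, plus a DOCX and a JPEG overwritten
    in place with random bytes standing in for ciphertext."""
    root = tempfile.mkdtemp()
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 2000,
        "report.docx": b"PK\x03\x04" + os.urandom(2000),
        "budget.docx": os.urandom(2048), "scan.jpeg": os.urandom(2048),
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return scan_tree(root)  # -> ['budget.docx', 'scan.jpeg']
```

This catches strains that encrypt files while keeping the original name; a strain that appends its own extension needs a rename-rate rule instead, and an intact header with high entropy is normal for compressed formats such as .docx.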
High-level encryption algorithm: Almost all ransomware uses strong encryption so that brute-force decryption is not feasible. This is true of the ShurLOckr ransomware as well.
Ransomware uses a sophisticated encryption algorithm whose output can only be opened with the decryption key. Some ransomware uses a custom-built encryption algorithm, making it hard to break, while many variants receive a unique encryption key from the hacker’s online server for every encryption. That uniqueness makes the key hard to crack through brute force.
Some decryption tools online try to crack the strong encryption of ransomware, but many have limitations and the success rates are low.
Demand letter: Because ransomware holds files hostage for ransom, it always comes with a ransom note asking for a large sum of money. As a strain derived from another ransomware family, the ShurLOckr ransomware may also have this.
Most ransomware demand letters have the same content, especially among variants from the same family. They ask for a large sum of money, offer to decrypt one file as proof, and require victims to contact the hackers within a couple of days. Failure to follow the instructions can lead to higher demands.
Bitcoin payment: Another trademark characteristic of ransomware is the demand for payment in Bitcoin instead of cash. Hackers prefer to be paid in Bitcoin or another cryptocurrency because it cannot be traced to a single location. No ransom amount has been reported for the ShurLOckr ransomware so far.
Beyond being hard to trace, cryptocurrency is also preferred by ransomware operators because it does not reveal any identity and is not regulated by any bank or government.
Other malware payloads: Not all ransomware carries this, but the dangerous strains do. Ransomware on its own doesn’t damage your system or steal your data; it encrypts the data and asks for money. Fortunately, there are no reports of the ShurLOckr ransomware carrying additional malware payloads.
But when another malware payload is attached, that malware can end up breaking your system or stealing your data. Sometimes hackers add a keylogger that records your keystrokes to try to steal your passwords.
Ransomware used in whale phishing attacks could have a malware payload that steals a specific kind of data which can be used for fraud and blackmail.
How Does Ransomware-as-a-Service (RaaS) Work?
Because ransomware offers a huge potential for financial gain, many hackers and cybercriminals want to use this type of malware. Ransomware developers saw the market for it and decided to offer it as a service, which gave rise to “Ransomware-as-a-Service” (RaaS). The ShurLOckr ransomware is offered as a RaaS.
The business model of Ransomware-as-a-Service depends on the malware developers. Some RaaS offerings follow a model similar to Software-as-a-Service (SaaS): the developers give hackers and clients a software kit to customize the malware’s features to their preferences, maintain the ransomware, and take a cut of the profit when a victim pays to get their data back.
In another model, the developers sell the kit for a fixed price and leave the buyer to run the program themselves or customize it as they please.
Ransomware has become a profitable business not only for the developers but also for their customers. More and more victims are paying to get their data back; even organizations and high-profile individuals are willing to pay.
In 2013, the actors behind the CryptoLocker ransomware attack collected an estimated 3 million dollars in ransom payments.
RaaS has a growing market on the dark web, and within a few years the market for Ransomware-as-a-Service is expected to exceed a billion dollars.
Why Ransomware on Cloud Apps Can Be Dangerous
Ransomware in and of itself is dangerous. But when it enters a cloud platform, it can cause damage on a much larger scale. The ShurLOckr ransomware made this threat real.
The researchers who discovered the ShurLOckr ransomware reported that it is detected by only 7% of the antivirus engines on the market, and that the security offered by cloud service providers is hardly enough to keep the ShurLOckr ransomware out of cloud servers.
This characteristic of the ShurLOckr ransomware can be exploited in the development of future ransomware and weaponized. If it managed to bypass the cloud’s security screening, nobody can say what future malware will be able to do in the cloud.
In a future worst-case scenario, ransomware could activate in the cloud, infecting the server and encrypting all the data stored in the cloud server, including the company’s backup files.
Why You Need Endpoint Security
With the dangers packed in ransomware, prevention is much better than a cure. That’s why cybersecurity experts advise companies to secure their networks with endpoint security tools and systems.
Endpoint security is perhaps the most effective ransomware preventive measure available. Since ransomware must first get into your systems before it can reach your cloud platform, there must be no vulnerable opening in your network that cybercriminals can use as an entry point.
Endpoint security is a cybersecurity measure that strengthens the security of your network’s endpoints. These endpoints could be an employee’s workstation PC, an employee-accessible server, a company USB device, or even an employee’s smartphone connected to the company network.
With endpoint protection, each of these endpoint devices must have a certain level of security before they are granted access to the company network.
How Does Endpoint Security Work?
Endpoint security is a simple but effective cybersecurity technique that prevents malware from entering your network. IT professionals use a range of software tools to ensure that each endpoint complies with the cybersecurity requirements before it is given access to the network. With an endpoint security
In endpoint security, the device user or owner is responsible for keeping their device’s cybersecurity up to date. This reduces the pressure on IT professionals to verify every device themselves, a model in which a single device they fail to check becomes a vulnerability.
Endpoint protection also gives IT officers the power to monitor activities in the endpoint devices and keep track of the files and documents stored in them.
With global partnerships and bring-your-own-device (BYOD) policies being implemented by many companies today, traditional cybersecurity techniques (network perimeter, IDS, firewalls, etc.) can no longer protect the company network from foreign devices. Endpoint security and endpoint protection don’t have this limitation.
Accessing the company network from an insecure device creates a vulnerability and an access path into the network. Such access paths can easily bring the ShurLOckr ransomware to the doorstep of your cloud storage.
Tools for Endpoint Security
The ability of endpoint protection to prevent malware like the ShurLOckr ransomware from entering your company network lies in the cybersecurity tools used for endpoint security. Below are some tools packaged in an endpoint security service:
Spam and email protector: Much ransomware, including the ShurLOckr ransomware, enters a private network through spam or fake email. That’s why many endpoint security providers include spam and email protection in their packages.
Many email providers also have spam blockers built into their systems to keep spam out of your inbox. However, this is not enough, as fake emails can still bypass spam and email protectors.
Antivirus software: So far, the best prevention against ransomware is to have up-to-date antivirus software installed on your endpoint devices. Updated antivirus software can easily detect known malware signatures and block them from infecting devices; this covers some ransomware and many other malware types.
However, no antivirus software is perfect, and if an unfamiliar malware manages to infect your device, the antivirus software is often deactivated without your knowledge. Some next-generation malware also behaves differently from older malware, making it difficult for antivirus software to catch it.
Web-protection software: Another entry point for ransomware and other malware is through the web. Malicious links and web downloads could inject malware into your device without your antivirus software detecting it.
Once a device is infected, the malware automatically attacks your antivirus and deactivates it so that it can’t block the malware from spreading. SQL injection is the most common type of web hacking technique.
Antispyware: When hackers target a specific organization or person, the first thing they do is reconnaissance. They try to learn about the target and see what vulnerabilities they can exploit to enter the private network. They do this through spyware.
Spyware is malware that transmits information and data back to its operator to give cybercriminals a better picture of their target and of the target’s behavior and responses on their devices. Antispyware prevents this by regularly scanning for, monitoring, and eliminating spyware on your devices.
Next-generation antivirus and firewall software: Unlike traditional antivirus software and firewalls, next-generation antivirus and firewalls don’t just look at signatures but also at events and the tactics, techniques, and procedures (TTPs) used by cyberattackers.
Next-generation antivirus and firewall software offer better protection against new kinds of malware and conduct some form of malware forensics to learn an unfamiliar malware’s behavior. These tools use a sandbox environment to check suspicious files and processes and determine whether a file is a threat to the system.
VPN: Lastly, endpoint protection service providers offer VPN services to ensure that the connection of one endpoint to another node in the network is secure.
A VPN creates a secure, encrypted connection between the endpoint and the network node to prevent a third party from spying on the connection and gathering data on their target. VPNs also encrypt files in transit so that cyberattackers cannot read an intercepted file.
Conclusion: The ShurLOckr ransomware is just the beginning of a new kind of ransomware. As technology develops further and new systems become available to hackers, it will not be long before the ShurLOckr ransomware’s ability to bypass security scans is weaponized in much more dangerous malware.
With this threat looming over many businesses and organizations, they need to take preventive measures now with endpoint security and protection services and be prepared for any possible malware attack.