New Ransomware Designed to Evade Machine-Learning Hits Konica Minolta Copier/MFP

Ransomware demand displayed on user’s PC monitor last month.

IT-security firm Comodo Threat Intelligence Lab has reported that, last month, hackers began ransomware attacks using a Konica Minolta copier/MFP, infecting users’ PCs, and encrypting their files, and then subsequently demanding a ransom of between 0.5 to one Bitcoin ($4,000 U.S.)) to un-encrypt them. The ransomware attack is said to have been able to evade machine-learning and algorithm-based security tools.

Comodo calls this latest variant of “Locky” ransomware “IKARUSdilapidated,” with the attack said to have originated from  hackers in Vietnam, Mexico, India, and Indonesia. Users in Southeast Asia, India, Europe ,and the Americas are said to have targeted, as well as users in Australia, New Zealand, and Indonesia.

Many of the attacks took the form of an email that’s said to mimic emails generated by the Konica Minolta C224e, which users often use to scan a document and then have the MFP email the scanned document to themselves. The email subject line contained the subject line “Message from KM_C224e” and contains a malicious attachment. Other emails are said to take the form of fake invoice statements, with subject lines reading “Status of invoice.”

Fatih Orhan, head of Comodo noted: “These types of attacks utilize both botnets of servers and individuals’ PCs, and new phishing techniques using social engineering for unsuspecting office workers and managers. This enables a very small team of hackers to infiltrate thousands of organizations and beat A.I. and machine learning-dependent endpoint protection tools, even those leading in Gartner’s recent Magic Quadrant.”

According to Comodo, this  new wave of ransomware attacks used a botnet of zombie computers (usually connected to network through well-known ISPs [Internet service providers]) to coordinate a phishing attack that sent the emails to victims’ email accounts.

Comodo stated that the emails includes the scanner/printer model number belonging to the Konica Minolta C224e, one of the most popular MFPs used in Europe, South America, North America, and Asia.

Comodo further states that two ransomware campaigns started on September 18, 2017 and appeared to have ended on September 21, 2017, but that similar attacks should be expected in the near future.

It also states that both September attacks have a “.ykcol” extension and the “.vbs” files are distributed via email, indicating that malware authors are “developing and changing methods to reach more users and bypass security approaches which use machine learning and pattern recognition.”

In the meantime, users should always be cautious opening any suspicious email message – and extremely cautious of opening or downloading any files contained in those emails.

More Resources