Threat Intelligence Brief – January 2017


Ransom Campaigns

With the hype surrounding ransomware, it’s easy to forget that this tactic is only part of a larger category of cyber attack: ransom campaigns. Although the two are often treated as one and the same, holding data for ransom is a much larger problem than the use of malware to encrypt a victim’s local files; the data can just as easily be stolen and wiped, or threatened with publication.

2016 saw an increase in the number of ransom campaigns, including several large-scale ransomware outbreaks. This edition of the threat intelligence briefing focuses on that trend in order to help you safeguard your critical data.


We constantly monitor external threat feeds as well as our own environment for these attacks. From this research, two recent ransom campaigns should be addressed immediately: the attack on misconfigured MongoDB instances and the growing threat of doxware.

MongoDB Attack

For years, users of the open-source MongoDB database have been urged to make sure their installations are not reachable from the public internet without authentication. Unfortunately, an attacker has been targeting thousands of misconfigured MongoDB installations that are exposed with no access control at all, gaining full access to the databases they hold.
How it works:
After connecting to an exposed instance, the threat actor exfiltrates the victim’s data, wipes the database clean and replaces its contents with a ransom note explaining how to pay 0.2 Bitcoin to get the data back.
The damage so far:
At the time of publication, about 2,000 databases were known to have been held hostage. Users without backups are forced to decide between paying and losing their data, and paying is no guarantee that the attacker actually kept a copy before wiping the database. MongoDB has published hardening guidance (bind the listener to localhost, enable access control), but many administrators still have not updated their installations or configurations.
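As an added example, not code from the brief or from MongoDB, the following Python script audits a mongod configuration file for the two settings the campaign relies on: a listener bound to every interface and access control left off. It handles a subset of the YAML layout (`net.bindIp`, `security.authorization`) and of the legacy `key = value` layout (`bind_ip`, `auth`); lists and quoted values are not supported, and the weak and hardened sample configurations are constructed for the example.

```python
"""Audit a mongod config for the two weaknesses the MongoDB ransom campaign
abused: listening on all interfaces and running without access control.
Added example; the sample configs below are constructed, not taken from
any real deployment."""
import re

# legacy layout: bind_ip = 127.0.0.1 (YAML 'key: value' lines never match this)
LEGACY_KV = re.compile(r'^\s*([\w.]+)\s*=\s*(.*)$')


def parse_mongod_conf(text):
    """Flatten a mongod config into {'section.key': value}.

    Supports the two-level YAML layout mongod uses (no lists, no quoting)
    and the legacy 'key = value' layout, whose keys stay unprefixed."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        m = LEGACY_KV.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(':')
        value = value.strip()
        if indent == 0 and not value:               # YAML section header: net:
            section = key
        elif indent == 0:
            settings[key] = value
        else:                                       # YAML child: bindIp: 0.0.0.0
            settings[f'{section}.{key}'] = value
    return settings


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    s = parse_mongod_conf(text)
    findings = []

    bind = s.get('net.bindIp', s.get('bind_ip'))
    if bind is None:
        # With bindIp unset, the mongod binary (releases current as of this
        # brief) listens on every interface; only a packaged config file
        # that sets 127.0.0.1 limits exposure.
        findings.append('bindIp unset: relies on the binary default (all interfaces)')
    elif any(a.strip() in ('0.0.0.0', '::') for a in bind.split(',')):
        findings.append(f'bindIp {bind}: listens on every interface')

    # YAML: security.authorization: enabled    legacy: auth = true
    legacy_auth = 'enabled' if s.get('auth', '').lower() == 'true' else 'disabled'
    if s.get('security.authorization', legacy_auth).lower() != 'enabled':
        findings.append('access control off: anyone who can reach the port owns the data')

    return findings


# Constructed sample: the kind of config the campaign feasted on.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from the internet
"""

# Constructed sample: the same instance after hardening.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ['OK'])
```

Binding to localhost is the right default for a single-host deployment; where application servers must reach the database over the network, bind to the specific internal address, enable authorization, and firewall port 27017 so that only those servers can connect.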


Doxware

Doxing, a tactic that first gained popularity in the 1990s, involves publicly shaming or blackmailing a target by threatening to release embarrassing personal information. Doxware takes this a step further by combining the threat of publication with malware-based encryption of the victim’s local data.
How it works:
While it sounds as simple as “give us money or your data goes public,” doxing is going through a resurgence, with new and more damaging variants emerging. Some newer variants also encrypt local data, leaving victims with even less recourse: restoring from backup defeats the encryption but does nothing about the threat to publish.
Even more nefarious is Popcorn Time, a recent ransomware variant that offers victims the choice of infecting two other people instead of paying the ransom.
The damage so far:
It’s difficult to quantify the number of affected users since, given the sensitive nature of the data involved, most are unlikely to report an incident. However, it’s safe to assume that as long as individuals and organizations store sensitive or potentially embarrassing information without securing it properly, this tactic will remain profitable, potentially even more so than ransomware.

Ransomware IPs

We have identified the following IPs as command and control (C2) servers or malware hosts used to propagate ransomware. Any history of outbound communication to these IPs should be investigated, and the addresses should be blocked to prevent payload downloads and C2 check-ins. This is not a complete list; it represents only a fraction of the C2 nodes online at any given moment.

List of Ransomware IP Addresses
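The check described above, matching historical outbound traffic against the C2 list, as an added Python example that is not part of the brief: it loads a blocklist (one IP per line, comments allowed), parses firewall log lines in a generic `timestamp key=value ...` export format, and reports every internal host that contacted a listed address. The addresses are RFC 5737 documentation ranges standing in for the brief’s real list, the log lines are constructed, and the log format is an assumption; adapt `parse_line` to your own firewall or proxy export.

```python
"""Hunt firewall/proxy history for outbound contact with known ransomware
C2 or payload-hosting IPs. Added example; blocklist, log lines and log
format are constructed (RFC 5737 documentation addresses), not the brief's
real list."""
import ipaddress
import re

# Constructed placeholder list: one IP per line, '#' comments allowed.
RANSOMWARE_IPS = """
# substitute the brief's published list here
203.0.113.45
198.51.100.7
"""

# Constructed log lines in a generic 'timestamp key=value ...' export format.
SAMPLE_LOG = """\
2017-01-09T10:21:03Z action=allow src=10.1.4.23 dst=203.0.113.45 dport=443 proto=tcp
2017-01-09T10:21:05Z action=allow src=10.1.4.23 dst=192.0.2.10 dport=80 proto=tcp
2017-01-09T10:22:17Z action=deny src=10.1.7.9 dst=198.51.100.7 dport=8080 proto=tcp
2017-01-09T10:23:40Z action=allow src=10.1.4.23 dst=10.1.0.5 dport=445 proto=tcp
this line is not a log record
"""

LOG_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$')


def load_blocklist(text):
    """Parse the IP list into a set of ip_address objects (rejects junk)."""
    ips = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            ips.add(ipaddress.ip_address(line))    # ValueError on a bad entry
    return ips


def parse_line(line):
    """Turn one 'ts key=value ...' record into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split('=', 1) for kv in m.group('kv').split())
    fields['ts'] = m.group('ts')
    return fields


def find_c2_contacts(log_text, blocklist):
    """Return (ts, src, dst, action) for every record whose dst is listed.

    Denied connections are reported too: a blocked C2 attempt still means
    the source host tried, which is the infection signal you want."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or 'dst' not in f:
            continue
        try:
            dst = ipaddress.ip_address(f['dst'])
        except ValueError:
            continue                                # e.g. a hostname in dst
        if dst in blocklist:
            hits.append((f['ts'], f.get('src', '?'), str(dst), f.get('action', '?')))
    return hits


def hosts_to_isolate(hits):
    """Distinct internal sources that touched the list, for triage."""
    return sorted({src for _, src, _, _ in hits})


if __name__ == '__main__':
    found = find_c2_contacts(SAMPLE_LOG, load_blocklist(RANSOMWARE_IPS))
    for hit in found:
        print('C2 contact:', *hit)
    print('isolate:', hosts_to_isolate(found))
```

Run it against as much retained log history as you have, not just today’s traffic: the first contact with a C2 host often predates the visible encryption by days, and the source hosts it surfaces are the ones to isolate and image before restoring from backup.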


Ransom Campaign Counter Measures

Fortunately, the same prevention and mitigation advice applies to most ransom campaigns. Following these countermeasures will help minimize the risk of a successful ransom attack in your network environment.

  • Back up your data: Regular backups are essential to safeguarding against ransomware, ideally with copies kept offline and offsite so the malware cannot reach them. Backup retention should be more than 45 days, since an infection can go unnoticed for weeks. Backups won’t prevent an infection, but they will let you recover quickly afterwards.
  • Guard against phishing: Threat actors love to send tainted attachments in seemingly legitimate emails. User awareness training and anti-spam email settings are critical to protecting yourself from this threat.
  • Avoid macros: Don’t enable macros in Microsoft Office documents from unknown sources; the “enable content” prompt is exactly how a malicious attachment gets its payload to run.
  • Update OS and software: Keeping your software and OS up to date reduces the ability of cyber criminals to exploit unpatched vulnerabilities.
  • Use antivirus: Use an up-to-date modern antivirus solution such as Trend Micro, Kaspersky, Avira, Avast or Bitdefender.
  • Enable the “Show file extensions” option in Windows: Windows hides known extensions by default, so a file named invoice.pdf.exe appears as invoice.pdf. Showing extensions makes it easier to verify the file type you’re opening. Be wary of any .exe, .vbs or .scr file, as these extensions are often used to deliver malicious payloads.
  • Trust no one: Compromised accounts are an easy way to spread malware, because threat actors count on targets trusting a known sender address. They don’t even need to compromise an account; sender addresses are easily spoofed.
  • If infected, don’t panic: Try to identify the ransomware family (the ransom note and the extension added to encrypted files usually suffice), as freely available tools can decrypt some of the older versions. No More Ransom! is a great source for available decryption tools.



No More Ransom! is a collaborative effort between the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky Lab and Intel Security that aims to disrupt ransomware cybercrime and to educate users about the threat and the countermeasures they can take. In addition to countermeasures and education, it offers decryption tools for several ransomware variants.

To help support the fight against ransomware, Armor has partnered with the No More Ransom (NMR) Project.



Phishing remains the most effective means of gaining access to a target’s network and delivering malware. Historically, phishing campaigns have been resource intensive, since acquiring hosts and covering tracks is time-consuming. In 2016, we saw the advent of phishing services for hire: providers that supply compromised websites and hosts from which to launch campaigns, dramatically lowering the cost of an operation. We expect to see an increase in such services as well as in new campaigns. Now more than ever, users need to be wary of clicking links or opening suspicious attachments.



A cyber criminal using the name Janus, a reference to the crime syndicate in the 1995 James Bond film GoldenEye, is targeting HR departments in Germany. The tactic involves submitting bogus job applications that carry the GoldenEye ransomware, a variant of Petya. The attacker has even begun crafting realistic PDF cover letters to accompany the macro-enabled spreadsheet that delivers the payload. This may force many HR departments to stop accepting applications by email and rely on other methods, such as web forms, instead.
