Gojdue Variant Eludes Microsoft, Google Cloud Protection, Researchers Say

Phishing Campaign Delivers Nasty Ransomware, Credential-Theft Two-Punch

Researchers have identified a new ransomware strain that went undetected by built-in malware protection used by cloud heavyweights Microsoft and Google as recently as January.

According to researchers at the cloud security firm Bitglass, both Google Drive and the SharePoint service in Microsoft Office 365 failed to flag a new variant of Gojdue ransomware called ShurL0ckr when tested last month. More troubling, when the sample was submitted on Jan. 16 to VirusTotal, which runs uploaded files through dozens of anti-virus engines, only seven percent of those engines detected it.

Since that original test, detection has improved: on a rescan through VirusTotal on Wednesday, 50 percent of AV engines flagged ShurL0ckr. Researchers said it is unclear whether cloud services such as Microsoft's or Google's have since begun identifying and quarantining ShurL0ckr-infected files stored on their platforms.

“Neither Google Drive nor Microsoft SharePoint were able to detect the ShurL0ckr ransomware with their built-in threat engines,” wrote researchers in a blog posted Wednesday.

“The problem is, (ShurL0ckr)-infected files get past client defenses, are uploaded to the cloud and then downloaded or shared on other PCs,” said Salim Hafid, product marketing manager at Bitglass. “Google and Microsoft advertise cloud anti-virus and anti-malware scanning, but when they can’t detect ransomware, that’s a problem.”

A Microsoft spokesperson told Threatpost the company was “investigating claims of a new variant and will provide the necessary protections based on (its) findings.” Microsoft added that its free security software can detect and remove the Gojdue ransomware family.

Google declined to comment for this story.

“Whether or not Microsoft’s client-side AV does detect ShurL0ckr or not is not the problem. Microsoft and Google make their cloud services available to all devices, many of which don’t run Microsoft’s AV software,” Hafid said.

Researchers said the ransomware is similar to Satan ransomware, first identified in January 2017, and is marketed on the dark web as a ransomware-as-a-service (RaaS) offering.

Satan RaaS lets criminals register for an account and customize the software. Satan affiliates must hand over 30 percent of what they collect to the RaaS developers, though affiliates can keep a larger share as their campaigns become more profitable. In the case of ShurL0ckr, the developers take only a 10 percent cut, according to Mike Schuricht, VP of product management at Bitglass.

The ransomware targets PCs running 64-bit versions of Microsoft Windows. Encrypted files are given the .cypher extension. The developers behind ShurL0ckr allow RaaS customers to demand between 0.01 and 1 bitcoin, roughly $80 to $8,000 at current prices.
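Because the cloud-side scanners described above missed the sample, a defender's fallback is to hunt for the ransomware's artifacts on the locally synced copy of a Drive or SharePoint folder. The following Python scanner is an added example, not code from Bitglass, Threatpost or the ransomware authors. It combines the one indicator the article reports, the .cypher extension, with a Shannon-entropy check so that a decoy, empty or partially written file carrying that name does not raise an alert; the 7.5 bits-per-byte threshold, the 64 KB sample size and the temporary demo directory it builds are assumptions and constructed data, not facts from the page.

```python
"""Hunt a directory tree for ShurL0ckr-style encryption artifacts.

Added example: the .cypher extension comes from the Bitglass report; the
entropy threshold and the sample tree below are assumptions/constructed.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SUSPECT_EXT = ".cypher"      # extension the article reports ShurL0ckr appends
ENTROPY_THRESHOLD = 7.5      # assumption: bits/byte typical of ciphertext
SAMPLE_BYTES = 65536         # assumption: read at most 64 KB per file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str) -> dict:
    """Walk `root` and classify every file with the suspect extension.

    Returns a dict with:
      suspect          - .cypher files whose content looks encrypted
      low_entropy      - .cypher files whose content does not (decoys,
                         truncated writes, renamed plaintext)
      encrypted_ratio  - suspect files as a share of all files seen, a rough
                         "how far did the encryption get" indicator
    """
    suspect, low_entropy = [], []
    total = 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            total += 1
            path = Path(dirpath) / name
            if path.suffix.lower() != SUSPECT_EXT:
                continue
            with open(path, "rb") as fh:
                entropy = shannon_entropy(fh.read(SAMPLE_BYTES))
            bucket = suspect if entropy >= ENTROPY_THRESHOLD else low_entropy
            bucket.append(str(path))
    ratio = len(suspect) / total if total else 0.0
    return {
        "suspect": sorted(suspect),
        "low_entropy": sorted(low_entropy),
        "encrypted_ratio": ratio,
    }


def build_sample_tree() -> str:
    """Constructed demo data: two 'encrypted' files (random bytes stand in
    for ciphertext), one plaintext decoy with the extension, one untouched
    document. Returns the temp directory path."""
    root = Path(tempfile.mkdtemp(prefix="cypher_demo_"))
    docs = root / "docs"
    docs.mkdir()
    (docs / "budget.xlsx.cypher").write_bytes(os.urandom(4096))
    (docs / "notes.txt.cypher").write_bytes(os.urandom(4096))
    (docs / "README.cypher").write_text("plain text with a scary name\n" * 50)
    (docs / "untouched.txt").write_text("still plaintext\n")
    return str(root)


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for path in result["suspect"]:
        print(f"[ALERT] encrypted payload: {path}")
    for path in result["low_entropy"]:
        print(f"[INFO] .cypher name but low entropy: {path}")
    print(f"encrypted share of files: {result['encrypted_ratio']:.0%}")
```

Point `scan_tree` at the local sync root of the cloud library in question; a sudden jump in `encrypted_ratio` across a shared folder is the signal that infected files are propagating through the cloud sync path Hafid describes, regardless of whether the provider's own scanner has caught up.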

Bitglass said it stumbled on the malware as part of a larger cloud study that found 44 percent of businesses had some form of malware in at least one of their cloud applications.

Bitglass researchers said ShurL0ckr is closely related to Gojdue ransomware, also tracked under the detection names “Ransom:Win32/Gojdue.A” and “RANSOM_GOSHIFR.A.” Gojdue is typically delivered via spam, phishing emails and browser exploits.
