Pplware

Watch out! New ransomware is arriving via TeamViewer

Ransomware is the new plague that is increasingly affecting and infecting personal computers. This kind of virus can immobilize a computer, and even render it permanently unusable, until the demanded ransom is paid.

The latest complaint is nothing new in itself, but it is novel in the way it gets installed. This time the attackers are using TeamViewer to infect computers.

It is not unusual for well-known applications to be used to spread viruses and malware. Users' trust in these applications leads them to accept everything they are asked to.

A new version of the Surprise ransomware is active and spreading, using the TeamViewer installer to do so. The first cases were reported on the Bleeping Computer forum, a place where such cases are reported and help is sought.

In every reported case, users said they saw their files being locked and the .surprise extension added to them.

But what is the source of this ransomware infection?

Cross-referencing the information supplied by all the cases revealed one common point: the presence of TeamViewer. This exposed a scenario nobody expected and led to the conclusion that the origin was indeed this application.

Curiously, this happened after installation: a file named surprise.exe was downloaded, which then triggered the encryption of the files and placed the ransom demand on the Desktop.

In these infections the amount demanded was 0.5 Bitcoin, about 200 dollars, but depending on what the users had stored, this amount could easily rise to 25 Bitcoin, about 10,000 dollars.

TeamViewer's response

After the information was made public, pointing the finger directly at TeamViewer, attempts were made to understand how this installer came to be infected. The evidence that the executable arrived during the installation process was obtained from logs and showed the problem clearly.

TeamViewer's statements reject responsibility for this problem and point to the possibility that installers obtained from untrustworthy sources were used.

TeamViewer's statement on this incident

In the last couple of days, some reports surfaced which linked some ransomware infections with TeamViewer. We strongly condemn any criminal activity, however, we can emphasize two aspects:

  1. Up to now, none of the reported cases is based on a TeamViewer security breach.
  2. Some selected steps will help prevent potential abuse.

Ad (1.): We looked thoroughly at the cases that were reported to us. According to our investigation, the underlying security issues cannot be attributed to TeamViewer. Thus far we have no evidence that would suggest any potential security breach of TeamViewer that attackers exploit. Furthermore, a man-in-the-middle attack can nearly be excluded because of TeamViewer’s deployed end-to-end encryption. Additionally, we have no reason to believe that a brute-force attack is the origin of the reported infections. TeamViewer exponentially increases the latency between connection attempts. It thus takes as many as 17 hours for 24 attempts. The latency is only reset after successfully entering the correct password. TeamViewer not only has a mechanism in place to protect its customers from attacks from one specific computer but also from multiple computers, known as botnet attacks, that are trying to access one particular TeamViewer-ID.

Apart from that, we would like to state that none of the reports currently circulating hint at a structural deficit or a security glitch of TeamViewer.

Careless use is at the bottom of the cases we currently looked at. This particularly includes the use of the same password across multiple user accounts with various suppliers.

With many suppliers – such as TeamViewer – this does not turn out to be a problem, because appropriate security measures are in place to protect the user’s data. With other suppliers, however, user data is poorly or not at all protected. These suppliers are an easy target for hackers or data thieves who subsequently sell their loot via pertinent portals, or maybe just maliciously publish the user credentials online.

As TeamViewer is a widely spread software, many online criminals attempt to log on with the data of compromised accounts (which they obtained through the aforementioned sources), in order to find out whether there is a corresponding TeamViewer account with the same credentials. If this is the case, chances are they can access all assigned devices, in order to install malware or ransomware. Yet users can protect against this problem.

Ad (2.): TeamViewer denounces any criminal ploys, and encourages users to protect themselves by adequate countermeasures:

  • This starts with the download: TeamViewer advises users to only use official TeamViewer channels for the download.
  • Additionally, users ought to protect any user account – whether it is with TeamViewer or any other supplier – by unique and secure passwords.
  • Moreover, TeamViewer encourages users to protect their TeamViewer accounts by two-factor authentication. See: http://www.teamviewer.com/en/help/402-How-do-I-activate-deactivate-two-factor-authentication-for-my-TeamViewer-account.aspx
  • Finally, users should make sure that their device has not already been infected by viruses, spyware or any other type of malware that hackers may use to access secret or sensitive data.

The TeamViewer support team is happy to answer any potential technical issues or queries at support@teamviewer.com.

TeamViewer recommends that users who have been the victim of criminal activities get in touch with their local police departments, in order to report their case. This is particularly important because TeamViewer is subject to very strict data protection and privacy regulations, and can release sensitive data only to authorized individuals and authorities.
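The statement above describes a login throttle that grows the wait between attempts exponentially, resets it only on a correct password, and counts attempts per target ID so that many machines hammering one ID are slowed together. The following is an added example that models that mechanism; it is not TeamViewer's code, and the base delay and cap are assumed values, not TeamViewer's (the statement only gives the figure of 17 hours for 24 attempts).

```python
"""Login throttling with exponential backoff keyed on the target ID.

Added example, not TeamViewer's code: it models the mechanism the statement
describes (wait grows with every failure, only a correct password resets it,
and the counter belongs to the target ID so many sources hitting one ID share
it). BASE_DELAY_S and MAX_DELAY_S are assumed values, not TeamViewer's."""
from dataclasses import dataclass, field

BASE_DELAY_S = 1.0     # assumed: wait imposed after the first failure
MAX_DELAY_S = 3600.0   # assumed: ceiling for a single wait


def delay_for(failures: int) -> float:
    """Wait imposed after `failures` consecutive failed attempts."""
    if failures <= 0:
        return 0.0
    return min(BASE_DELAY_S * 2 ** (failures - 1), MAX_DELAY_S)


def total_wait(attempts: int) -> float:
    """Cumulative wait a guesser sits through to make `attempts` tries."""
    return sum(delay_for(k) for k in range(1, attempts))


@dataclass
class TargetState:
    failures: int = 0
    not_before: float = 0.0   # earliest time another attempt is accepted


@dataclass
class LoginThrottle:
    states: dict = field(default_factory=dict)
    rejected: list = field(default_factory=list)   # audit trail for detection

    def attempt(self, target_id: str, source: str,
                password_ok: bool, now: float) -> str:
        """Returns 'ok', 'denied' (wrong password) or 'throttled'."""
        st = self.states.setdefault(target_id, TargetState())
        if now < st.not_before:
            # Rejected whichever source sent it: one target ID, one counter.
            self.rejected.append((now, target_id, source))
            return "throttled"
        if password_ok:
            st.failures, st.not_before = 0, 0.0   # reset only on success
            return "ok"
        st.failures += 1
        st.not_before = now + delay_for(st.failures)
        return "denied"
```

With the assumed parameters, 24 attempts cost a guesser roughly 12 hours of enforced waiting, and the `rejected` list is the place a defender would feed into alerting on bursts against a single ID.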

It is therefore important that users be careful about the sources from which they obtain their applications. Only in this way can they protect themselves.

Ransomware cases are hard to resolve without paying the ransom or completely wiping the computers. Special care and constant vigilance are therefore required.
