Netflix Scam Delivers Ransomware

by Marvelous Pelin (Threat Response Engineer)

Netflix has a 93 million-strong subscriber base in more than 190 countries, so it’s unsurprising that cybercriminals want a piece of the pie. Among their modus operandi: stealing user credentials that can be monetized in the undergroundexploiting vulnerabilities, and more recently infecting systems with Trojans capable of  pilfering the user’s financial and personal information.

What other purposes can stolen Netflix credential serve? Offer them up as bargaining chip to fellow cybercriminals, for instance. Or more nefariously, use them as lure to trick certain users into installing malware (and turn a profit in the process). If you’re planning to free ride your way into binge-watching your favorite shows on Netflix, think again. Your computer’s files may end up getting held hostage instead.

We came across a ransomware (detected by Trend Micro as RANSOM_ NETIX.A) luring Windows/PC users with a Netflix account via a login generator, one of the tools typically used in software and account membership piracy. These programs are usually found on suspicious websites sharing cracked applications and access to premium/paid web-based services.

Figure 1. Netflix ransomware’s ransom notes

Figure 1. The ransom note displayed as wallpaper in the affected system

Figure 2. Netflix ransomware’s ransom notes

Figure 2. One of the ransom notes with instructions to victims

Figure3-netflix

Figure 3. Fake Netflix Login Generator

Figure4-netflix

Figure 4. The prompt window after clicking “Generate Login”

Scamming the Scammer

The ransomware starts as an executable (Netflix Login Generator v1.1.exe) that drops another copy of itself (netprotocol.exe) and then executed afterwards. Clicking the “Generate Login” button leads to another prompt window that purportedly has the login information of a genuine Netflix account. RANSOM_NETIX.A uses these fake prompts/windows as distraction while it performs its encryption routine on 39 file types under the C:\Users directory:

.ai, .asp, .aspx, .avi, .bmp, .csv, .doc, .docx, .epub, .flp, .flv, .gif, .html, .itdb, .itl, .jpg, .m4a, .mdb, .mkv, .mp3, .mp4, .mpeg, .odt, .pdf, .php, .png, .ppt, .pptx, .psd, .py, .rar, .sql, .txt, .wma, .wmv, .xls, .xlsx, .xml, .zip

The ransomware employs AES-256 encryption algorithm and appends the encrypted files with the .se extension. The ransom notes demand $100 worth of Bitcoin (0.18 BTC) from its victims, which is relatively cheaper compared to other families. It connects to its command and control (C&C) servers to send and receive information (customizing the ID number, for instance) as well download the ransom notes, one of which is displayed as a wallpaper in the infected machine. Interestingly, the ransomware terminates itself if the system is not running Windows 7 or Windows 10.

Be Smarter

Malefactors are diversifying the personal accounts they target. Phished Netflix accounts, for instance, are an attractive commodity because one can be used simultaneously by different IP addresses. In turn, the victim doesn’t immediately notice the fraud—as long as it’s not topping the device limit. This highlights the significance for end users to keep their subscription accounts safe from crooks. Keep to your service provider’s security recommendations. More importantly, practice good security habits: beware of emails you receive pretending to be legitimate, regularly update your credentials, use two-factor authentication, and download only from official sources.

The scam is also a reminder of the risks involved in pirating content—may they be movies, music, software, or paid memberships. Does getting your important files encrypted worth the piracy? Netflix’s premium plan costs around $12 per month, and allows content to be streamed in four devices at the same time. Compare that with $100 you need to pay in order to get your files decrypted. Getting them back isn’t guaranteed either, as other ransomware families have shown.

Bad guys need only hack a modicum of weakness for which no patch is available—the human psyche. Social engineering is a vital component in this scam, so users should be smarter: don’t download or click ads promising the impossible. If the deal sounds too good to be true, it usually is.

Trend Micro Ransomware Solutions

PROTECTION FOR ENTERPRISES

  • Endpoint Protection

    Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

    Ransomware Behavior Monitoring
    Application Control
    Vulnerability Shielding
    Web Security
  • Network Protection

    Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

    Network Traffic Scanning
    Malware Sandbox
    Lateral Movement Prevention
  • Server Protection

    Trend Micro Deep SecurityTM detects and stops suspicious network activity and shields servers and applications from exploits.

    Webserver Protection
    Vulnerability Shielding
    Lateral Movement Prevention

PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS

  • Protection for Home Users

    Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

    IP/Web Reputation
    Ransomware Protection

 

Related Hash:

6ddc37ded7ab01e17e9c274b930d775a513db760 (SHA-1) — detected as RANSOM_ NETIX.A

Additional insights/analysis by David Sancho, Sylvia Lascano, and Edmark Dungca

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Netflix Scam Delivers Ransomware

Read more: Netflix Scam Delivers Ransomware

Incoming search terms

Story added 30. January 2017, content source with full text you can find at link above.