Palo Alto Networks Knowledgebase: Vulnerability Focus: Kovter Ransomware


Created On 07/18/19 19:27 PM - Last Updated 07/18/19 20:12 PM
Tags: Threat Intelligence, Threat Prevention

Malware such as spyware and viruses has been around since the mid-1990s, and although it is a big nuisance, many users hardly notice they have been infected or had their data leaked. In recent years, as cybercrime has evolved beyond hacktivism and script kiddies, the Internet has seen the emergence of a new threat: ransomware.


The techniques used by ransomware to gain a foothold remain mostly the same as those used by spyware: clickbait and fake emails that use social engineering to trick users into opening a malicious attachment or following a link to an infected site.


Rather than lying dormant, collecting information, or spreading infection in the background, ransomware encrypts the victim's hard drive and displays a ransom message demanding money in exchange for unlocking the drive. The encrypted drive also deters users from simply removing the malware, because doing so leaves their files encrypted and unrecoverable.


The Kovter variant adds an additional layer of social engineering by making it look as if the system has been locked down by the authorities (DoJ, FBI, and Homeland Security) because illegal content has been found on the computer. Users are led to believe that the content found on their computer violates federal laws on the exploitation of minors, and the message suggests serious jail time if the case goes to court. Conveniently, the message claims the infraction is deemed unintentional, so victimized users can buy their way out of court by paying a fine.


The Kovter variant sets itself apart from other police ransomware by collecting data from the victim's web browser and actively looking for any visited site that may contain pornographic material. It then crafts this information into the police message to make it more believable. If no such data is found, Kovter adds a random porn URL instead.


Palo Alto Networks has recorded many variant signatures for Kovter and can help protect your organization, but please make sure that endpoints are protected and that users are aware they need to exercise caution with unexpected attachments and links.


For more information:


Read more about how Ransomware works at Palo Alto Networks Unit 42

Read more about Kovter and other threat signatures in the Palo Alto Networks Threat Vault

Have any files you don't trust? Go ahead and upload them to WildFire
