In Iran, it has been revealed that a new piece of ransomware has been distributed in the country through a modified VPN app, though the ransom being demanded is modest compared to some other recent high-profile ransomware incidents.
The VPN in question is Psiphon VPN, a free provider which, according to its website, is based in Canada. It offers a Farsi translation and Farsi-language support, which explains why it has proved rather more popular in Iran than elsewhere in the world.
A Dumb hacker using the DUMB code
But now Maher, Iran’s Computer Emergency Response Team Coordination Center (CERTCC), has issued a warning about a modified version of the Psiphon VPN client app. It says the modified app is being used to spread a ransomware known as Tyrant.
Tyrant is believed to be a variant of the DUMB code, which security researchers believe first emerged at the beginning of the year. Those unfortunate enough to be infected by Tyrant see a ransom message on their screen in Farsi. It demands a payment of US$15 (£11), to be made via one of two Iranian online payment services: exchanging.ir or webmoney724.ir.
The main reason for the low ransom appears to be that the ransomware itself is not very effective. According to the CERTCC alert, it does not always manage to encrypt anything, and it stops working once the device is restarted.
The author of the DUMB code, known online as Alphadelta, said in response to this news that “The fact that people are actually unironically using DUMB as a base for their ransomware is, well, pretty DUMB. It’s not meant to be something workable into a legitimate ransomware.”
Hackers targeting VPNs
So, for users who are hit, unlocking any encrypted data is fairly straightforward. More worrying than the effectiveness of the ransomware, though, is the way VPN users have been targeted.
VPNs have a reasonably good public reputation, the result of relatively few security and privacy breaches having affected their users so far. The recent story of PureVPN handing over user data in the case of a cyber stalker was the first such incident in a while.
But this incident goes further, because it indicates that attackers are actively using VPN software as a vehicle for delivering malware onto users’ devices.
According to Marco Cova, a senior security researcher at Lastline, this should not come as a huge surprise. “It’s not surprising that users looking for security and privacy software are targeted; several years ago, we observed similar attacks in the form of malware pretending to be anti-virus tools.”
A number of VPN providers have been used to deliver either malware or malvertising content to their users over the years. However, it should be noted that the overwhelming majority of these have been free VPN providers. In just one example, we reported earlier this year on the case of free VPN Chrome extensions being hacked.
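The practical defence against a modified client like the one described above is to refuse to install any VPN app whose installer does not match the checksum the vendor publishes for that release. The following is an added example written for this article, not code from the article or from Psiphon: it streams a downloaded file through SHA-256 and compares the result against a list of vendor-published digests using a constant-time comparison. The file names, file contents and digest list are constructed stand-ins; Psiphon’s real release hashes are not on this page and must be taken from the vendor’s own site.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 16  # read 64 KiB at a time so large installers never sit in memory whole


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_digests):
    """Return (ok, actual_digest).

    ok is True only if the file's SHA-256 equals one of the digests the vendor
    published for this release. hmac.compare_digest avoids leaking how many
    leading characters matched, which is cheap insurance when the comparison
    runs on a server-side download gateway.
    """
    actual = sha256_of_file(path)
    ok = any(hmac.compare_digest(actual, d.strip().lower()) for d in published_digests)
    return ok, actual


def demo():
    """Constructed demonstration: a 'genuine' installer and a 'modified' one.

    The byte strings are stand-ins, not real Psiphon binaries, and the digest
    list plays the role of the vendor's published checksums (an assumption
    for the example, not a value from the article).
    """
    genuine = b"PSIPHON-INSTALLER-GENUINE\n" * 1000
    modified = genuine + b"<!-- extra payload appended by a third party -->\n"
    published = [hashlib.sha256(genuine).hexdigest()]

    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "psiphon.exe")
        bad = os.path.join(d, "psiphon_modified.exe")
        with open(good, "wb") as f:
            f.write(genuine)
        with open(bad, "wb") as f:
            f.write(modified)
        good_ok, _ = verify_download(good, published)
        bad_ok, _ = verify_download(bad, published)
    return good_ok, bad_ok


if __name__ == "__main__":
    # The genuine stand-in verifies; the one with an appended payload does not.
    print(demo())
```

A checksum only helps if it was obtained over a channel the attacker does not control (the vendor’s own HTTPS site, not the same mirror or forum that served the installer). Where the vendor signs its releases, checking the code signature is the stronger test, because a signature cannot be regenerated by whoever repackaged the app.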
Avoid Free VPNs
In general, it is best to avoid free VPN providers, as we have explained elsewhere. They have to cover their costs somehow, and this usually means either selling user data or cutting corners on encryption and other security settings.
The modified Psiphon VPN client app is just the latest identified example of this. If users want to be sure their online data is secure and private, their best bet is to sign up with a reputable VPN provider such as IPVanish or ExpressVPN, which offer security and privacy guarantees you can trust and which are far less likely to be hacked or to deliver ransomware to you.