Security Market Segment LS
Thursday, 07 May 2020 10:07

New strain of Windows ransomware targets Taiwan organisations

New strain of Windows ransomware targets Taiwan organisations Image by Till Ahrens from Pixabay

Several organisations in Taiwan have been targeted by a new Windows ransomware family that has been named ColdLock by the Japanese security firm Trend Micro.

In a blog post, the company said large databases and email servers appeared to be the targets for encryption.

The attacks appeared to have started early this month. Analysis of the malware showed similarities with the LockerGoga, Freezing and EDA2 educational ransomware kit, with more similarities to the last named than the previous two.

Trend Micro said it was unaware of the vector used by ColdLock.

"However, we believe that the attackers somehow gained access to the target organisation’s Active Directory servers," the post said.

"From this point, they were able to set Group Policies that led to the ransomware file being downloaded and run onto machines within the affected domain."

There was no indication as to whether ColdLock first downloads a victim's files before encrypting them and issuing a ransom note.

The ColdLock payload arrives as a ,NET executable (as a .DLL file) and uses PowerShell reflective loading to run this file.

One notable feature was that the executable would run only if the time was at, or after, 12.10pm on the victim's system.

Given its targets, ColdLock shut down any database or email server processes (mariadb, msexchangels, mssql, mysql, oracleservice) before getting down to encryption.

"Ransomware continues to be a lingering threat, something we mentioned in our last Annual Security Roundup after seeing that the number of ransomware cases we detected climbed from 55 million in 2018 to 61 million in 2019," Trend Micro said.

"Cases like these are more dangerous, as threats that compromise enterprise systems allow for much easier propagation within enterprise networks."


Recently iTWire remodelled and relaunched how we approach "Sponsored Content" and this is now referred to as "Promotional News and Content”.

This repositioning of our promotional stories has come about due to customer focus groups and their feedback from PR firms, bloggers and advertising firms.

Your Promotional story will be prominently displayed on the Home Page.

We will also provide you with a second post that will be displayed on every page on the right hand side for at least 6 weeks and also it will appear for 4 weeks in the newsletter every day that goes to 75,000 readers twice daily.


talentCRU FREE WEBINAR INVITE - Cybersecurity in COVID-19 times and beyond

With the mass transition to remote working, our businesses are becoming highly dependent on the Internet.

So, it’s no surprise that we’ve seen an increase in cyberattacks.

However, what’s more concerning is that just 51% of technology professionals are highly confident that their cybersecurity teams are able to detect and respond to these threats.

Join us for this free online roundtable where our experts discuss key cybersecurity issues IT leaders are facing during the pandemic, and the challenges that will likely emerge in the coming years.


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments