nsane.forums

Showing results for tags 'ransomware'.



Found 14 results

  1. On Monday, Michigan Governor Rick Snyder signed two bills into law that criminalize the possession of ransomware "with the intent to introduce it into a computer or computer network without authorization" and punish offenders with a three-year prison sentence, respectively. Legislators initially sought a ten-year prison sentence, but this was knocked down to three years in subsequent deliberations.

Two new laws correct a legislative loophole

The two new laws —PAs 95 and 96 of 2018— are based on two bills —HB-5257 and HB-5258— introduced last year by Michigan House Representative Brandt Iden, of Oshtemo, and Representative James Lower, of Cedar Lake, respectively. Rep. Iden said he wanted to correct a legislative loophole that only punished cybercriminals for using the ransomware, but not for possessing it.

According to the new bill, if a suspected cybercriminal is arrested and ransomware is found on his computer, the suspect would end up in prison, even if he didn't get to infect any victims. This, in theory, should make it easier for state authorities to go after suspected ransomware developers, affiliates, and others involved in Ransomware-as-a-Service operations. Just like most crimes, investigators must prove "intent to use" before charging someone with ransomware possession, which is now a felony. Michigan legislators weren't absurd —unlike their Georgia fellows— and left room for security experts to possess ransomware for research purposes.

1,300+ ransomware incidents reported in Michigan last year

According to FBI statistics, there were over 1,300 ransomware incidents reported in the state of Michigan last year, with damages estimated at around $2.6 million.

"Cybercrime and tough measures to combat it is a rapidly evolving effort, and it's integral our law enforcement agencies have the tools to identify, prevent and penalize it," Gov. Snyder said on Monday. Both bills passed with the same vote tallies, 103 to 3 in the House, and 34 to 0 in the Michigan Senate.

Source
  2. In the news, Boeing (an aircraft maker) has been "targeted by a WannaCry virus attack". Phrased this way, it's implausible. There are no new attacks targeting people with WannaCry. There is either no WannaCry, or it's simply a continuation of the attack from a year ago.

It's possible what happened is that an anti-virus product called a new virus "WannaCry". Virus families are often related, and sometimes a distant relative gets called the same thing. I know this from watching the way various anti-virus products label my own software, which isn't a virus, but which virus writers often include with their own stuff. The Lazarus group, which is believed to be responsible for WannaCry, have whole virus families like this. Thus, just because an AV product claims you are infected with WannaCry doesn't mean it's the same thing that everyone else is calling WannaCry.

Famously, WannaCry was the first virus/ransomware/worm that used the NSA ETERNALBLUE exploit. Other viruses have since added the exploit, and of course, hackers use it when attacking systems. It may be that a network intrusion detection system detected ETERNALBLUE, which people then assumed was due to WannaCry. It may actually have been an nPetya infection instead (nPetya was the second major virus/worm/ransomware to use the exploit).

Or it could be the real WannaCry, but it's probably not a new "attack" that "targets" Boeing. Instead, it's likely a continuation from WannaCry's first appearance. WannaCry is a worm, which means it spreads automatically after it was launched, for years, without anybody in control. Infected machines still exist, unnoticed by their owners, attacking random machines on the Internet. If you plug an unpatched computer into the raw Internet, without the benefit of a firewall, it'll get infected within an hour. However, the Boeing manufacturing systems that were infected were not on the Internet, so what happened?

The narrative from the news stories implies some nefarious hacker activity that "targeted" Boeing, but that's unlikely. We now have over 15 years of experience with network worms getting into strange places disconnected and even "air gapped" from the Internet.

The most common reason is laptops. Somebody takes their laptop to some place like an airport WiFi network, and gets infected. They put their laptop to sleep, then wake it again when they reach their destination, and plug it into the manufacturing network. At this point, the virus spreads and infects everything. This is especially the case with maintenance/support engineers, who often have specialized software they use to control manufacturing machines, for which they have a reason to connect to the local network even if it doesn't have useful access to the Internet. A single engineer may act as a sort of Typhoid Mary, going from customer to customer, infecting each in turn whenever they open their laptop.

Another cause for infection is virtual machines. A common practice is to take "snapshots" of live machines and save them to backups. Should the virtual machine crash, instead of rebooting it, it's simply restored from the backed-up running image. If that backup image is infected, then bringing it out of sleep will allow the worm to start spreading.

Jake Williams claims he's seen three other manufacturing networks infected with WannaCry. Why does manufacturing seem more susceptible? The reason appears to be the "killswitch" that stops WannaCry from running elsewhere. The killswitch uses a DNS lookup, stopping itself if it can resolve a certain domain. Manufacturing networks are largely disconnected from the Internet enough that such DNS lookups don't work, so the domain can't be found, so the killswitch doesn't work. Thus, manufacturing systems are no more likely to get infected, but the lack of a killswitch means the virus will continue to run, attacking more systems instead of immediately killing itself.

One solution to this would be to set up sinkhole DNS servers on the network that resolve all unknown DNS queries to a single server that logs all requests. This is trivially set up with most DNS servers. The logs will quickly identify problems on the network, as well as any hacker or virus activity. The side effect is that it would make this killswitch kill WannaCry. WannaCry isn't sufficient reason to set up sinkhole servers, of course, but it's something I've found generally useful in the past.

Conclusion

Something obviously happened to the Boeing plant, but the narrative is all wrong. Words like "targeted attack" imply things that likely didn't happen. Facts are so loose in cybersecurity that it may not have even been WannaCry. The real story is that the original WannaCry is still out there, still trying to spread. Simply put a computer on the raw Internet (without a firewall) and you'll get attacked. That, somehow, isn't news. Instead, what's news is whenever that continued infection hits somewhere famous, like Boeing, even though (as Boeing claims) it had no important effect.

Source
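As an added example (not from the original post), here is a minimal Python model of the sinkhole idea described above: names under zones the network actually serves get their real answer, every other name is answered with one sinkhole address and logged, and a summary ranks the hosts that keep asking for unknown names. The zones, addresses, and query lines are constructed for the example.

```python
"""Added example: a DNS sinkhole policy plus a log summary.  A killswitch-style
lookup on an isolated network now resolves (to the sinkhole) and is recorded,
instead of silently failing.  All names, addresses and traffic are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

SINKHOLE_IP = "10.255.255.1"          # constructed: the host that logs every hit
INTERNAL_ZONES = {                    # constructed: zones we legitimately serve
    "plant.example": {"hmi01.plant.example": "10.10.1.5",
                      "fileserver.plant.example": "10.10.1.20"},
}


@dataclass
class Sinkhole:
    log: list = field(default_factory=list)   # entries: (client_ip, qname, answer)

    def resolve(self, client_ip: str, qname: str) -> str:
        """Answer a query: real record inside our zones, sinkhole for everything else."""
        qname = qname.rstrip(".").lower()
        for zone, records in INTERNAL_ZONES.items():
            if qname == zone or qname.endswith("." + zone):
                answer = records.get(qname, "NXDOMAIN")
                self.log.append((client_ip, qname, answer))
                return answer
        # Unknown name: point the client at a host we control and log the request.
        self.log.append((client_ip, qname, SINKHOLE_IP))
        return SINKHOLE_IP


def sinkholed_queries(log):
    """Return {client_ip: Counter(qname)} for the queries that hit the sinkhole."""
    hits = defaultdict(Counter)
    for client_ip, qname, answer in log:
        if answer == SINKHOLE_IP:
            hits[client_ip][qname] += 1
    return hits


def suspicious_clients(log, threshold=3):
    """Clients with at least `threshold` sinkholed queries, most active first.
    On an isolated manufacturing segment almost nothing should be asking for
    external names, so a chatty host is worth a look."""
    totals = {ip: sum(c.values()) for ip, c in sinkholed_queries(log).items()}
    ranked = sorted(totals.items(), key=lambda kv: -kv[1])
    return [(ip, n) for ip, n in ranked if n >= threshold]


if __name__ == "__main__":
    sh = Sinkhole()
    # Constructed traffic: one workstation doing normal internal lookups and one
    # host repeatedly asking for external names it has no business resolving.
    for q in [("10.10.1.50", "fileserver.plant.example"),
              ("10.10.1.50", "hmi01.plant.example"),
              ("10.10.1.77", "killswitch-check.example.invalid"),
              ("10.10.1.77", "killswitch-check.example.invalid"),
              ("10.10.1.77", "update.example.net"),
              ("10.10.1.77", "cdn.example.org")]:
        sh.resolve(*q)
    for ip, n in suspicious_clients(sh.log):
        print(f"{ip}: {n} sinkholed queries -> {dict(sinkholed_queries(sh.log)[ip])}")
```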
  3. Qwerty Ransomware Utilizes GnuPG to Encrypt a Victim's Files

A new ransomware has been discovered that utilizes the legitimate GnuPG, or GPG, encryption program to encrypt a victim's files. Currently in the wild, this ransomware is called Qwerty Ransomware and will encrypt a victim's files, overwrite the originals, and then append the .qwerty extension to an encrypted file's name. It goes without saying that GnuPG is a legitimate program being illegally used by the Qwerty Ransomware developers.

While a ransomware using GnuPG to encrypt files is not unique, as it has been done in the past with VaultCrypt and KeyBTC, it is not something that is commonly seen. While it is not known for sure how this ransomware is being distributed, it appears likely that it is manually installed by the attacker when they hack into computers running Remote Desktop Services.

When it was first discovered by MalwareHunterTeam, we did not have the full package in order to fully analyze it. This week MalwareHunterTeam was able to find the complete package hosted on a site so that we could analyze it further.

How the Qwerty Ransomware encrypts a computer

The Qwerty Ransomware consists of a package of individual files that are run together to encrypt a computer. This package consists of the GnuPG gpg.exe executable, the gnuwin32 shred.exe file, a batch file that loads the keys and launches a JS file, and a JS file that is used to launch the find.exe program.

[Image: Qwerty Ransomware Package]

The first file to be launched is the key.bat file. This file acts as the main launcher for the ransomware by executing various commands sequentially.

[Image: Batch File]

When the batch file is executed, the keys will be imported as shown below.

[Image: Importing Keys]

After the keys are imported, the batch file will launch run.js. This file will execute the find.exe program, which is the main ransomware component. When executing find.exe, it will specify a particular drive letter that it tries to encrypt.

[Image: JavaScript File]

When find.exe is executed it will launch the following commands on the victim's computer:

taskkill /F /IM sql /T
taskkill /F /IM chrome.exe /T
taskkill /F /IM ie.exe /T
taskkill /F /IM firefox.exe /T
taskkill /F /IM opera.exe /T
taskkill /F /IM safari.exe /T
taskkill /F /IM taskmgr.exe /T
taskkill /F /IM 1c /T
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete
bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe bcdedit /set {default} recoveryenabled no
wbadmin.exe wbadmin delete catalog -quiet
del /Q /F /S %s$recycle.bin

It will then begin to encrypt each drive on the computer by executing the following command when it encrypts a file:

gpg.exe --recipient qwerty -o "%s%s.%d.qwerty" --encrypt "%s%s"

This command will encrypt the file using the imported public key and then save it as a new file under the same name, but now with the .qwerty extension appended to it. For example, test.jpg would be encrypted and saved as test.jpg.qwerty.

[Image: Encrypted Qwerty Files]

When encrypting files, it will encrypt any file that does not contain the following strings:

Recycle
temp
Temp
TEMP
windows
Windows
WINDOWS
Program Files
PROGRAM FILES
ProgramData
gnupg
.qwerty
README_DECRYPT.txt
.exe
.dll

After it encrypts a file it will run the shred.exe file on the original file in order to overwrite it:

shred -f -u -n 1 "%s%s"

It should be noted that it only overwrites files once, so they may be recoverable with file recovery software. The use of only one wipe is a tradeoff between speed and securely deleting the file.

In each folder in which a file is encrypted, it will create a ransom note named README_DECRYPT.txt which contains instructions to contact [email protected] to receive payment instructions.

[Image: Qwerty Ransom Note]

Unfortunately, this ransomware is secure and there is no way to decrypt files for free, as only the attacker has possession of the private decryption key.
Due to the components used to encrypt the computer, the process is very slow, so it may be possible to spot the ransomware in action and shut down the computer before it encrypts too many files.

How to protect yourself from the Qwerty Ransomware

In order to protect yourself from ransomware in general, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

As Qwerty appears to be installed via hacked Remote Desktop services, it is very important to make sure it's locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead, place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network. It is also important to set up proper account lockout policies so that it is difficult for accounts to be brute forced over Remote Desktop Services.

You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

Backup, Backup, Backup!
Do not open attachments if you do not know who sent them.
Do not open attachments until you confirm that the person actually sent you them. Scan attachments with tools like VirusTotal.
Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
Make sure you have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if you're willing to stick with it, it could have the biggest payoffs.
Use hard passwords and never reuse the same password at multiple sites.

For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.

IOCs

Associated Files:
README_DECRYPT.txt

Ransom Note Text:
Your computer is encrypted . Mail [email protected] . Send your ID 5612. Note! You have only 72 hours for write on e-mail (see below) or all your files will be lost!
Associated Emails:
[email protected]

Executed Commands:
taskkill /F /IM sql /T
taskkill /F /IM chrome.exe /T
taskkill /F /IM ie.exe /T
taskkill /F /IM firefox.exe /T
taskkill /F /IM opera.exe /T
taskkill /F /IM safari.exe /T
taskkill /F /IM taskmgr.exe /T
taskkill /F /IM 1c /T
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete
bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe bcdedit /set {default} recoveryenabled no
wbadmin.exe wbadmin delete catalog -quiet
del /Q /F /S %s$recycle.bin
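As an added example (not part of the original article or of BleepingComputer's own tooling), the following Python scores process-creation events for the command sequence Qwerty runs: the shadow-copy and boot-recovery commands, the taskkill sweep, and the gpg.exe/shred.exe pair that does the actual encrypting. One vssadmin call can be legitimate admin work; it is the combination on one host that earns an alert. Host names, parent images and the sample events are constructed for the example.

```python
"""Added example: detection logic for the Qwerty command chain, run over
constructed process-creation events of the kind Sysmon event 1 or Windows 4688
produce.  Each event is (host, parent image, command line)."""
import re
from collections import defaultdict

# Commands listed in the article, as (name, pattern, weight).  Recovery-inhibition
# commands carry most of the weight; the gpg call to recipient "qwerty" is the
# strongest single indicator.
INHIBIT_RECOVERY = [
    ("shadow_copy_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), 3),
    ("wmic_shadowcopy_delete", re.compile(r"wmic\s+shadowcopy\s+delete", re.I), 3),
    ("bcdedit_ignore_failures", re.compile(r"bcdedit.*bootstatuspolicy\s+ignoreallfailures", re.I), 2),
    ("bcdedit_recovery_off", re.compile(r"bcdedit.*recoveryenabled\s+no", re.I), 2),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin\s+delete\s+catalog", re.I), 3),
    ("recycle_bin_purge", re.compile(r"del\s+/Q\s+/F\s+/S\s+\S*\$recycle\.bin", re.I), 1),
]
ENCRYPT_CHAIN = [
    ("gpg_encrypt_to_qwerty", re.compile(r"gpg(\.exe)?\s+--recipient\s+qwerty\b.*--encrypt", re.I), 4),
    ("shred_original", re.compile(r"shred(\.exe)?\s+-f\s+-u\s+-n\s+1\b", re.I), 2),
    ("taskkill_sweep", re.compile(r"taskkill\s+/F\s+/IM\s+\S+\s+/T", re.I), 1),
]
ALERT_THRESHOLD = 6   # a lone shadow-copy deletion (3) stays below this


def score_host_events(events):
    """Group events per host; return {host: (score, sorted matched behaviour names)}.
    Each behaviour counts once per host, so repeating one command does not inflate it."""
    per_host = defaultdict(lambda: [0, set()])
    for host, _parent, cmdline in events:
        for name, rx, weight in INHIBIT_RECOVERY + ENCRYPT_CHAIN:
            if rx.search(cmdline) and name not in per_host[host][1]:
                per_host[host][0] += weight
                per_host[host][1].add(name)
    return {h: (s, sorted(names)) for h, (s, names) in per_host.items()}


def alerts(events, threshold=ALERT_THRESHOLD):
    """Hosts whose distinct matched behaviours add up to at least the threshold."""
    return sorted(h for h, (score, _n) in score_host_events(events).items() if score >= threshold)


# Constructed sample: one host showing the Qwerty chain, one admin doing a single
# legitimate shadow-copy cleanup, one developer using gpg for an unrelated recipient.
SAMPLE_EVENTS = [
    ("WS-07", "find.exe", "taskkill /F /IM chrome.exe /T"),
    ("WS-07", "find.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("WS-07", "find.exe", "wmic shadowcopy delete"),
    ("WS-07", "find.exe", "bcdedit.exe bcdedit /set {default} recoveryenabled no"),
    ("WS-07", "find.exe", 'gpg.exe --recipient qwerty -o "D:\\docs\\test.jpg.1.qwerty" --encrypt "D:\\docs\\test.jpg"'),
    ("WS-07", "find.exe", 'shred -f -u -n 1 "D:\\docs\\test.jpg"'),
    ("ADMIN-01", "cmd.exe", "vssadmin delete shadows /for=C: /oldest"),
    ("DEV-02", "cmd.exe", "gpg --recipient alice@example.invalid --encrypt notes.txt"),
]

if __name__ == "__main__":
    for host, (score, names) in score_host_events(SAMPLE_EVENTS).items():
        print(f"{host}: score={score} matched={names}")
    print("alerts:", alerts(SAMPLE_EVENTS))
```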
  4. 2016 was the year of ransomware – 146 new strains of this destructive malware were discovered, which earned cybercriminals an estimated worldwide profit of around one billion dollars in 2016. By contrast, in 2015 only 29 strains of ransomware were discovered.

Until recently, Windows users were the primary target for ransomware attacks, but now hackers are also targeting Mac and Linux users too. More recently, smartphones or tablets with an Android or iOS operating system are also becoming targets. The reason for this is simple: the proportion of Apple and Linux-based computers is increasing, and who doesn’t have a smartphone these days?!

Traditionally, you would have felt quite safe as a Mac or Linux user; Windows users have always been plagued with a high risk of catching viruses, worms or Trojans, whereas Apple or UNIX systems (including smartphones) have enjoyed a low threat level when it comes to malware. But has that now all changed?

Mac is still more secure than Windows

Mac users are currently still far less vulnerable than Windows users, as the spread of ransomware on the Mac so far requires manual involvement of the user. However, it will certainly come to a point where attackers find a more efficient way of disseminating their malware, by which time macOS could be just as vulnerable as Windows. Although the malware ‘Patcher’ was recently discovered as an application for cracking popular software, the program is quite bumpy. In fact, the code for communicating with the host server to pay the ransom is often missed out, which means you are left high and dry with all your data encrypted and no hope of getting it back by paying the ransom (although in every case it is advisable not to pay the ransom anyway).

A more dangerous strain is ‘KeRanger’, which attacked about 7,000 Macs in 2016, even hitting Time Machine backups. A quick intervention by Apple prevented the spread from getting any worse, but when one malware program is successful you can bet that there will be more right behind it. It is therefore important that your backups should be stored on a storage medium that is not connected to the internet or the network. That way you can still access your data if something goes wrong with your main computer (this is good practice anyway, but it is especially true when it comes to overcoming ransomware attacks).

Cybercriminals are also interested in Linux machines

Ransomware is currently not much of a problem for Linux systems. A pest discovered by security researchers is a Linux variant of the Windows malware ‘KillDisk’. However, this malware has been noted as being very specific, attacking high-profile financial institutions and also critical infrastructure in Ukraine. Another problem here is that the decryption key that is generated by the program to unlock the data is not stored anywhere, which means that any encrypted data cannot be unlocked, whether the ransom is paid or not. Data can still sometimes be recovered by experts like Ontrack; however, timescales, difficulty and success rates depend on the exact situation and strain of ransomware.

The Linux counterpart to KeRanger is called ‘Linux.Encoder’. This malicious program originally came from an open source ransomware project and is relatively easy to comprehend because of its half-baked programming. As a result, the chance of getting lost data back is high, for now. Again, the industry will need to deal with improved versions in the future, but at least for now the situation is still pretty relaxed.

Smartphones are the top target

Almost everyone today has a smartphone, and on it often resides a variety of private and business data, which is a prime target for hackers to hold hostage. However, infection with the malware does not happen automatically; the user of the phone must actively and independently participate, for example, by installing a contaminated app on a device. However, in these cases not everything is lost – putting a smartphone into ‘safe mode’ can help to uninstall rogue apps, or some specialist software tools can remove it for you. As a last resort you can even reset the phone to factory settings, which will ‘delete’ all data stored on the device. Although the manufacturer of the smartphone operating system Android (Google) reacts quite well to known malware problems, it still may take some time for the device manufacturers to incorporate the updates into their own brand-specific operating systems and then deliver them to their customers.

Apple vs. Android

Apple users rejoice – iPhones are better off. Previous reports about surfaced ransomware were not completely correct, and in most cases they were just pseudo-ransomware attacks or simple error message spam. The reason for the much better performance compared to Android phones is on the one hand that Apple does not work with open source software and on the other hand that Apple reacts very quickly to possible problem areas and provides its customers with updates – without having to take the long route via external companies. However, even with Apple smartphones it is always possible that this could change in the future, leaving data at risk.

Therefore, it is recommended (as with all computers and devices that store data) to create frequent backups. If you’re lucky and have backed up properly then getting your data back might be as simple as wiping your device completely, initiating a fresh install and then restoring your data from the backups. If your backups did not work and you find your data being attacked and encrypted by ransomware, you should contact a data recovery service provider like Ontrack immediately.

Remember not to try out any DIY data recovery methods you might find on the Internet, as it can often make the situation worse. It’s much safer to shut down your affected device and contact a professional to understand exactly what your options are and the likely chances of a successful recovery being possible.

Have you ever been hit by ransomware? What happened and were you able to get your data back?

Source
  5. Data Keeper Ransomware Makes First Victims Two Days After Release on Dark Web RaaS

Two days after crooks started advertising the Data Keeper Ransomware-as-a-Service (RaaS) on the Dark Web, ransomware strains generated on this portal have already been spotted in the wild, infecting the computers of real-world users. Spotted earlier this week by Bleeping Computer, Data Keeper is the third ransomware strain offered as a RaaS offering this year, after Saturn and GandCrab.

Another RaaS opens its gates for everybody

The service launched on February 12 but didn't actually come online until February 20, and by February 22, security researchers were already reporting seeing the first victims complaining of getting infected. Just like the Saturn RaaS, Data Keeper lets anyone sign up for the service and lets them generate weaponized binaries right away, without having to pay a fee to activate an account. Data Keeper maintainers are encouraging users to generate ransomware samples and distribute them to victims, with the promise of receiving a share of the ransom fee in case victims pay to decrypt their files. But while the Saturn crew made their commission known upfront (30% of the total ransom fee), the Data Keeper crew doesn't disclose the amount of Bitcoin they keep from affiliates. Sections are available in the Data Keeper RaaS backend that allow users to enter the Bitcoin wallet where they want to receive their "earnings," sections where they can generate the ransomware's encryptor binary, and a section from where they can download various files, including a sample decrypter.

Data Keeper ransomware looks well-coded

The ransomware generated via the Data Keeper RaaS is coded in .NET, and while .NET ransomware is usually considered the bottom of the barrel regarding ransomware quality, this one appears to be written by someone more adept than the usual mob of .NET malware noobs.

"The in the wild [Data Keeper ransomware] sample we saw on Thursday consists of 4 layers," said MalwareHunter, a security researcher who helped Bleeping Computer analyze the ransomware for this article. "The first layer is an EXE that will drop another EXE to %LocalAppData% with a random name and a .bin extension. It then executes it with ProcessPriorityClass.BelowNormal and ProcessWindowStyle.Hidden parameters," MalwareHunter says. "That second EXE will load a DLL, which will load another DLL containing the actual ransomware that encrypts all the files. All layers have custom strings and resources protection," he says. "And then each layer is protected with ConfuserEx."

This is an unusually complex level of protection when compared to the troves of .NET ransomware that have floated online in the past year. Furthermore, this is also one of the few ransomware strains that uses PsExec, a command-line-based remote administration tool. DataKeeper uses PsExec to execute the ransomware on other machines on victims' networks.

Data Keeper ransomware doesn't use a special file extension

Victims infected with versions of this ransomware will have their files encrypted with a dual AES and RSA-4096 algorithm. Data Keeper also enumerates and tries to encrypt all network shares it can get access to. Data Keeper doesn't add a special extension at the end of encrypted files, meaning victims won't be able to tell what files are encrypted unless they try to open one. This is actually quite clever, as it introduces a sense of uncertainty for each victim, with users not knowing the amount of damage the ransomware has done to their PCs. Further, the RaaS lets each affiliate select what file types to target, meaning different versions of Data Keeper will encrypt different files for each victim. The only visible sign that victims have been infected is the "!!! ##### === ReadMe === ##### !!!.htm" file that Data Keeper places in each folder in which it encrypts files.

The ransom fee is also configurable in the RaaS, so this value also varies from victim to victim. Infected users are told to access a Dark Web URL for more information on the steps necessary to pay the ransom fee and receive a decrypter that will unlock their files. Based on the wording of the ransom note above, if Data Keeper infects a company's computers, the victim will have to pay to unlock each computer one at a time. This means a simple infection can reach staggering costs for some companies that did not have backups but want to recover their files.

Data Keeper ransomware versions spotted in the wild

At the time of writing, there appear to be multiple threat actors that have signed up for the RaaS, obtained weaponized binaries, and are now distributing Data Keeper to users. MalwareHunter has told Bleeping Computer that one of the threat actors currently distributing a variant of the Data Keeper ransomware is hosting the malicious binaries on the server of a home automation system. Crooks have also updated this particular ransomware binary from day to day, meaning they are fine-tuning their attacks, and are serious about their intentions and not carrying out just a simple test run.

Researchers who looked into Data Keeper's encryption scheme for weaknesses were not able to find any bugs or mistakes they could exploit to recover victims' files. If they find anything and create a free decrypter, we'll update this article with a link to its download location.

IOCs:
Encrypter: 912bfac6b434d0fff6cfe691cd8145aec0471aa73beaa957898cfabd06067567
Decrypter: 8616263bdbbfe7cd1d702f3179041eb75721b0d950c19c2e50e823845955910d

Ransom note text:

Source
  6. ShieldApps’ Ransomware Defender deals with known ransomware in a way no other solution can. Specially designed for detecting and blocking ransomware prior to any damage, Ransomware Defender blacklists and stops both common and unique ransomware. Once installed, Ransomware Defender stands guard 24/7 utilizing active protection algorithms enhanced with a user-friendly alerts and notifications system. Ransomware Defender is fully automated, taking care of all threats via an advanced Scan > Detect > Lock Down mechanism that proactively stands guard against detected threats, and works alongside all main antivirus and anti-malware products! Ransomware Defender also features a scheduled automatic scan, secured file eraser, lifetime updates and support!

More Screenshots:

Homepage: https://shieldapps.com/products/ransomware-defender/ or https://www.shieldapps.online/collections/ransomware-defender
Download: https://s3.amazonaws.com/shield-products/RansomwareDefender/ShieldApps/RansomwareDefenderSetup.exe or https://s3.amazonaws.com/shield-products/RansomwareDefender/Reseller/RansomwareDefenderSetup.exe
Manual/Guide: https://s3.amazonaws.com/partnertemporary/resellerresources/Ransomware+Defender+Operation+Manual.pdf

3.5.8 - 3.x Patch from URET TEAM - igorca:
Site: https://yadi.sk
Sharecode[?]: /d/CPeTqzwJ3HqiyP
  7. Trend Micro Ransom Buster v12.0.2.1125
File size: 123 MB

Reinforce your protection against ransomware. Ransom Buster offers protection from all forms of ransomware and provides an additional layer of security for your computer to protect important files and precious memories. It does not matter whether you have already installed security software.

Easy handling: After you have selected a protected folder, Ransom Buster automatically prevents unknown programs from accessing your protected files.
Intelligent: Common applications, such as Microsoft Office, can automatically access your protected folders, whereby the occurrence of false alarms is minimized.
Flexible: Access to protected files can easily be granted to trusted applications.
Compatible: Ransom Buster complements your current security software with an additional layer of security.
Compact: Your PC will not slow down, and it does not require virus pattern updates.
Automatic updates: Do not be concerned any more about new threats. Ransom Buster is updated automatically, so your files stay safe - no matter what they are facing.

System requirements: Ransom Buster supports Windows 7, Windows 8, Windows 8.1, Windows 10 and newer versions. Ransom Buster is already included in Trend Micro Security products (Antivirus+/Internet Security/Maximum Security).

Release Notes
Changes in v12.0.2.1125: some minor improvements.

Get Ransom Buster for free for a limited time only.

Homepage: https://www.ransombuster.trendmicro.com/
Videos: https://www.ransombuster.trendmicro.com/#video
Download: https://ti-res.trendmicro.com/ti-res/FST/1202/1124/RansomBuster.exe
  8. After a year of headline-grabbing ransomware campaigns, it looks like hackers are launching the attacks less frequently. Ransomware is malicious software that can lock up your files until you send hackers a ransom payment. It featured in the WannaCry attacks in May and the NotPetya attacks in June, both of which swept through hospitals, banks and governments in several countries. But after July, the rates of ransomware infections dropped sharply, according to a report from Malwarebytes. If the trend continues, it would mean a reprieve from an attack that targeted institutions where time is money, like banks, or where lives could hang in the balance, like hospitals. So why would hackers ditch one of their favorite attacks? It turns out that computer users have a really valuable tool against ransomware: backing up their files. That's according to Chris Boyd, a malware analyst at Malwarebytes, who told ZDNet that publicity around the major ransomware attacks probably helped educate people about how to avoid needing to pay by uploading files to the cloud or a backup device. "This alone, even without additional security precautions, effectively deadens the otherwise considerable sting of the threat," Boyd told ZDNet, a CNET sister site. The company sells a product that detects and blocks malicious software for businesses and regular computer users. That's not to say hackers aren't hacking. They've simply turned to other kinds of attacks to steal money, such as banking trojans and adware, both of which are old-school hacking tricks. Hackers are also still innovating. Adam Kujawa, director of malware intelligence at Malwarebytes, said the biggest trend he observed in December was the rise of "crypto-jacking." That's when websites you visit secretly use your computer's processing power to run a program that creates bitcoins. That lets hackers make money off your computer. 
And, Kujawa said, "it wears down resources really fast," slowing down your computer's performance. But hey, at least you can still access your files. Source: https://www.cnet.com/news/wannacry-notpetya-ransomware-hackers-2017-less-popular-malwarebytes/
9. Talos has been working in conjunction with Cisco IR Services on what we believe to be a new variant of the SamSam ransomware. This ransomware has been observed across multiple industries including Government, Healthcare and ICS. These attacks do not appear to be highly targeted, and appear to be more opportunistic in nature.

Given SamSam's victimology, its impacts are not just felt within the business world; they are also impacting people, especially if we consider the Healthcare sector. Non-urgent surgeries can always be rescheduled, but if we take as an example patients whose medical history and former medical treatment are crucial, the impact may be more severe. Furthermore, many critical life-saving medical devices are now highly computerized. Ransomware can impact the operation of these devices, making it very difficult for medical personnel to diagnose and treat patients and leading to potentially life-threatening situations. Equipment that might be needed in time-sensitive operations may be made unavailable because the computer used to operate the equipment is unavailable.

The initial infection vector for these ongoing attacks is currently unknown and Talos is investigating in order to identify it. The history of SamSam indicates that attackers may follow their previous modus operandi of exploiting a host and then laterally moving within their target environment to plant and later run the SamSam ransomware. We previously observed the adversaries attacking vulnerable JBoss hosts during a wave of SamSam attacks in 2016. Although the infection vector for the new variant is not yet confirmed, there is a possibility that compromised RDP/VNC servers have played a part in allowing the attackers to obtain an initial foothold.

There are no differences between the encryption mechanism used by this current SamSam variant compared to older versions. However, this time the adversaries have added some string obfuscation and improved the anti-analysis techniques used to make detection and analysis marginally more difficult. This new variant is deployed using a loader which decrypts and executes an encrypted ransomware payload; this loader/payload model represents an improvement in the anti-forensic methods used by the malware. Samples containing this loader mechanism have been found as far back as October 2017.

The wallet used by SamSam for this wave is shared by multiple infected victims, as observed by monitoring the wallet at 1MddNhqRCJe825ywjdbjbAQpstWBpKHmFR. We are also able to confirm the first payment into this wallet was received on 25th December 2017 - a nice holiday gift for this adversary. This can be confirmed by observing the first wallet transaction found on the Bitcoin blockchain. There is a possibility that other Bitcoin wallets are also used, but Talos is currently unaware of any others.

Similar to the previous variants, we believe the deployment of this SamSam variant to be highly manual, meaning an adversary must take manual action in order to execute the malware. The symmetric encryption keys are randomly generated for each file. The Tor onion service and the Bitcoin wallet address are hardcoded into the payload, whilst the public key is stored in an external file with the extension .keyxml. Additionally, code analysis didn't find any kind of automated mechanism for contacting the Tor service address, which means that the victim identification with the associated RSA private key must be done either manually or by another adversary tool.

[Figure: ransom note displayed by the new SamSam variant]

In most ransomware the attackers try to convince affected users that they have the ability to decrypt the data after the payment is made. SamSam is no different here and even displays a disclaimer, as seen in the ransom note above, stating 'we don't want to damage our reliability' and 'we are honest'. To this end SamSam adversaries offer free decryption of two files and an additional free key to decrypt one server. Once again SamSam actors show their ability to monitor and laterally move through the network by pointing out they will only provide a key if they believe the server is not an important piece of infrastructure. As with previous versions of SamSam, they advise that messaging the attackers can be performed via their site.

The "Runner"

The adversary has changed their deployment methodology and now uses a loader mechanism called "runner" to execute the payload. Upon execution, the loader will search for files with the extension .stubbin in its execution directory; this file contains the SamSam encrypted .NET assembly payload. Upon reading the file, the loader decrypts the payload with the password supplied as the first argument and executes it, passing the remaining arguments.

The loader is a very simple .NET assembly with no obfuscation. Comparing both the Initialization Vector (IV) and the code structure, it seems like it may have been derived from an example posted on the Codeproject.com website. As can be seen in the images below, the IV used for the Rijndael encryption is the same in both implementations (posted code in hexadecimal, reversed code in decimal due to the decompiler implementation).

[Figures: posted code; reversed code]

At the code level, looking specifically at the function 'Decrypt', it is obvious that the code structure in the Codeproject source and the latest SamSam runner sample is the same (comments from the posted code were removed).

[Figure: encryption routine source code comparison]

The Payload

Previous versions of SamSam put some effort into the obfuscation of the malware code by encrypting strings with AES. The new version also obfuscates functions, class names and strings, including the list of targeted file extensions, the help file contents and environment variables, this time using DES encryption with a fixed hard-coded key and IV.

Once again, the adversary has put more effort into preventing the forensic recovery of the malware sample itself rather than only relying on the obfuscation of the running malware code, which allowed us to reverse engineer this sample. As mentioned before, the password to decrypt the payload is passed as a parameter to the loader, which reduces the chances of obtaining the payload for analysis. Previous versions of SamSam had an equivalent method for making payload access difficult by launching a thread that would wait 1 second before deleting itself from the hard disk.

The comparison of the main encryption routines between the old and the new samples indicates that this version of SamSam is similar enough to have high confidence that it belongs to the same malware family.

[Figure: encryption routine comparison]

While previous SamSam versions used the API call DriveInfo.GetDrives() to obtain the list of available drives, this new version has the drive letters hardcoded. After checking that a drive is ready, it starts a search for targeted files on the non-blacklisted folder paths. The new variant keeps the same list of targeted file extensions as some of the previous ones. It adds a few new entries to the list of paths not to encrypt, which includes the user profiles "All Users" and "default" and the boot directory. This is in tune with most ransomware, which attempts to preserve the operability of the victim's machine. If the machine operation is so damaged that the system cannot be booted, then the victim will be unable to pay, whereas if they keep the machine able to function, with limited access to files/folders, then they have a greater chance of a victim paying to recover their important files and documents.

Just like previous versions of SamSam, the new version is especially careful to make sure that there is enough space on the current drive to create the encrypted document, thus avoiding any corruption that would lead to irrecoverable encryption. Unlike most ransomware, SamSam does not delete Volume Shadow Copies; it creates an encrypted version of the original file, which is then deleted using the regular Windows API. Although unlikely, due to block overwriting, recovery of the original files from the versions of affected folders saved by the operating system may be possible.

Profitability

In identifying the scope of this SamSam campaign, Talos analyzed the Bitcoin wallet addresses used by the attackers in each of these attacks. As of the time of this writing, the attackers have received approximately 30.4 BTC, which equals $325,217.07. As previously mentioned, it is possible that the attackers are leveraging multiple bitcoin wallets; however, Talos has not observed any other than the one listed here being used in these attacks.

Recommendations

As the specific initial threat vector is not known at this time, best practices should be implemented to minimize risk to organizations. Talos has outlined several best practices that should be considered in a previous blog related to defending against ransomware related threats. In accordance with best practices, protocols like SMB or RDP should never be internet facing.

Article
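Two details in the Talos write-up matter most to a responder on an infected host: the runner's on-disk inputs (the encrypted .stubbin payload and the external .keyxml public key) and the fact that this variant leaves Volume Shadow Copies alone. The PowerShell below is an added example, not Talos or Cisco IR code; the artifact extensions come from the analysis above, while the search roots, the mount point, and the assumption that the host runs Windows 8 / Server 2012 or later (for the CIM cmdlets) are mine. Run it elevated from an incident-response console and copy recovered files out to a separate, clean volume.

```powershell
# Added example (not Talos/Cisco IR code): triage a host suspected of a
# SamSam-style infection and expose a Volume Shadow Copy for file recovery.
# Assumptions (mine): artifacts keep the .stubbin/.keyxml extensions from the
# analysis; Windows 8 / Server 2012 or later (CIM cmdlets); run elevated.
param(
    [string[]]$SearchRoots = @('C:\'),      # where to hunt for loader artifacts
    [string]  $Drive       = 'C:',          # volume whose shadow copies to use
    [string]  $MountPoint  = 'C:\ir_shadow' # where the shadow copy is exposed
)

# 1. Hunt for the runner's inputs: .stubbin (encrypted .NET payload) and
#    .keyxml (RSA public key kept outside the binary). Hash them for sharing.
$hits = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -Force -File -Include '*.stubbin', '*.keyxml' `
        -ErrorAction SilentlyContinue
}
$report = foreach ($f in $hits) {
    [pscustomobject]@{
        Path     = $f.FullName
        SizeKB   = [math]::Round($f.Length / 1KB, 1)
        Modified = $f.LastWriteTimeUtc
        SHA256   = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}
if ($report) { $report | Format-Table -AutoSize }
else { "No .stubbin/.keyxml files under $($SearchRoots -join ', ')" }

# 2. List shadow copies (newest first) joined to drive letters. SamSam does
#    not remove them, so pre-encryption versions of files may still be here.
$volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
    $sc  = $_
    $vol = $volumes | Where-Object { $_.DeviceID -eq $sc.VolumeName }
    [pscustomobject]@{
        Created      = $sc.InstallDate
        Drive        = $vol.DriveLetter
        DeviceObject = $sc.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        Id           = $sc.ID
    }
} | Sort-Object Created -Descending
$shadows | Format-Table -AutoSize

# 3. Expose the newest copy for $Drive as a directory symbolic link. The
#    trailing backslash on the device path is required by mklink. Shadow copies
#    are read-only, so nothing done through the link can alter the evidence.
$latest = $shadows | Where-Object { $_.Drive -eq $Drive } | Select-Object -First 1
if (-not $latest) {
    Write-Warning "No shadow copies for $Drive; VSS-based recovery is not possible on this host."
} elseif (Test-Path $MountPoint) {
    Write-Warning "$MountPoint already exists; remove it first (cmd /c rmdir $MountPoint)."
} else {
    cmd.exe /c mklink /d $MountPoint "$($latest.DeviceObject)\"
    "Copy recovered files OUT to a clean volume, e.g.:"
    "robocopy `"$MountPoint\Users`" D:\recovered\Users /E /R:1 /W:1"
    "When done: cmd /c rmdir $MountPoint   (removes only the link)"
}
```

The .stubbin file found in step 1 is useless on its own: as the analysis notes, the runner receives the decryption password as its first command-line argument, so preserve process command-line records (command-line auditing in event 4688, Sysmon, EDR telemetry) before the host is reimaged, or the payload cannot be recovered for analysis. Step 3 only helps if the shadow copies predate the encryption run; check the Created column against the earliest encrypted-file timestamps before relying on it.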
10. A new form of ransomware attempts to trick victims into installing it with the lure of quickly profiting from cryptocurrency -- before encrypting their files and demanding Monero for the decryption key.

'SpriteCoin' is advertised on forums as a new cryptocurrency which is "sure to be profitable" for users -- when it is anything but. Those who fall for the scam -- which is likely to have been designed to take advantage of the publicity around bitcoin and the blockchain -- will find their Windows system infected with ransomware.

To add insult to injury, if the infected user pays the 0.3 Monero (around $100 at the time of writing) ransom, they're delivered additional malware with capabilities that include certificate harvesting, image parsing, and the ability to activate the victim's webcam.

Uncovered by researchers at Fortinet, SpriteCoin is advertised on forums and requires a degree of social engineering in order to successfully compromise targets. While many forms of ransomware are delivered through phishing emails, this form is delivered as a cryptocurrency wallet which the user is told contains SpriteCoin. It's one of the oldest cybercriminal tricks in the book: luring victims in with the prospect of a get-rich-quick scheme.

Once the user runs the .exe file, they're asked to enter a wallet password, before being told that the file is downloading the blockchain. In reality, this isn't happening at all: the ransomware is running its encryption routine, adding a '.encrypted' suffix to any affected files. The user's Chrome and Firefox credential stores are raided during this process and sent to a remote website, likely putting passwords in the hands of the attackers.

Once the process is complete, the victim is presented with a ransom note, demanding a 0.3 Monero payment in order to retrieve their files. The note contains links to information about what Monero is, how to purchase it, and how to pay, as well as a warning that if the program is deleted the files will remain encrypted forever.

The ransom figure is low compared to many forms of ransomware, which now often demand payments of hundreds or thousands of dollars. It could be that the attackers ask for a relatively low ransom because SpriteCoin is a test for new ransomware delivery mechanisms.

"In this instance, it seems like the intent was not just about money. What we infer is that the intent is not about the amount of money, but possibly about proof of concept or testing new delivery mechanisms, and to see how many people would fall for it," Tony Giandomenico, senior security researcher at Fortinet FortiGuard Labs, told ZDNet. "This is very similar to when attackers would test to see how effective or fast a worm would spread before really launching it. This could be the same concept."

Those behind the SpriteCoin ransomware attempt to offer the victim assurance that payment will result in the return of their files because "if we didn't, you could tell others not to pay", adding: "so trust us, will return your files". However, it seems unlikely that victims will actually get their documents back. If they do decide to pay up for the decryption key, what they actually receive is additional malware with the ability to activate webcams and parse certificates.

"The note is really encouraging the victim to 'initiate payment of the ransom' in order to get the secondary malicious payload dropped," said Giandomenico. While researchers haven't been able to fully analyse this malware, it's unlikely that suffering additional compromises can be anything but bad for the victim.

SpriteCoin isn't the first form of ransomware to ask for payment in Monero. The popularity of bitcoin -- and the associated increase in transaction fees and delays receiving payments -- is causing problems for cybercriminals who use it to collect ransom demands. As a result, some ransomware distributors are shifting their business model away from bitcoin and to other cryptocurrencies like Monero.

source
11. Hancock Health fell victim to a cyber attack Thursday, with a hacker demanding Bitcoin to relinquish control of part of the hospital's computer system.

Employees knew something was wrong Thursday night, when the network began running more slowly than normal, senior vice president/chief strategy and innovation officer Rob Matt said. A short time later, a message flashed on a hospital computer screen, stating parts of the system would be held hostage until a ransom is paid. The hacker asked for Bitcoin -- a virtual currency used to make anonymous transactions that is nearly impossible to trace. The hospital's IT team opted to immediately shut down the network to isolate the problem. The attack affected Hancock Health's entire health network, including its physician offices and wellness centers.

Friday afternoon, Hancock Health CEO Steve Long confirmed the network was targeted by a ransomware attack from an unnamed hacker who "attempted to shut down (Hancock Health's) operations." Hospital leaders don't believe any personal medical information has been compromised, Long said. Long declined to disclose details of the attack, including how much ransom has been requested. The attack amounts to a "digital padlock," restricting personnel access to parts of the health network's computer systems, he said. The attack was not the result of an employee opening a malware-infected email, a common tactic used to hack computer systems, he said. The attack was sophisticated, he said, adding FBI officials are familiar with this method of security breach. "This was not a 15-year-old kid sitting in his mother's basement," Long said.

Protecting patients

Notices posted Friday at entrances to Hancock Regional Hospital alerted visitors to a "system-wide outage" and asked any hospital employee or office using an HRH network to ensure all computers were turned off. Doctors and nurses have reverted to using pen and paper for now to keep patients' medical charts updated. Long said he wasn't aware of any appointments or procedures that were canceled directly related to the incident, adding Friday's snowy weather contributed to many cancellations. Most patients likely didn't notice there was a problem, nor did the attack significantly impact patient care, Long said.

Hospital staff members worked with the FBI and a national IT security company overnight and throughout the day Friday to resolve the issue. Long said law enforcement has been acting in an "advisory capacity," and declined to release details about the plan going forward, including whether the hospital is considering paying the ransom. Long commended his staff, especially IT workers, who quickly identified the problem Thursday evening. "If I was going through this with anybody, this is the team I would want to go through this with because I know what the outcome is going to be," he said. Leaders updated hospital employees, totaling about 1,200 people, throughout the day Friday and took steps to accommodate both patients and staff, including offering free food in the hospital cafeteria all day, Long said. Long said if there is any suggestion private patient information has been compromised, hospital officials will reach out to those affected, though he doesn't expect that to become an issue. "We anticipate questions," he said. "This is not a small deal."

A growing problem

Ransomware attacks like the one at Hancock Health are growing more common, according to experts in the field of information technology and cybersecurity. Some 4,000 ransomware attacks have occurred every day since 2016, according to a report by the federal Department of Justice -- a 300 percent increase from the roughly 1,000 attacks per day in 2015. Hackers often use phishing techniques -- posing as a legitimate company or source the user recognizes -- to break into a person's or company's computer and take it over, said Von Welch, the director of Indiana University's Center for Applied Cybersecurity Research in Bloomington. Rather than stealing private information stored on the computer and using or selling it, hackers who engage in ransomware turn the tables on their victims and refuse to give back control of the device unless someone pays up, Welch said. It's "particularly nasty" when hospitals fall victim to a ransomware attack because it can completely cripple the medical facility's ability to help people, Welch said. Depending on what's been compromised, hospitals can't check patients in or gain access to certain essential equipment, he said. Long said the hospital's equipment continued to function normally Friday, though he's troubled someone would target people in need of medical care, when many are at their most vulnerable. "That somebody would do this to a hospital really boggles the mind," Long said.

Hacker attacks in Indiana and elsewhere

At least one other Indiana hospital and government unit have fallen victim to similar attacks in recent years. In November 2016, hackers in Anderson executed a similar cyber-attack on Madison County government servers. Criminals uploaded a computer virus to county officials' network that restricted officials' access to confidential files. The hackers then withheld the encryption code -- which would allow county officials to retrieve the locked data -- for a $200,000 ransom. Madison County's insurance carrier recommended officials pay the demands, which they did, regaining access to their system. Six months earlier, hackers targeted a healthcare facility in Auburn, Indiana, where Dekalb Health's administrative servers were infected with ransomware. The threat caused only a minor disruption; the ransom was never paid, and most servers were brought back online shortly after the malware attack, hospital officials said in a news release issued at the time.

Hancock Health had policies in place for such an attack, knowing digital thieves are always on the lookout for a target, Long said. "Unfortunately," he said, "we were probably next on the list."

Article
12. Bitdefender 2018 Build 22.0.12.161
Overview: The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward Bitdefender's outstanding results through numerous prizes and certifications are: Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark, PC World Top 100, just to name a few.
Homepage: https://www.bitdefender.com/
Changelog: https://forum.bitdefender.com/index.php?/topic/77459-latest-changelog/
A new Bitdefender Classic Line product update has been released with the following details:
Affected software: Bitdefender Total Security 2018, Bitdefender Internet Security 2018, Bitdefender Antivirus Plus 2018
Platform: x86, x64
Version: 22.0.12.161
This version fixes the following issues:
- Fixed an issue with Active Threat Defense not activating
- Fixed an issue where the product would show "Last Update Never"
- Fixed an issue where the offline weekly updates would not detect Bitdefender 2018
- Fixed an issue where Google would report SafePay is an outdated browser
- Fixed an issue where Custom Scans would not be saved after switching to Aggressive
- Fixed an issue where SafePay couldn't save bank statements (PDF) on hsbc.co.uk
The following improvements were included:
- Wallet's compatibility with several websites
- Several improvements to the in-product Support Tool
- Several interface improvements
- Various Install Engine optimizations
- Various SafePay optimizations and security improvements
- Several Firewall improvements
- Several Advanced Threat Defense improvements
- Improved compatibility with the upcoming Windows release
- Several OneClick Optimizer improvements
KB is unavailable at this time.
Downloads:
Online Installers:
Bitdefender Antivirus Plus 2018 22.0.12.161
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe
Bitdefender Internet Security 2018 22.0.12.161
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe
Bitdefender Total Security 2018 22.0.12.161
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe
Offline Installers and Install Guide:
Bitdefender 2018 Offline Installation Guide:
Bitdefender 2018 AV Plus / Internet Security / Total Security - Standalone Installers [Windows]:
32bit [x86]: https://download.bitdefender.com/windows/desktop/connect/cl/2018/all/bitdefender_ts_22_32b.exe
64bit [x64]: https://download.bitdefender.com/windows/desktop/connect/cl/2018/all/bitdefender_ts_22_64b.exe
Bitdefender Agent - 2018 - Universal [Same Agent for AV Plus / IS / TS]:
Note: The Bitdefender Agent installer supports both x86 and x64 architectures.
Note: The Bitdefender Agent installer is the same for Antivirus Plus / Internet Security / Total Security.
Direct Download: https://flow.bitdefender.net/connect/2018/en_us/bitdefender_windows.exe
Install Notes:
Precaution Note: If you've already installed an older version of Bitdefender [incl. the 2017/2016 versions], we are sure that you'll lose your settings. Please take note of your configuration, settings, whitelisted files and links.
1. Download and install Bitdefender Agent. When it starts downloading the install files, stop/close it immediately.
Note: Check that the Agent is installed only once in "Add/Remove Programs" or "Programs & Features".
Note: Check in "Program Files" for a folder named "Bitdefender Agent".
2. Now start the offline installer and proceed with the installation.
Note: Please choose the respective download link based on architecture (x86/x64) for a smooth installation.
Note: Don't worry about AV Plus/IS/TS. The installer automatically adjusts the installation depending on the license you enter.
3. Once the installation is done, configure accordingly for best protection and to avoid files getting deleted. Configure whitelisted files and links if you have any. It is better to keep a note of the configured settings for future use.
User Guide:
Bitdefender Antivirus Plus 2018: https://download.bitdefender.com/resources/media/materials/2018/userguides/en_EN/bitdefender_av_2018_userguide_en.pdf
Bitdefender Internet Security 2018: https://download.bitdefender.com/resources/media/materials/2018/userguides/en_EN/bitdefender_is_2018_userguide_en.pdf
Bitdefender Total Security 2018: https://download.bitdefender.com/resources/media/materials/2018/userguides/en_EN/bitdefender_ts_2018_userguide_en.pdf
Uninstall Tool:
Uninstall Tool For Bitdefender 2018 Products: https://www.bitdefender.com/files/KnowledgeBase/file/Bitdefender_2018_UninstallTool.exe
NOTE: The Bitdefender 2018 Uninstall Tool requires KB2999226. If it is not installed, you'll get the error "api-ms-win-crt-runtime-l1-1-0.dll is missing". You can download it here - KB2999226
Uninstall Tool For Bitdefender 2017 Products: https://www.bitdefender.com/files/KnowledgeBase/file/Bitdefender_2017_UninstallTool.exe
NOTE: The Bitdefender 2017 Uninstall Tool requires KB2999226. If it is not installed, you'll get the error "api-ms-win-crt-runtime-l1-1-0.dll is missing". You can download it here - KB2999226
Uninstall Tool For Bitdefender 2016 Products: http://www.bitdefender.com/files/KnowledgeBase/file/Bitdefender_2016_UninstallTool.exe
Uninstall Tool For Bitdefender 2015 / 2014 / 2013 Products: http://www.bitdefender.com/files/KnowledgeBase/file/The_New_Bitdefender_UninstallTool.exe
Uninstall Tool For Bitdefender 2012 Products and Earlier: http://www.bitdefender.com/files/KnowledgeBase/file/BitDefender_Uninstall_Tool.exe
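The install notes above list several manual checks (Agent present exactly once, the "Bitdefender Agent" folder, KB2999226 for the uninstall tool) but skip the one that matters most when fetching executables from download links posted on a forum: confirming that each file really is the vendor's signed build before it is run. The script below is an added example, not Bitdefender's or the poster's code. It assumes the installers were saved under the Downloads folder with the file names from the URLs above, a Windows 7 SP1 or later host with PowerShell 3+, and that Bitdefender's code-signing certificate subject contains "Bitdefender" (verify the exact subject against a known-good copy before relying on that match).

```powershell
# Added example (not Bitdefender's or the poster's code): verify the downloaded
# installers before running them and reproduce the post's pre-install checks.
# Assumptions (mine): files were saved under $Downloads with the names from the
# URLs above; Windows 7 SP1 or later with PowerShell 3+; the signer subject
# contains "Bitdefender".
param([string]$Downloads = "$env:USERPROFILE\Downloads")

$installers = @(
    'bitdefender_windows.exe',    # Bitdefender Agent (same for AV Plus / IS / TS)
    'bitdefender_ts_22_32b.exe',  # standalone installer, x86
    'bitdefender_ts_22_64b.exe'   # standalone installer, x64
)

# 1. Authenticode check: a valid signature chained to the vendor is the only
#    evidence that a file fetched from a posted link is Bitdefender's build.
function Test-SignedInstaller {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File   = Split-Path $Path -Leaf
        Status = $sig.Status                     # want 'Valid'
        Signer = $sig.SignerCertificate.Subject  # want Bitdefender as CN/O
        SHA256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}
$results = foreach ($name in $installers) {
    $p = Join-Path $Downloads $name
    if (Test-Path $p) { Test-SignedInstaller $p }
    else { [pscustomobject]@{ File = $name; Status = 'NotDownloaded'; Signer = $null; SHA256 = $null } }
}
$results | Format-Table -AutoSize
$bad = $results | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Bitdefender' }
if ($bad) {
    Write-Warning "Do not run: $($bad.File -join ', ') (missing, unsigned, tampered or wrong signer)."
}

# 2. The post's checks: Agent listed exactly once, Agent folder present.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$agents = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
          Where-Object { $_.DisplayName -like 'Bitdefender Agent*' }
"Bitdefender Agent entries in Programs and Features: $(@($agents).Count) (expected 1)"
"Bitdefender Agent folder present: $(Test-Path (Join-Path $env:ProgramFiles 'Bitdefender Agent'))"

# 3. Uninstall-tool prerequisite (KB2999226 = Universal CRT). Windows 10 ships
#    the UCRT, so test for the DLL the error message names, not only the hotfix.
$sys32 = Join-Path $env:SystemRoot 'System32'
$ucrt  = (Test-Path (Join-Path $sys32 'ucrtbase.dll')) -and
         (Test-Path (Join-Path $sys32 'api-ms-win-crt-runtime-l1-1-0.dll'))
$kb    = Get-HotFix -Id KB2999226 -ErrorAction SilentlyContinue
"Universal CRT present: $ucrt (KB2999226 listed by Get-HotFix: $([bool]$kb))"
```

A `Status` of `HashMismatch` or `NotSigned` on any installer means the file is not what the vendor shipped, whatever the download page says; a `Valid` status with an unexpected signer is equally disqualifying. The SHA256 column is there so the hashes can be compared against a second download from the vendor's own site.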
13. Bitdefender 2018 Build 22.0.13.169
Overview: The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward Bitdefender's outstanding results through numerous prizes and certifications are: Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark, PC World Top 100, just to name a few.
Homepage: https://www.bitdefender.com/
Changelog: N/A
Update info shared by @boulawan
A new Bitdefender Classic Line product update has been released with the following details:
Affected software: Bitdefender Total Security 2018, Bitdefender Internet Security 2018, Bitdefender Antivirus Plus 2018
Platform: x86, x64
Version: 22.0.13.169
KB is unavailable at this time.
Downloads:
Online Installers:
Bitdefender Antivirus Plus 2018 22.0.13.169
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe
Bitdefender Internet Security 2018 22.0.13.169
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe
Bitdefender Total Security 2018 22.0.13.169
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe
Offline Installers and Install Guide:
Bitdefender 2018 Offline Installation Guide:
14. ShieldApps' Ransomware Defender deals with known ransomware in a way no other solution can. Specially designed for detecting and blocking ransomware prior to any damage, Ransomware Defender blacklists and stops both common and unique ransomware. Once installed, Ransomware Defender stands guard 24/7, utilizing active protection algorithms enhanced with a user-friendly alerts and notifications system. Ransomware Defender is fully automated, taking care of all threats via an advanced Scan > Detect > Lock Down mechanism that proactively stands guard against detected threats, and works alongside all main antivirus and anti-malware products! Ransomware Defender also features a scheduled automatic scan, secured file eraser, lifetime updates and support!
Homepage: https://shieldapps.com/products/ransomware-defender/
Download: https://s3.amazonaws.com/shield-products/RansomwareDefender/ShieldApps/RansomwareDefenderSetup.exe
3.5.8 - 3.x Patch from URET TEAM - igorca:
Site: https://yadi.sk
Sharecode[?]: /d/CPeTqzwJ3HqiyP
Installer + Patch:
Site: https://www.multiup.eu/en
Sharecode[?]: /download/3929b572efc906983914a46208db9223/Ransomware.Defender.3.6.6.zip