Search the Community

Showing results for tags 'ransomware'.

Found 227 results

  1. New blank slate campaign runs Cerber

     A new campaign pushing Cerber ransomware has been spotted in the wild, titled "Blank Slate." According to the folks over at the SANS Internet Storm Center, it was titled Blank Slate because, as you probably expect, the emails have no message text and there's nothing there to indicate what the attachments are. The subject line and attachment names are vague and consist of random numbers, which is how we all title most of our files.

     The file attachments getting sent in this campaign are double-zipped, which means there's a zip archive within another zip archive, which is where you'll find the JavaScript file or a Microsoft Word document infected with Cerber. For the JavaScript file you'll simply have to double-click it, while for the Word document, you'll have to enable macros.

     The Blank Slate campaign has been used before with other types of ransomware, but this time around Cerber has been the most prevalent one.

     Up goes the ransom

     Cerber is a ransomware that will encrypt documents, photos, databases and other important files on your computer. In order to get the decryption key, victims are usually told to pay a ransom of $500. An interesting part about this particular ransom is that the amount of Bitcoin requested by the attacker will always reflect $500, regardless of the Bitcoin quotation. Up until this week, that is, when the ransom suddenly hiked up to 1 Bitcoin.

     As always, you should pay extra attention to any email landing in your inbox. Do not click on any that you find suspicious. In this case, an email from a person you don't know, without any kind of text and a nameless attachment should trigger at least some warning bells.

     As Brad Duncan from the SANS Internet Storm Center notes, how successful can such campaigns be? Potential victims must open an attachment from a blank email, unzip twice, and double-click on a file, or, in the case of the Word attachment, enable macros, which Microsoft advises against.
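     The double-zipped attachment the post above describes is easy to triage automatically before anyone double-clicks it. The following Python script is an added example written for this thread, not code from the SANS ISC write-up: it unpacks nested zips in memory, flags script files and Office documents, and checks whether an OOXML document actually carries a VBA project. The sample archives it builds are constructed here (the member names 3381.zip, 8364.js and 5102.docm are made up to mimic the campaign's random-number naming); the extension lists and the nesting limit are my assumptions.

```python
"""Triage a double-zipped e-mail attachment of the kind the Blank Slate
campaign used: a zip inside a zip whose innermost member is a .js file or
a Word document.

Added example for this thread, not code from the SANS ISC write-up.
Assumptions: the extension lists, the nesting limit, and the rule that a
macro-enabled OOXML document is recognised by its vbaProject.bin part.
"""
import io
import sys
import zipfile

# Extensions Windows runs directly on double-click (Windows Script Host / mshta).
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Office formats that can carry macros; legacy binary .doc/.xls cannot be
# inspected with zipfile, so they are reported on extension alone.
OFFICE_EXT = {".doc", ".docm", ".docx", ".dot", ".dotm", ".xls", ".xlsm", ".xlsx", ".rtf"}
MAX_DEPTH = 4      # refuse to keep unpacking past this many nested archives


def _ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def has_vba(doc_bytes):
    """True if an OOXML document (itself a zip) contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_attachment(data, name, depth=0, path=()):
    """Return [(member_path, reason)] for everything suspicious in a zip attachment.

    Office documents are classified before the generic zip test because a
    .docx/.docm is itself a zip and would otherwise count as a nested archive.
    """
    path = path + (name,)
    if depth > MAX_DEPTH:
        return [("/".join(path), "nested deeper than %d archives" % MAX_DEPTH)]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = zf.read(info)
            ext = _ext(info.filename)
            full = "/".join(path + (info.filename,))
            if ext in OFFICE_EXT:
                if has_vba(member):
                    findings.append((full, "Office document with VBA macros"))
                else:
                    findings.append((full, "Office document %s (macros not verified)" % ext))
            elif ext in SCRIPT_EXT:
                findings.append((full, "script file %s" % ext))
            elif ext == ".zip" or zipfile.is_zipfile(io.BytesIO(member)):
                findings.append((full, "nested archive (depth %d)" % (depth + 1)))
                findings.extend(inspect_attachment(member, info.filename, depth + 1, path))
    return findings


def build_js_sample():
    """Constructed lookalike of the campaign's attachment: outer zip -> inner zip -> .js."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("8364.js", "// constructed, inert placeholder\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("3381.zip", inner.getvalue())
    return outer.getvalue()


def build_macro_doc_sample():
    """Constructed outer zip holding a minimal macro-enabled .docm (a zip with vbaProject.bin)."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("5102.docm", doc.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data, name = f.read(), sys.argv[1]
    else:
        data, name = build_js_sample(), "attachment.zip"
    for member, reason in inspect_attachment(data, name):
        print("%-40s %s" % (member, reason))
```

     Run it against a saved attachment with the file path as the only argument; with no argument it triages the constructed sample. Only the nesting depth is bounded, so on a mail gateway you would also cap the uncompressed size of each member before reading it.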
  2. It seems some cybercriminals are channeling their inner Star Trek fanboy, as a new ransomware variant named after a character from the popular science fiction media franchise has recently been discovered. Detected by Avast malware researcher Jakub Kroustek, the "Kirk" ransomware is written in Python. While it is not currently known how it is distributed, the ransomware is noted to be masquerading as an application called Low Orbital Ion Cannon, a network stress testing application.

     Once executed, Kirk will generate an AES password which will be used to encrypt a victim's files. This will subsequently be encrypted by an embedded RSA-4096 encryption key.

     The fake LOIC prompt

     Next, a prompt will display stating "The LOIC is initializing for your system ... This may take some time." At this point, the Kirk ransomware is silently encrypting files. The malware reportedly affects 625 file types, including widely used ones like .mp3, .docx, .zip, .jpeg, and .wma, among many others. A ransom note will be dropped soon after this process is done.

     Typical ransomware would usually ask for Bitcoins or MoneyPak as payment in order to unlock the files. However, the Kirk ransomware asks victims to pay in Monero, another secure crypto-currency like Bitcoin. For the first two days, it will ask for 50 Monero, which is equal to roughly $1265. It will double every few days, and if no payment is made by the 31st day, the decryption key gets permanently deleted, according to the ransom note.

     Of course, with the ransomware being named after a Star Trek character, the cybercrooks went all the way and named the malware's decryptor "Spock." The criminals promise to send the software to the victim once the Monero payment has been made.

     As of the moment, there is no known way to decrypt files that have been affected by the Kirk ransomware for free. There are still no known cases of anyone being affected by this ransomware. However, it still pays to be careful of our activities on the internet, to be able to lessen the chances of contracting such malware in the future.
  3. Ransomware operators are hiding malware deeper in installer packages

     We are seeing a wave of new NSIS installers used in ransomware campaigns. These new installers pack significant updates, indicating a collective move by attackers to once again dodge AV detection by changing the way they package malicious code. These changes are observed in installers that drop ransomware like Cerber, Locky, and others.

     Cybercriminals have been known to hide malware in Nullsoft Scriptable Install System (NSIS) installer files. As antivirus software effectively detects these installer files, cybercriminals are once again updating their tools to penetrate computers. The new malicious NSIS installers visibly attempt to look as normal as possible by incorporating non-malicious components that usually appear in legitimate installers:

       • More non-malicious plugins, in addition to the installation engine system.dll
       • A .bmp file that serves as a background image for the installer interface, to mimic legitimate ones
       • A non-malicious uninstaller component uninst.exe

     Please, if interested, read the rest of a rather technical article at the link (at the top).
  4. Ransomware for Dummies: Anyone Can Do It

     Among today’s fastest-growing cybercrime epidemics is “ransomware,” malicious software that encrypts your computer files, photos, music and documents and then demands payment in Bitcoin to recover access to the files. A big reason for the steep increase in ransomware attacks in recent years comes from the proliferation of point-and-click tools sold in the cybercrime underground that make it stupid simple for anyone to begin extorting others for money.

     Recently, I came across an extremely slick and professionally produced video advertisement promoting the features and usability of “Philadelphia,” a ransomware-as-a-service crimeware package that is sold for roughly $400 to would-be cybercriminals who dream of carving out their own ransomware empires.

     This stunning advertisement does a thorough job of showcasing Philadelphia’s many features, including the ability to generate PDF reports and charts of victims “to track your malware campaigns” as well as the ability to plot victims around the world using Google Maps. “Everything just works,” claim the proprietors of Philadelphia. “Get your lifetime copy. One payment. Free updates. No monthly fees.”

     One interesting feature of this ransomware package is the ability to grant what the program’s architects call “mercy.” This refers to the desperate and heartbreaking pleas that ransomware purveyors often hear from impecunious victims whose infections have jeopardized some priceless and irreplaceable data — such as photos of long lost loved ones.

     I’ll revisit the authors of this ransomware package in a future post. For now, just check out their ad. It’s fairly chilling.
  5. Bitdefender 2017 Build

     Overview: The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward BitDefender outstanding results through numerous prizes and certifications are: Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark, PC World Top 100, just to name but a few.

     Homepage: https://www.bitdefender.com/
     Changelog: Yet to be updated. KB is unavailable at this time.

     Downloads

     Online Installers:

       Bitdefender Antivirus Plus 2017
         Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
         XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe

       Bitdefender Internet Security 2017
         Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
         XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe

       Bitdefender Total Security 2017
         Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
         XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe

     Offline Installers and Install Guide:

     Checksum - 10 Mar 2017 Offline Installer Update:

       bitdefender_ts_21_32b.exe - 391676120 bytes
         MD5: a66d418e7b88e99e16a6e0e4d6b39344
         SHA-1: 7c0fc6a890d533a2ca1280afe748458d5fc409f1
         SHA-256: 2b7b052f3f94f6172176d53c2d1ec58ab5f82d0170bbb722ff407f34860d8c3a
         SHA-384: 79cc8deb7b4756bfe37e692bcc44a3721a0391dac0e51146ff201c6bfa1b23ed649d5a6fd7849b65a9f2c04b4ec2b517
         SHA-512: 06acde22d638d1effeda481c4808839fcc629bef6db71ee6f9ae2da1370e89fc895e1b31f7251f07b3e09ee1e4ae320494fff82d3b221baaea1fd95664aa59a1

       bitdefender_ts_21_64b.exe - 433246512 bytes
         MD5: 9591493ba9892384737795c8740ef668
         SHA-1: 2339248747187c83401865dfd4a8f70783044b23
         SHA-256: e3fead4b4b98819ed1ad71de046b6bd91ca3677c2fc5229bf00911727cd20b3e
         SHA-384: f0cf9c8ea055f1402225be630b25fdf113a1ec556eb102999be0d46d2339cac7fb0fc15780efb2364258e14664a01066
         SHA-512: 346e3b2b8d213df5cfd822dae2fc564bf8f40b6d2ac5f72fd9a43efcd7f97da93f65bbebafad55c559d4d6bdd88e012d466317842739e90006cff6a85008cecd

     Bitdefender 2017 Offline Installation Guide:
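     Before running a 400 MB offline installer, check it against the listed digests rather than trusting the file name. The script below is an added example written for this thread, not Bitdefender's tooling: it parses a listing pasted in exactly the form above (label, colon, hex), hashes the file once for every listed algorithm, and only accepts the file when every digest matches and at least one of them is SHA-256 or stronger, since MD5 and SHA-1 collisions are practical. The installer used in demo() is a constructed local file so the example runs offline; it is not the real download.

```python
"""Verify a downloaded installer against a pasted checksum listing.

Added example for this thread, not Bitdefender's tooling. The listing
format is the one quoted above ("MD5: <hex> ... SHA-512: <hex>"); the
installer used in demo() is constructed locally so the example runs offline.
"""
import hashlib
import hmac
import os
import re
import sys
import tempfile

# Label as printed in the listing -> hashlib algorithm name.
ALGOS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256",
         "SHA-384": "sha384", "SHA-512": "sha512"}
# Collision attacks against these are practical; they may confirm a download
# but must never be the only digest that matched.
WEAK = {"MD5", "SHA-1"}

_ENTRY = re.compile(r"\b(MD5|SHA-1|SHA-256|SHA-384|SHA-512):\s*([0-9a-fA-F]+)")


def parse_listing(text):
    """Return {label: hexdigest} from a listing pasted as free text."""
    return {label: digest.lower() for label, digest in _ENTRY.findall(text)}


def digest_file(path, names, chunk=1 << 20):
    """Read the file once and feed every requested algorithm from the same blocks."""
    hashers = {n: hashlib.new(n) for n in names}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hashers.items()}


def verify(path, expected):
    """Check a file against parsed digests.

    Returns (ok, report): report maps each label to True/False, and ok is True
    only when every listed digest matches and at least one non-weak one did.
    """
    got = digest_file(path, [ALGOS[label] for label in expected])
    report = {label: hmac.compare_digest(got[ALGOS[label]], want)
              for label, want in expected.items()}
    strong_match = any(ok for label, ok in report.items() if label not in WEAK)
    return all(report.values()) and strong_match, report


def demo():
    """Constructed round trip: good file passes, a one-byte change fails, MD5 alone is not enough."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "installer.exe")
    with open(good, "wb") as f:
        f.write(b"constructed installer bytes\n" * 4096)
    # Publisher side: emit the listing in the same text form as the post.
    digests = digest_file(good, ALGOS.values())
    listing = " ".join("%s: %s" % (label, digests[name]) for label, name in ALGOS.items())
    expected = parse_listing(listing)
    bad = os.path.join(d, "installer_tampered.exe")
    with open(bad, "wb") as f:
        f.write(b"constructed installer bytes\n" * 4095 + b"constructed installer bytez\n")
    ok_good, _ = verify(good, expected)
    ok_bad, _ = verify(bad, expected)
    ok_weak_only, _ = verify(good, {"MD5": expected["MD5"]})
    return ok_good, ok_bad, ok_weak_only


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: verify.py <file> <listing.txt>   (listing.txt = the digests pasted above)
        with open(sys.argv[2]) as f:
            ok, report = verify(sys.argv[1], parse_listing(f.read()))
        for label, matched in report.items():
            print("%-8s %s" % (label, "OK" if matched else "MISMATCH"))
        sys.exit(0 if ok else 1)
    print(demo())   # (True, False, False)
```

     Paste the digests for one installer into a text file and pass the downloaded file and that listing as the two arguments; a non-zero exit means at least one digest did not match, or only MD5/SHA-1 matched. The comparison uses hmac.compare_digest so the check takes the same time whether or not the digests agree, which matters little here but costs nothing.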
  6. Yesterday, Emsisoft's CTO and malware researcher Fabian Wosar released a decryptor for the CryptON Ransomware. This ransomware has been around since the end of February and has had a few variants released. It was named CryptON based on a string found within the executable. The current list of known extensions used by CryptON and that can be decrypted are: Please read the rest of the article here.
  7. A ransomware variant known as Samas RansomWorm is wreaking havoc on unsuspecting machines, gaining its name from its unusual propagation characteristics. Whereas traditional ransomware only encrypts the machine the attacker is controlling, RansomWorm spreads throughout the entire network to encrypt every server and computer—and the backups.

     According to research from Javelin Networks, it executes what it calls the “Worm Triangle.” “After gaining a foothold on a machine connected to the corporate domain, the attacker executes a three-part process: Steal domain credentials, identify targets via Active Directory (AD) reconnaissance, and move laterally,” the firm explained, in a blog. “This process is the ‘worm’, and it spreads itself throughout the entire network.”

     Generally, the attackers exploit front-facing servers for a known vulnerability, and once the machine is compromised, he or she steals domain admin credentials, making it possible to act as a legitimate user on the network. Because of the admin-level privileges, these domain credentials grant the attacker full access to any computer inside the domain, laying their files wide open for encryption via AD.

     “Think of it as a master key that can unlock any computer,” Javelin researchers said. “Samas infects one computer, and then self-propagates through the network, infecting each and every endpoint and server until the whole corporation is locked down…With a few built-in commands, the attacker encrypted the entire environment from the inside, evading traditional defenses while leaving no evidence behind.”

     This has dramatic consequences depending on the industry. In a retail environment, a complete POS lockdown will impact sales. Or in a hospital, patient data goes dark.

     It’s been a successful gambit: The group behind Samas was able to rack up $450,000 in just one year using this methodology, Javelin said, primarily targeting healthcare organizations.
  8. "New Mac Ransomware Targets Illegal Crack Tool Software"

     Researchers have uncovered a new form of Mac ransomware, and this one’s a little hard to hate. While it’s never okay to write and spread malicious code, this one targets users who download illegal “crack” tool software. According to a report by TechRadar, “The ransomware payload is hidden in a program that goes by the name of Patcher, which is found on torrent sites and claims to be a crack (to get around needing a license key) for a couple of popular software offerings: Adobe Premiere Pro and Microsoft Office for Mac (and possibly others, as well).”

     Interestingly, this ransomware demands payment in Bitcoin to unlock your files, but there’s a problem: the researchers could find no source of connection back to the originator. They also found no payment history for this ransomware, meaning no one has taken the bait yet. In theory, that means that your files are locked and there’s actually no way to buy your way out of it. You’re just done.

     Of all the forms of cybercrime making waves right now, ransomware may be the one with the highest growth for the simple fact that it stands to net the originator the most immediate payout. Locking up your network – especially if the encryption key is readily available and is under a strict deadline to purchase – is a popular tactic, and often comes with a hefty yet manageable price tag. Attempting to sell stolen consumer records on the dark web after a data breach, on the other hand, requires more finesse and skill. There’s also a recent glut of stolen information available, which has driven down the asking price for even complete identities.

     Therefore, buyer (or non-buyer, in this case) beware: that free download that promises to get you something for nothing might just get you more than you bargained for.
  9. The “Patcher” malware downloads itself with fake Adobe Premiere Pro and Microsoft Office for Mac installer.

     Cybercriminals prefer crypto-ransomware as it not only successfully targets Windows desktop but also those devices that run on MacOS or Linux. Now, according to ESET researchers, there is a new ransomware malware called “Patcher” targeting Mac users.

     The new ransomware is written in Swift and is called Patcher; it is being distributed through BitTorrent distribution sites. The Torrent has just one ZIP file, which is actually an application pack with bundle identifier NULL.prova. ESET researchers identified two fake application Patchers, one of which is for Adobe Premiere Pro and the other is for Mac system’s Microsoft Office. The app has been coded poorly and research suggests that the window contains a transparent background, which is certainly quite confusing, as once it is closed it becomes too difficult to reopen it.

     When the victim clicks on the Start button, the encryption process begins and a file called README!.txt is copied everywhere around the directories of the system including Documents and Photos directories. The ransomware then creates a random 25-character string, which serves as a key for completing the file encryption process. This key is then applied to all the existing files. The files are then numbered with the find command line tool. The purpose of the ZIP tool is to store the file in an encrypted library. Afterward, the real file is deleted with rm and the time of the encrypted file is modified to midnight, Feb 13th, 2010 using the touch command. Now the same process that was carried out for the directory is used for all the external and network storage folders present in /Volumes. After completion of file encryption, a code helps the attacker to null all the available free space on the root partition using diskutil.

     It is worth noting that the malware has a wrong path for diskutil, i.e. for macOS it is /usr/sbin/diskutil while the malware tries to execute /usr/bin/diskutil.

     The victim receives the instruction from the README!.txt file, which is hard coded within the Filecoder. It actually represents the Bitcoin address, and the email address remains the same for every victim; both the samples utilize the same message and contact details. Please note that there hasn’t been any transaction related to the Bitcoin wallet, which hints at the fact that as of now the campaign designers haven’t been able to earn anything from this ransomware.

     The problem with this campaign, as per the researchers, is that the ransomware does not have any specific code with which it could communicate with the C&C server. Therefore, there is literally no way to decrypt the files since the encryption key was never sent to the attackers in the first place. Furthermore, the ZIP password is generated by arc4random_uniform, which is believed to be a secure random number generator. So, victims have no other choice but to pay the ransom to get the files back.

     So far, the attackers have targeted Chinese-speaking victims. What led to this conclusion is the fact that the ransom note is written in Mandarin and the instructions say that the attackers can be contacted through QQ instant messaging service for payment of ransom and unlocking of code. However, since the target computer is locked up, the victims have to contact the attackers from another machine/device.

     Ref: < https://www.hackread.com/crypto-ransomware-targets-mac-os-system/ >
  10. Jesus Vigo went hands-on with RansomFree to see if it could outmaneuver ransomware threats and keep data safe. Here's a look at what he discovered.

      Ransomware made a huge splash in 2016. There's no denying the motivation here: Money—as in virtually untraceable, digital cryptocurrency—has made this segment of the security realm nearly unstoppable. And if it continues to grow as projected, its reach will extend to more and more users, bringing in tens of millions of dollars for threat actors wishing to cash in on the epidemic.

      So what does this mean for your data if it's something that can't be stopped? Well, many of the best practices still apply. For instance, making sure you're up to date on system and application patches, rolling out modern antivirus with malware protection that is both updated and that actively runs in the background, and performing multiple scheduled backups are good computing habits. Of course, staying clear of questionable websites and not clicking on links or attachments sent to you via email, social media, or just about anywhere are excellent safety guidelines to practice too. But even with all that, you're still susceptible to data compromise. So what's next?

      Well, next might be RansomFree. This proactive ransomware detection application watches your computer for files being accessed and monitors their interaction closely to determine whether encryption is taking place. Using behavioral detection techniques, if RansomFree determines the behavior being displayed to be ransomware, it immediately halts the process and flags it, creating an alert onscreen. At that point, the user must authorize the process before it will proceed, according to RansomFree's developer.

      But should we just take their word for it? I didn't! I set out to test it first-hand to determine whether the application works as advertised. I purposely infected my Windows-based computer with a strain of ransomware to assess RansomFree's real-life capabilities... and the results documented are nothing less than impressive.

      First, a warning. DO NOT INFECT YOUR COMPUTER WITH RANSOMWARE! For the purposes of this test, I created a virtual machine (VM) sandbox environment with a clean copy of Windows and Office. This VM was isolated from other computers on the network, as well. Furthermore, no patches or updates were made to the VM nor was it running any type of malware protection whatsoever.

      Seeing how the ransomware operates

      Since I have experience cleaning up the devastation left behind by malware—but not with infecting a machine on purpose—I decided to run this test twice after taking a snapshot of the VM as a point-in-time prior to the introduction of malicious code. The first time through, I would do so without RansomFree to see how the ransomware would operate on the system. Once it was confirmed to have worked, I would rerun the test with RansomFree installed to gauge how effective it was against this strain of ransomware, since now I'd have a good idea of what to look for ...

      Please read the rest of article with images at:
      Ref: < http://www.techrepublic.com/article/i-infected-my-computer-with-ransomware-to-test-ransomfrees-protection-for-windows/ >
  11. In a rather worrying new report coming from Kaspersky Lab, it was revealed that in last year's fourth quarter, about a fifth of all spam emails carried ransomware with them. While this is reason enough for everyone to worry and triple check any incoming email, it's not exactly a surprise given the skyrocketing popularity of ransomware among hackers.

      According to Kaspersky's Spam and phishing in 2016 report, the volume of spam emails in 2016 rose to over 58% of overall email traffic, which is over 3% more than in 2015. As per usual, the US remained the biggest source of spam with 12% of it coming from computers across the 50 states. Second place is occupied by Vietnam, with 10.3%, while the third spot goes to India with 10.15%.

      When it comes to the countries that are most targeted by malicious emails, Germany takes the lead with little over 14%. The second spot goes to Japan with nearly 7.6% and China with 7.3%.

      As mentioned before, phishing attacks, in particular ransomware infections, have grown quite a bit in the financial sector and across other businesses, places where attackers could make a little bit more money. Kaspersky notes that in 2016 the average proportion of phishing attacks against customers of financial institutions was over 47%, up from the 34% of the previous year.

      "In 2016, fraudulent spam exploited the theme of major sporting events: the European Football Championship, the Olympic Games in Brazil, as well as the upcoming World Cups in 2018 and 2022. Typically, spammers send out fake notifications of lottery wins linked to one of these events. The content of the fake messages wasn’t exactly very original: the lottery was supposedly held by an official organization and the recipient’s address was randomly selected from millions of other addresses. To get their prize, the recipient had to reply to the email and provide some personal information," the report reads, indicating just some of the techniques used by attackers.

      Another topic exploited in spam mailings was terrorism. Numerous Nigerian letters were sent to users on behalf of state organization employees and individuals, detailing various stories. The purpose was always the same, however, promising large sums of money to make them join the conversation.

      Most popular ransomware

      The most popular were mass spam mailings sent out to infect user computers with the Locky encryptor, but other ransomware such as Petya, Cryakl and Shade were also quite widespread. In total, in 2016, the anti-phishing system on computers running Kaspersky Lab was triggered nearly 240 million times, four times more frequently than the year before.

      This whole report is just a great reminder to never click on emails from people you don't know, and even when you receive emails from someone you do know, to be wary of downloading any files unless you can confirm the sender is who they say they are and it's not a spoofed address instead.

      Ref: < http://news.softpedia.com/news/a-fifth-of-spam-emails-sent-in-2016-distributed-ransomware-513187.shtml >
  12. Cerber Ransomware Switches To .CERBER3 Extension For Encrypted Files

      A new version of the Cerber Ransomware has been discovered by AVG security researcher Jakub Kroustek that switches from the .CERBER2 extension to .CERBER3 for encrypted files. When I tested this new sample, there were some minor outward differences between this version and the previous version. The most notable difference is that this new version will now append the .CERBER3 extension to encrypted files. This is shown in the sample pictures folder shown below.

      Encrypted Files

      Another notable difference is that this version has changed the ransom note names to # HELP DECRYPT #.html, # HELP DECRYPT #.txt, and # HELP DECRYPT #.url. The previous Cerber version had also sent UDP packets to the range of IP addresses. This version appears to be using the range for statistical purposes.

      As this version is further analyzed, more information may become available. When this happens, I will be sure to update this article.
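      The macOS Patcher write-up (post 9) and this Cerber post both give file-system indicators a responder can sweep a machine for: the note names README!.txt and # HELP DECRYPT #.txt/.html/.url, the .cerber3 extension, and the modification time Patcher forces to midnight on 13 Feb 2010. The following Python scanner is an added example written for this thread, not code from either article. The sample tree it builds is constructed in a temporary directory; treating the Patcher timestamp as local midnight (what touch -t 201002130000 produces) is an assumption, and a hit on the timestamp alone is a lead to look at, not a verdict.

```python
"""Sweep a directory tree for the file-system indicators described in the
Cerber .CERBER3 post and the macOS Patcher post: ransom-note file names,
the .cerber3 extension, and a modification time forced to midnight on
2010-02-13.

Added example for this thread, not code from either write-up. The sample
tree is constructed in a temporary directory. Assumptions: the note names are
matched case-insensitively, and the Patcher timestamp is taken as local
midnight, which is what `touch -t 201002130000` sets.
"""
import os
import sys
import tempfile
import time

RANSOM_NOTES = {"readme!.txt", "# help decrypt #.txt",
                "# help decrypt #.html", "# help decrypt #.url"}
ENCRYPTED_EXT = {".cerber3"}
# Same epoch value `touch -t 201002130000` would produce on this machine (assumed local time).
PATCHER_MTIME = int(time.mktime((2010, 2, 13, 0, 0, 0, 0, 0, -1)))


def scan(root):
    """Return [(path, indicator)] for every file under root that matches an indicator."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in RANSOM_NOTES:
                findings.append((path, "ransom note name"))
            ext = os.path.splitext(lower)[1]
            if ext in ENCRYPTED_EXT:
                findings.append((path, "encrypted-file extension " + ext))
            try:
                mtime = int(os.stat(path).st_mtime)
            except OSError:        # unreadable, or gone between listing and stat
                continue
            if mtime == PATCHER_MTIME:
                findings.append((path, "mtime forced to 2010-02-13 00:00"))
    return findings


def summarize(findings):
    """Count hits per indicator: notes plus many extension hits reads very differently from one stray timestamp."""
    counts = {}
    for _path, indicator in findings:
        counts[indicator] = counts.get(indicator, 0) + 1
    return counts


def build_sample_tree():
    """Constructed tree: two notes, one .cerber3 file, one file carrying the Patcher timestamp, one benign file."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for note in ("README!.txt", "# HELP DECRYPT #.html"):
        with open(os.path.join(docs, note), "w") as f:
            f.write("constructed ransom note\n")
    with open(os.path.join(docs, "budget.xlsx.cerber3"), "wb") as f:
        f.write(b"\x00constructed ciphertext")
    zipped = os.path.join(docs, "photo.jpg.zip")
    with open(zipped, "wb") as f:
        f.write(b"PK\x03\x04constructed encrypted archive")
    os.utime(zipped, (PATCHER_MTIME, PATCHER_MTIME))
    with open(os.path.join(docs, "notes.txt"), "w") as f:
        f.write("benign\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    hits = scan(target)
    for path, indicator in hits:
        print("%-60s %s" % (path, indicator))
    print(summarize(hits))
```

      Point it at a user profile or a mounted evidence image with the directory as the only argument; without one it scans the constructed sample tree. On a live Mac the /Volumes paths the Patcher post mentions are worth including, since the malware walks them after the home directory.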
  13. Cyber criminals are now turning to ransomware more than ever

      Everyone knows Russian hackers are extremely busy people, but knowing that about 75% of all ransomware is made by Russian-speaking cyber criminals is still surprising. According to senior malware analyst at Kaspersky Lab, Anton Ivanov, out of the 62 crypto ransomware families discovered by the company's researchers in the past year, 47 of them were developed by Russian or Russian-speaking people.

      "This conclusion is based on our observation of underground forums, command and control infrastructure, and other artefacts which can be found on the web. It is hard to draw strong conclusions on why so many of the ransomware families out there have a Russian origin, but it is safe to say that this is because there are a lot of well-educated and skilled code writers in Russia and its neighboring countries," Kaspersky's analysis reads.

      Kaspersky data shows that all ransomware families attacked more than 1.4 million people around the globe in 2016, which is a massive number of people who have either paid up to get their data back or said goodbye to their files altogether. And, keep in mind, 75% of those ransomware variants used for these attacks were made by Russian-speakers.

      Of course, there are ways to bypass ransomware, from free decryption tools for certain variants to initiatives such as No More Ransom which will offer free help to those seeking to get rid of the spies on their devices.

      The new old tool of cyber criminals - ransomware

      Analyzing the attack stats for 2016, Kaspersky further noticed that a regular user was attacked with encryption ransomware on average every 10 seconds, while organizations were hit about every 40 seconds. The frequency of attack has grown considerably over the past few years, and we're even noticing spikes throughout the year. Ransomware is by no means a new type of malware out into the wild; it's been around for over a decade. Hackers are now discovering, however, just how much more profitable it can be to use this type of attack.

      Ref: < http://news.softpedia.com/news/three-quarters-of-all-ransomware-signed-by-russian-speakers-513050.shtml >
  14. The network security firm said ransomware was the payload of choice for malicious email campaigns and exploit kits in 2016, with Locky claiming the title as the most popular payload globally.

      Ransomware attacks on businesses large and small reached 638 million last year, up from 2015's 3.8 million, network security firm SonicWall has reported. In its 2017 Annual Threat Report, SonicWall said the rise of ransomware in 2016 was unlike anything it had seen in recent years, noting that the 634.2 million instance increase was "meteoric" in nature.

      "By the end of the first quarter [of 2016], $209 million in ransom had been paid by companies, and by mid-2016, almost half of organisations reported being targeted by a ransomware attack in the prior 12 months," the report said.

      The ransomware growth was an upward climb throughout the year, SonicWall said, and expected the increase to continue into 2017. The first major spike in ransomware was experienced in March 2016, when attack attempts shot up from 282,000 to 30 million over the course of the month, for a first-quarter total of 30.9 million hits. The report shows the upward trend continued throughout the year, with the fourth quarter closing at 266.5 million ransomware attack attempts.

      SonicWall attributed the growth of ransomware to easier access in the underground market, which it said was supported by the low cost of conducting a ransomware attack, the ease of spreading it, and the low risk of being caught or punished. "The rise of ransomware-as-a-service (RaaS) made ransomware significantly easier to obtain and deploy," the report said. "Individuals who wanted to profit from ransomware didn't need to be expert coders, they simply needed to download and deploy a malware kit." Typically, RaaS providers offer their malware for free, while SonicWall explained that others charged a flat rate of typically $100.

      According to SonicWall, another factor driving ransomware was the mass adoption of bitcoin, noting that before the cryptocurrency existed, payments were able to be tracked.

      Industry verticals were targeted almost equally, SonicWall said, with the mechanical and industrial engineering industry reaping 15 percent of average ransomware hits, followed by a tie between pharmaceuticals and financial services at 13 percent, and real estate claiming 12 percent of the total ransomware hits.

      Geographically speaking, the report highlighted that companies in the United Kingdom were three times as likely as United States-based ones, despite the US experiencing the highest number of ransomware attacks in 2016. China was flagged as least likely to be targeted, with SonicWall attributing this to the country's restricted access to bitcoin and low usage of Tor.

      While SonicWall said many victims of ransomware chose not to publicise the attacks, it highlighted several breaches that received attention. The San Francisco Municipal Transit Authority had to open its fare gates in November when a ransomware attack took down its payment and email systems, demanding 100 bitcoins -- the equivalent of $73,000 at the time. Similarly, Hollywood Presbyterian Medical Center in Los Angeles admitted to paying $17,000 in bitcoin to regain access to its data in February 2016; the Lansing Board of Water & Light revealed it had paid ransomware attackers $25,000 in April; and in September, hosted desktop and cloud provider VESK handed over approximately $22,800 in bitcoins as a result of a ransomware attack.

      "Each of these organisations, and the countless others who were hit with ransomware, faced an urgent and terrifying decision: Whether or not to pay the ransom," the report said. "Those who opted to pay were sometimes able to negotiate a lower ransom to regain access to their systems."

      SonicWall explained that in some instances, paying the ransom did not guarantee access to data, as was the case with the Kansas Heart Hospital that was attacked in May 2016. According to the security firm, only 42 percent of victims were able to fully recover their data from a backup.

      The most popular payload for malicious email campaigns in 2016 was the Locky ransomware, SonicWall said, which was utilised in more than 500 million total attacks throughout the year, compared with second placed Petya, which was only used in 32 million attacks. Locky was most commonly delivered via email as a Microsoft Word document attachment under the guise of an invoice from a vendor requiring payment. When the attachment is opened, the end user would be instructed to enable macros, which would set off a chain reaction leading to the encryption of the user's files and the service of a ransom demand.

      Locky evolved to become the most notorious ransomware threat during 2016, security vendor Forcepoint also noted, and the second-most common malware threat by November. Although Locky experienced a lull over Christmas, security experts have said it shows no signs of slowing down, with instances of Locky once again on the up.

      SonicWall officially spun out of Dell Technologies as an independent company in November, with private equity firm Francisco Partners and hedge fund Elliott Management completing the $2 billion acquisition of the technology giant's software arm.

      By Asha McLean
      Source: http://www.zdnet.com/article/sonicwall-reports-638-million-instances-of-ransomware-in-2016/
  15. Microsoft’s New Windows 10 Version Is Malware, Epic CEO Says

Tim Sweeney can’t stop his rant against Windows 10 Cloud

In a series of tweets, Sweeney calls Windows 10 Cloud “ransomware,” a form of malware that compromises computers by locking down files and asking for a ransom to restore access. “Windows Cloud is ransomware: It locks out Windows software you previously bought and makes you pay to unlock it by upgrading to Windows Pro,” he said in a tweet dated February 7. “Firefox blocked. Google Chrome blocked. Google search blocked as web browser search option. OpenGL, Vulcan, OpenVR, Oculus VR blocked,” he continued. “Microsoft is making a huge move against the whole PC ecosystem: @Adobe, @Autodesk, #Valve, @EA, @Activision, @Google, @Mozilla. All blocked. Windows Cloud will steal your Steam PC game library and ransom it back to you...for a price.”

The Windows 10 Cloud story

So is this thing true? Not at all, and it all starts with the purpose of Windows 10 Cloud, which by the way, is not yet confirmed and we don’t even know if everything we heard about it is true. First and foremost, Windows 10 Cloud appears to be a version of the Windows 10 operating system that exclusively focuses on Store apps, just like Windows RT did when it was launched in 2012 with the Surface RT. There is a good chance that Windows 10 Cloud would be offered to OEMs completely free to install it on their devices, and this contributes to lower prices when these models hit the shelves. Microsoft is expected to offer a built-in upgrade option that would allow Windows 10 Cloud users to switch to Windows 10 Pro, and thus get Win32 app support, should they pay for a license. This is pretty much what Sweeney is criticizing, claiming that once users pay for the upgrade, they get access to Win32 apps (this is also most likely the reason he calls Windows 10 Cloud “ransomware”).
And yet, this is by no means ransomware, but only a way to bring cheaper devices to the market and boost adoption of UWP apps. The Epic CEO, however, is also criticizing Microsoft’s aggressive push for universal apps, claiming that the company is actually trying to destroy the Win32 ecosystem by forcing users to switch to Store apps entirely. Windows Cloud is ransomware: It locks out Windows software you previously bought and makes you pay to unlock it by upgrading to Windows Pro. — Tim Sweeney (@TimSweeneyEpic) February 7, 2017 Source
  16. Avast Releases Three New Decryption Tools to Fight Ransomware

There are now 14 anti-ransomware tools available from Avast

“In the past year more than 200 new strains of ransomware were discovered, it’s growth of in-the-wild samples two-folded, but the good news is that hundreds of millions of Avast and AVG users were protected against this popular threat,” reads a blog post signed by Jakub Kroustek, reverse engineer and malware analyst at Avast.

The three new decryption tools address three different ransomware strains – HiddenTear, Jigsaw and Stampado/Philadelphia. Some solutions for these particular strains are already available, coming from other security researchers. Avast decided, however, that it is always best to have multiple options. That’s because these three strains are particularly active and frequently encountered, especially in the past few months. Since the encryption keys used update often, so must the decryption tools. In the end, whether it’s Avast’s tools or those made by other security researchers that work against the ransomware, it’s all for the same purpose.

“Last but not least, we were able to significantly speed-up the decryption time, more precisely the password brute-force process, so e.g. some of the HiddenTear variants will be decrypted within minutes instead of days. The best results are achieved when decrypting files directly from the infected machine,” Kroustek writes.

Decrypting HiddenTear

HiddenTear has been around for a while and the code is actually hosted on GitHub. Given the fact that it is so present, many hackers have gone and tweaked the code and started using it. Encrypted files have a wide range of extensions: .locked, .34xxx, .bloccato, .BUGSECCCC, .Hollycrypt, .lock, .saeid, .unlockit, .razy, .mecpt, .monstro, .lok, .암호화됨, .8lock8, .fucked, .flyper, .kratos, .krypted, .CAZZO, .doomed. and more. After all the files are encrypted, a text file will appear on the user’s desktop.

Decrypting Jigsaw

Jigsaw was first spotted in the wild in March 2016, and many of its strains use the picture of the Jigsaw Killer from the same-name movie in the ransom screen. Files encrypted after the computer was infected with Jigsaw will have one of the following extensions: .kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .xyz, .versiegelt, .encrypted, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, .hush. Keeping up with the movie script, the malware will delete a file per hour if you don’t pay up.

Decrypting Stampado

This particular ransomware has been around since August 2016, and it’s being sold on the dark web. Multiple versions have been circulating on the Internet, one of them is called Philadelphia. More often than not, Stampado adds the .locked extension to the encrypted files. Stampado will delete a new file every 6 hours unless you pay the ransom.

Check out Avast’s list of anti-ransomware tools and see if you can find one to help you out. Source
  17. Cockrell Hill, Texas has a population of just over 4,000 souls and a police force that managed to lose eight years of evidence when a departmental server was compromised by ransomware. In a public statement, the department said the malware had been introduced to the department's systems through email. Specifically, it arrived "from a cloned email address imitating a department issued email address" and after taking root, requested 4 Bitcoin in ransom, worth about $3,600 today, or "nearly $4,000" as the department put it. It was at this point that the cops' backup procedures were tested and found to have failed to account for the mischief. When recovery was attempted, they realised they had only managed to back up the encrypted files. The cops then spoke to the FBI "and upon consultation with them it was determined there were no guarantees that the decryption file would actually be provided, therefore the decision was made to not go forward with the Bitcoin transfer and to simply isolate and wipe the virus from the servers". Guarantee or not, the criminals operating ransomware schemes often do indeed decrypt the hijacked files if victims pay up. This is simple economics: if the criminal has a reputation for receiving money without decrypting the files, then their victims will be discouraged from paying up, and this is all about the money. The ransomware is described as having "affected all Microsoft Office Suite documents, such as Word documents and Excel files. In addition, all body camera video, some in-car video, some in-house surveillance video, and some photographs that were stored on the server were corrupted and were lost." While the police state that the malware "was determined to be an 'OSIRIS' virus" no such virus actually exists. Instead, the police seem to have been confused by a new extension being used by the Locky ransomware, which renames the files it encrypts and gives them a .osiris extension. 
According to news channel WFAA, which broke the story, the department initially discovered the infection back in December, but had not gone public with the information. Instead, the news began to emerge "when the department began alerting defense attorneys that video evidence in some of their criminal cases no longer exists". Stephen Barlag, Cockrell Hill's police chief, said of the encrypted docs: "None of this was critical information." WFAA quoted J Collin Beggs, a criminal defence lawyer in Dallas, who said: "That depends on what side of the jail cell you're sitting," referencing a client of his, charged in a Cockrell Hill case involving some of the lost video evidence. Beggs bemoaned the loss of the video evidence, stating it was significant to his client and to others that the department has charged. "It makes it incredibly difficult if not impossible to confirm what's written in police reports if there's no video," Beggs said. "The playing field is already tilted in their favor enormously and this tilts it even more." Beggs said he has asked the FBI for proof that the computer virus incident happened. An FBI spokeswoman on Wednesday told News 8 that the bureau does not "confirm or deny the existence of an investigation." Chief Barlag contacted The Register shortly after the publication of this article to let us know: "We have been or will be able to recover most if not all of our digital evidence. I am not aware of any criminal cases that will be dropped as a result of this virus." ® Updated to add Stephen Barlag, chief of Cockrell Hill police, has been in touch to say: "We have been or will be able to recover most if not all of our digital evidence. I am not aware of any criminal cases that will be dropped as a result of this virus." Source
  18. Hotel guests at a luxury resort in Austria were locked out of their rooms after it was targeted with ransomware by hackers, who broke into the organisation's electronic key system and disabled the electronic locking. And the hotel is one of just dozens in the area that have been targeted in this way, according to its managing director. The latest attack coincided with the opening weekend of the winter season when the hotel was fully booked, and forced the Romantik Seehotel Jaegerwirt resort in Austria to pay up the ransom of €1,500 in bitcoin in order to allow guests to return to their rooms, as well as restoring access to parts of the hotel that were also locked as a result. Fortunately, a standard safety feature of the automated system meant that guests could leave their rooms, although they would've been unable to get back in while the systems were down. Managing Director Christoph Brandstaetter told The Local: "The house was totally booked with 180 guests, we had no other choice. Neither police nor insurance help you in this case." However, it was the third time that the hotel has been targeted in this way, prompting Brandstaetter to finally conduct a clean sweep of the organisation's IT - finding a backdoor that the attackers had used in order to return and demand more money. "The restoration of our system after the first attack in summer has cost us several thousand Euros. We did not get any money from the insurance so far because none of those to blame could be found," he continued. A fourth attempt, according to Brandstaetter, was foiled because of the IT security upgrades the organisation took following the third successful attack. And to make sure it never happens again, when the hotel undergoes its next refurbishment Brandstaetter is planning to change the locks - to "old-fashioned door locks with real keys". Source
  19. A ransomware family named Netix (RANSOM_NETIX.A) is targeting users who use special applications to access hacked Netflix accounts, locking their files and demanding a ransom payment of $100.

First discovered by Karsten Hahn of G Data and analyzed by the Trend Micro team, this ransomware is spread via an application named "Netflix Login Generator v1.1.exe," which when executed appears to provide the user with a Netflix username and password.

Netflix Login Generator v1.1.exe app (via Trend Micro)

These username and password combos never work, as the ransomware authors are just buying time to let the ransomware contained within the app perform its encryption. According to researchers, the ransomware targets only 39 file types, which is less than most other ransomware families, and it only goes after the files located in the user's "C:\Users" folder alone, and not the entire hard drive. The following file types are targeted for encryption:

.ai, .asp, .aspx, .avi, .bmp, .csv, .doc, .docx, .epub, .flp, .flv, .gif, .html, .itdb, .itl, .jpg, .m4a, .mdb, .mkv, .mp3, .mp4, .mpeg, .odt, .pdf, .php, .png, .ppt, .pptx, .psd, .py, .rar, .sql, .txt, .wma, .wmv, .xls, .xlsx, .xml, .zip

Under the hood, when the user executes "Netflix Login Generator v1.1.exe," the file extracts and drops another file named "netprotocol.exe" on the user's machine, which it executes immediately. This file is the actual Netix ransomware, which starts encrypting files with the AES-256 encryption algorithm, but only if the user's computer is running Windows 7 and Windows 10. After the encryption process ends, the ransomware contacts an online server, where it sends the infection ID and other details, but from where it also downloads the ransom notes it displays on the user's machine. The ransom notes are in the form of an image displayed as the user's desktop wallpaper, and a text file dropped on his PC.

Netix desktop wallpaper (via Trend Micro)

Netix ransom note (via Trend Micro)

The ransomware asks for $100 as payment in the Bitcoin digital currency and invites users to visit a website in order to pay the ransom and receive their decryption key. Users can recognize Netix infections because the ransomware appends the .se extension at the end of all locked files.

Is it worth it?

"Does getting your important files encrypted worth the piracy?" the Trend Micro team asks. The answer is obviously no. Compared to past years, Netflix is now available in over 190 countries, and a monthly subscription costs between $9 and $15, depending on your country. Paying the $100 ransom to recover files locked by this threat is not a guarantee that users will get access back to their files either, as many ransomware families come with bugs that make a recovery impossible in some cases.

Nowadays, crooks have understood that pirated apps are the easiest way to spread their payloads. You can be almost certain that any pirated app downloaded from torrent portals contains at least some sort of adware or infostealer, if not worse. Article source
  20. Yesterday, Brad Duncan, a Threat Intelligence Analyst for Palo Alto Networks Unit 42, wrote a blog article discussing how the EITest Chrome Font Update campaign is now distributing the Spora Ransomware. Previously, ProofPoint researcher Kafeine discovered this attack chain distributing the Fleercivet Ad Clicking Trojan, but with the popularity and successful revenue generation of ransomware, it is not surprising to see malware distributors testing this type of infection as well. As Spora diverges from most ransomware with the offering of a menu of different payment options, this could allow for a greater volume of payments compared to ransomware that only uses a single large ransom option.

As I am concerned that many people will be tricked by this attack and become infected with Spora, I wanted to provide a description as to how this attack works so people can recognize and avoid it.

How the Chrome Font Pack Update Attack Works

In order to protect yourself from the current EITest Chrome Font Update attack, it is necessary to understand how the attack works. In order to implement this attack chain, the EITest actors first hack legitimate web sites and add JavaScript code to the end of the page. This code will cause the page to look like gibberish and then display a popup alert stating that Chrome needs a "Chrome Font Pack" in order to see the page properly again. An example of how this code looks in the source can be seen below.

Injected JavaScript (Source: malware-traffic-analysis.net)

When a visitor goes to this page, the script will scramble the text of the page so it's not readable and then display a pop-up alert that states the page is not displaying properly because the "HoeflerText" font is missing. It then prompts you to click on the Update button in order to download the "Chrome Font Pack" as seen below.

Fake Google Font Pack Prompt (Source: malware-traffic-analysis.net)

When a user clicks on the Update button, the popup will automatically download a file called Update.exe and save it to the default download folder. The criminals will then show you a "helpful" screen that tells you how you can find and execute the program.

Instructions on how to Execute the Update.Exe Program (Source: malware-traffic-analysis.net)

The good news is this downloaded program is not automatically started and a victim must manually execute the program to become infected. The EITest gang are hoping that by pretending it is a Google Font for Chrome, they can trick people into actually running the file. Once a victim actually double-clicks and executes the file, the crap hits the fan and the computer becomes infected.

In the previous Chrome Pack campaign, the Update.exe was called Chrome_Font.exe and would install the Ad Clicking Trojan called Fleercivet. In this round, EITest has changed the filename to Update.exe, which is actually the installer for the Spora Ransomware. Once this executable is launched, Spora will begin to encrypt a victim's data and most data files will become encrypted and unusable. When finished encrypting a victim's files, Spora will display a ransom note similar to this one, where a victim can login to the Spora payment site and determine the ransom amount or make payments.

Spora Ransom Note

Unfortunately, at this time there is no way to decrypt the files encrypted by Spora Ransomware for free. For those who need help with this infection or just want to discuss it, you can use the dedicated Spora Ransomware Support and Help Topic.

What everyone should take away from this is that if you see a popup on a page stating that you need to download a Chrome Font Pack, you should immediately close the browser and not visit the site again. An alert like this is just an indication that something is not right with the site and it should be avoided.

Sample of Update.exe: https://www.virustotal.com/en/file/d5a1c143b07475b367d2e12ff72fe5a3ec59c42fa11ae2d3eb2d4e76442e60b3/analysis/

Article source
  21. In this week’s Tales From Ransomware, we take a look at a ransomware that isn’t really ransomware. Nor even malware. But it can hijack your server anyway.

A few days ago we saw a typical Remote Desktop Protocol (RDP) attack, which led us to believe that it was a similar attack to the one we told you about a few months ago which cybercriminals are using to infect devices with ransomware. But we were very wrong. First of all because instead of encrypting data, it locks the desktop with a password that the victim doesn’t know. Secondly, it does not demand a ransom (!) in exchange for the credential, but rather seeks to keep the device locked for as long as possible so that it can be used for bitcoin mining for as long as possible. And thirdly, it doesn’t use malware as such.

Once they’ve gained access to your machine by brute force (this particular server was fielding 900 attempts daily) the attacker copies a file called BySH01.zip. This in turn contains:

  • BySH01.exe (executable through AutoIt)
  • 7za.exe (goodware, the well-known free tool 7zip)
  • tcping.exe (goodware, a tool for performing TCP pings)
  • MW_C.7z (a compressed password-protected file), which contains:
    • An application (goodware) for bitcoin mining
    • An application (goodware) for blocking the Windows desktop

The attacker runs the BySH01.exe file, and the following interface appears:

Кошелек – Wallet; Имя воркера – User Name; Количество ядер – Number of cores; Пароль – Password; Локация – Location; Пусть установки – Installation path; Расширения системы – Processor Extension; Порт – Port; Добавить в автозагрузку – Add to startup; Установить – Install; Удалить – Delete; Тест – Test; Пинг – Ping; Локер – Locker

With the help of our colleagues at Panda Russia, those of us who don’t know Russian can get an approximate idea of what it’s telling us with the above word list.

Basically, the bitcoin mining application uses this interface to configure how many cores to use, what extension of processor instructions to use, what “wallet” to send the bitcoins to, etc. Once the desired configuration is selected, the attacker clicks on Установить to install and run the bitcoin mining application. The application is called CryptoNight, which was designed for mining bitcoins using CPUs. Then they click on Локер, which installs and runs the desktop lock application. It is the commercial application Desktop Lock Express 2, modified only so that the information shown in the properties of the file is the same as that of the system file svchost.exe. Finally it clears all the files used in the attack except CryptoNight and Desktop Lock Express 2.

Desktop Lock Express 2, the application used by the attackers.

We detected and blocked several attacks in different countries. Examples such as this one show how, once again, cybercriminals take advantage of weak passwords that can be guessed using the brute force method over a given period of time. Malware is no longer necessary to gain access to the system, so it’s up to you to use a robust password that will keep out unwanted visitors.

Tips for the System Admin

In addition to using a solution like Adaptive Defense, which detects and prevents this kind of attack, a couple of tidbits of advice for all administrators who have to have an open RDP:

  • Configure it to use a non-standard port. What 99.99% of cybercriminals do is track all Internet on TCP and UDP ports 3389. They might bother to track others, but they do not have to, since most do not change these ports. Those who do change ports do so because they are careful about security, which probably means that their credentials are already complex enough to not be gotten by brute force within any reasonable amount of time.
  • Monitor failed RDP connection attempts. Brute force attacks can easily be identified in this way, since they use automated systems and can be seen making a new attempt every few seconds.

Article source
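The second tip above (watch failed RDP logons and look for the machine-like cadence of a brute-force tool) can be turned into a small detection routine. The following is an added example, not code from the article or from Panda Security: it parses a constructed, simplified rendering of Windows Security events (Event ID 4625 is a failed logon, 4624 a successful one, Logon Type 10 is RemoteInteractive, i.e. RDP) in a one-line-per-event form, flags any source address that piles up failures inside a sliding window, and reports the mean gap between attempts from that source. The log lines, addresses and account names are all constructed.

```python
"""Spot RDP brute-force activity in Windows Security log events.

Added example; it is not from the article or from Panda's products. The records
below are constructed, simplified renderings of Event ID 4625 (failed logon) and
4624 (successful logon) in the form "<timestamp> <event_id> <logon_type> <user> <ip>".
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Logon Type 10 is RemoteInteractive (RDP). 198.51.100.23
# hits the server every three seconds with a different account name each time;
# 192.0.2.10 is a user who mistypes a password once and then logs in.
SAMPLE_EVENTS = """\
2017-01-20T03:14:01 4625 10 administrator 198.51.100.23
2017-01-20T03:14:04 4625 10 admin 198.51.100.23
2017-01-20T03:14:07 4625 10 root 198.51.100.23
2017-01-20T03:14:10 4625 10 user 198.51.100.23
2017-01-20T03:14:13 4625 10 test 198.51.100.23
2017-01-20T03:14:16 4625 10 guest 198.51.100.23
2017-01-20T03:20:00 4625 10 jsmith 192.0.2.10
2017-01-20T03:20:45 4624 10 jsmith 192.0.2.10
2017-01-20T03:30:00 4625 3 svc_backup 203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")

FAILED_LOGON = 4625
# With Network Level Authentication enabled, RDP failures may be recorded with
# Logon Type 3 instead; widen this set if that matches your environment.
RDP_LOGON_TYPES = {10}


def parse_events(text):
    """Turn the one-line records into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, logon_type, user, ip = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "ip": ip,
        })
    return events


def find_bruteforce_sources(events, threshold=5, window=timedelta(seconds=60),
                            logon_types=RDP_LOGON_TYPES):
    """Return {ip: peak failures seen inside one window} for every source that
    reaches `threshold` RDP logon failures within any sliding window."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] not in logon_types:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # q never empties: its last entry is ev itself
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


def mean_failure_interval(events, ip):
    """Average seconds between consecutive failed logons from one source, or None
    if there are fewer than two. Automated tools show a tight, regular cadence."""
    stamps = sorted(e["ts"] for e in events
                    if e["ip"] == ip and e["event_id"] == FAILED_LOGON)
    if len(stamps) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return sum(gaps) / len(gaps)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ip, count in find_bruteforce_sources(evs).items():
        print(f"{ip}: {count} RDP failures within 60s, "
              f"mean gap {mean_failure_interval(evs, ip):.1f}s")
```

On the constructed data only 198.51.100.23 is flagged: six failures inside a minute, three seconds apart. The legitimate user's single failure and the non-RDP (Logon Type 3) failure are left alone. On a real host the same logic would be fed from the Security event log rather than a string, and the threshold and window tuned to the server's normal traffic.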
  22. Bitdefender 2017 Build

Overview: The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward BitDefender outstanding results through numerous prizes and certifications are: Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark, PC World Top 100, just to name but a few.

Homepage: https://www.bitdefender.com/
Changelog: https://forum.bitdefender.com/index.php?/topic/74787-latest-changelog/

A new Bitdefender Classic Line product update has been released with the following details:

Affected software:
  • Bitdefender Total Security 2017
  • Bitdefender Internet Security 2017
  • Bitdefender Antivirus Plus 2017

Platform: x86, x64
Version:

This version fixes the following issues:
  • Fixed a crash caused by the Update module
  • Fixed a rare crash caused by SafePay
  • Fixed an issue with the Firefox extension signatures
  • Fixed an issue causing the Bitdefender window to shift to the right
  • Fixed an issue causing the Wallet to prompt for the account on the same browser session
  • Fixed an issue where the Agent failed to stop
  • Fixed an issue where the Wallet would display empty lists when scrolling down the menu
  • Fixed a rare crash causing vsserv to crash
  • Fixed a crash caused by SafePay
  • Fixed a crash caused by the Agent
  • Fixed an issue causing the Agent not to deploy properly
  • Fixed an issue where the Custom Scan would not start at the proper time
  • Fixed an issue where the email archives would be purged from the Quarantine
  • Fixed a rare issue causing the Uninstaller to crash
  • Fixed an issue where the Security Report would show the improper period
  • Fixed an issue where the product would revert the default language to English after a repair
  • Fixed an issue where SafePay would not keep the zoom settings from the previous session
  • Fixed an issue causing SafePay to be unable to open PDF files

The following improvements were included:
  • The product now complies with the Microsoft DSA requirements
  • Several improvements to the install engine
  • Improved repair process
  • Several improvements to the On-Access engine
  • Product interface fixes and improvements
  • Improved SafePay's functionality
  • Several improvements to the product's self-defense mechanism
  • Improved the way the Support Tool gathers Bitdefender related information
  • Improvements to the Firewall engine
  • Improved Wallet's compatibility with several websites
  • Added support for the Polish language
  • Some improvements to the event engine
  • Improved the way the product handles remote tasks (example: system scan from Central)
  • Improved the way the product integrates with the Windows start-up process
  • Some improvements to the Update engine

KB is unavailable at this time.

Downloads:

Online Installers:
  • Bitdefender Antivirus Plus 2017
    Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
    XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe
  • Bitdefender Internet Security 2017
    Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
    XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe
  • Bitdefender Total Security 2017
    Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
    XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe

Offline Installers and Install Guide:

Checksum - 19 Jan 2017 Offline Installer Update:

bitdefender_ts_21_32b.exe (application/octet-stream) - 386983608 bytes
MD5: 0444b93b3942f8f08a3cace4915290b3
SHA-1: d868a81dd02632716216671da19b928bc20fe91c
SHA-256: f9f6c543d7e31c3289f43e0e9f85e279c0825a3df66eb7639ba496ba49535189
SHA-384: d5e643be48251de5dd77bb52318b6e1028668161630e51b1d1695864b52c469b3af02ff04e05c4d7ae3c2c89e026b8aa
SHA-512: b612ff33eb172ff7ce2978399fc706aa91fee712124ed7a91c17bf52c183a1aeda1901c2558945462271e44261b2e86187b27082fb5b35f4363f4ede78fb5474

bitdefender_ts_21_64b.exe (application/octet-stream) - 428227776 bytes
MD5: d9640741f295a8f4830b193108a164f6
SHA-1: 81906a9ade33889f2ccb1c2c0b2e0939ff1fe9ef
SHA-256: c225869fd8175ccd8dfa1c9226ed466ec3795c5049dfed5e99e2cfaa871e47f2
SHA-384: 0057846870499ceb5407a81a8ff883c1f46c18afcc911b277b8f68ef02c1dff3f1cba479e9a5b61fe2a033de6c273e02
SHA-512: b0211315a8418fa7115a354db61b50a73d522ef3b6404f7cfd6cf0e7651b987dd9656fe8db9d680ee31f93048f1f5bcd47dccb34f42cf174a9e8a62597b3bc25

Bitdefender 2017 Offline Installation Guide:
  23. Security researcher Michael Gillespie has developed a new Windows app to help victims of ransomware infections. Named CryptoSearch, this tool identifies files encrypted by several types of ransomware families and provides the user with the option to copy or move the files to a new location, in hopes that a decrypter that can recover the locked files will be released in the future.

Gillespie developed the app as a recovery and cleaning utility for computers that have been infected by undecryptable ransomware strains. In these cases, it is impossible for PC owners to recover locked files, so the best course of action is to move all the encrypted data to a backup drive and wait until security researchers find a way to break the ransomware's encryption.

Gathering all encrypted files is a different story. Ransomware works by encrypting file types, and not folders, so victims usually have encrypted files spread all over their PC, not in a few central locations. This is where CryptoSearch comes to help, by automating this search process, and the movement of these files to a new location. Once this operation finishes and PC owners have a backup of the encrypted data, they can clean up the computer by removing the ransomware's file, or optionally, wiping the hard drive and reinstalling the entire OS.

CryptoSearch works together with ID Ransomware

Under the hood, CryptoSearch works in tandem with the ID Ransomware service, meaning you have to be online when running the app. According to Gillespie, CryptoSearch will query the ID Ransomware service in order to retrieve data needed to identify the type of ransomware that has locked the user's PC.

"This program is powered by my service ID Ransomware, and thus is always updated with definitions on the latest known ransomwares and their signatures," Gillespie wrote today on the Bleeping Computer forums, where he officially launched the app. "When CryptoSearch is first launched, it will contact the website, and pull down the latest information on known extensions and byte patterns," Gillespie added. "It will identify files by known filename pattern or extension, or for some variants, the hex pattern in the encrypted file."

CryptoSearch uses this database to search the local file system, identify the ransomware infection, and then find all files locked by that ransomware. Once CryptoSearch has identified all files, the user is prompted via a menu and asked if he wants to move or copy the files, and then asked where to relocate the encrypted data. Gillespie says that CryptoSearch is smart in the way it transfers files, keeping the initial folder structure. For example, files found in "C:\Test\Folder" will be moved to "J:\Backup\C\Test\Folder".

CryptoSearch is currently in a beta development stage, meaning more features will arrive in the future. One of the currently requested features is an "offline mode" that will include static copies of the ID Ransomware database so that CryptoSearch could be used on computers not connected to the Internet. Users asked for this feature because it's a standard practice in the case of ransomware infections to isolate computers by taking them offline. There's no timeline for this feature, so you'll have to keep an eye on Gillespie's Twitter feed or the CryptoSearch Bleeping Computer forum topic.

CryptoSearch can be downloaded from here. Article source
  24. A new law that took effect in California on January 1, 2017 punishes conviction of distributing ransomware with a prison sentence of up to four years. In the past, ransomware cases were tried under existing extortion statutes. According to the bill's sponsor, California State Senator Bob Hertzberg, "This legislation provides prosecutors the clarity they need to charge and convict perpetrators of ransomware." Source
  25. A new kind of ransomware comes with its own "referrals" program, one that you probably wouldn't want to join. The malware called dubbed "Popcorn Time" locks your Windows computer's files with strong AES-256 encryption, until you a pay a ransom of one bitcoin (or $780 at the time of writing). "We are extremely sorry that we are forcing you to pay but that's the only way that we can keep living," said the ransomware note. Source