Search the Community

Showing results for tags 'ransomware'.



Found 259 results

  1. A security researcher with the nickname "Racco42" found a new campaign pushing a new Locky variant that spreads through spam emails with subject lines of the form E [date] (random_num).docx, for example E 2017-08-10 (698).docx. The message body contains "Files attached. Thanks". According to Racco42: "#locky is back with 'E 2017-08-09 (xxx).doc' campaign https://pastebin.com/Qbr66946"

     Email sample:

     From: Jeanne@[REDACTED]
     To: [REDACTED]
     Subject: E 2017-08-09 (87).xls
     Date: Mon, 24 Jul 2017 07:51:08 +0000
     Attachment: "E 2017-08-09 (87).zip" -> "E 2017-08-09 (443).vbs"

     - sender address is faked to look as if it is from the same domain as the recipient
     - subject is "E 2017-08-09 (<2-3 digits>).<doc|docx|xls|xlsx|jpg|tiff|pdf|jpg>"
     - email body is empty
     - attached file "E 2017-08-09 (<2-3 digits>).zip" contains file "E 2017-08-09 (<2-3 digits>).vbs", a VBScript downloader

     These emails have a compressed (zip) file attached that uses the same name as the subject; the attached file holds a VBS downloader script. The script contains one or more URLs that are used to download the Locky ransomware executable to the Windows %Temp% folder and then execute it. Once executed, it encrypts all files. The new Locky ransomware then modifies the file name and appends the ".diablo6" extension, after which it removes the downloaded executable and displays a ransom note that tells the victim how to pay. Sadly, it is not possible to recover the original files unless you pay a ransom of 0.49 Bitcoin (about $1,600 USD).
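An added example, not code from the post above or from Racco42: a Python triage rule that applies the indicators listed in the post (campaign-shaped subject, a zip named like the subject with a VBScript inside, a sender forged to the recipient's own domain, an empty or boilerplate body) to a few constructed sample messages. The script extensions beyond .vbs and the two-signal "review" threshold are my assumptions; the sample messages are made up, not captured mail.

```python
"""Triage rule for the Locky 'E <date> (<n>).<ext>' spam wave described above.

Added example; not code from the original post or from any mail gateway.
The messages in SAMPLES are constructed for the demo, not captured mail.
"""
import re
from dataclasses import dataclass, field

# Subject and attachment shapes quoted in the post:
#   "E 2017-08-09 (<2-3 digits>).<doc|docx|xls|xlsx|jpg|tiff|pdf>"
#   "E 2017-08-09 (<2-3 digits>).zip"  ->  "E 2017-08-09 (<2-3 digits>).vbs"
SUBJECT_RE = re.compile(r"^E \d{4}-\d{2}-\d{2} \(\d{2,3}\)\.(?:docx?|xlsx?|jpg|tiff|pdf)$", re.I)
ARCHIVE_RE = re.compile(r"^E \d{4}-\d{2}-\d{2} \(\d{2,3}\)\.zip$", re.I)
# The post only names .vbs; the other extensions are an assumption (same
# downloader technique, other Windows Script Host file types).
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
BOILERPLATE_BODIES = {"", "files attached. thanks"}


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    attachment: str                                       # outer attachment name, "" if none
    archive_members: list = field(default_factory=list)   # file names inside the zip
    body: str = ""


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def indicators(msg: Message) -> list:
    """Return the campaign indicators this message matches (empty list = none)."""
    hits = []
    if SUBJECT_RE.match(msg.subject):
        hits.append("subject-pattern")
    if ARCHIVE_RE.match(msg.attachment):
        hits.append("zip-named-like-subject")
    if any(m.lower().endswith(SCRIPT_EXTS) for m in msg.archive_members):
        hits.append("script-inside-archive")
    if domain(msg.sender) == domain(msg.recipient):
        hits.append("sender-spoofs-recipient-domain")
    if msg.body.strip().rstrip(".").lower() in BOILERPLATE_BODIES:
        hits.append("empty-or-boilerplate-body")
    return hits


def verdict(msg: Message) -> str:
    """quarantine: campaign subject plus a script inside the zip;
    review: two or more weaker signals; pass: otherwise.
    A same-domain sender or an empty body alone is too common in normal
    internal mail to block on (assumed policy)."""
    hits = set(indicators(msg))
    if {"subject-pattern", "script-inside-archive"} <= hits:
        return "quarantine"
    return "review" if len(hits) >= 2 else "pass"


# Constructed samples (not real mail). The first mirrors the post's sample.
SAMPLES = [
    Message("Jeanne@corp.example", "bob@corp.example", "E 2017-08-09 (87).xls",
            "E 2017-08-09 (87).zip", ["E 2017-08-09 (443).vbs"], ""),
    Message("alice@partner.example", "bob@corp.example", "Q3 budget",
            "budget.xlsx", [], "Hi Bob, numbers attached as discussed."),
    Message("it-helpdesk@corp.example", "bob@corp.example", "Printer fix",
            "fix.zip", ["install.vbs"], "Files attached. Thanks"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{verdict(m):10s} {m.subject!r} {indicators(m)}")
```

Running the file prints a verdict per sample. The subject pattern plus a script inside the archive is what makes this wave distinctive, so that pair alone quarantines; the forged sender domain and the empty body are corroborating signals only.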
  2. If you want to know what some ransomware developers think about the USA, you can get a good idea from the ransom note of the Sanctions Ransomware that was released in March. Dubbed Sanctions Ransomware due to the image in the ransom note, the developer makes it fairly obvious how they feel about the USA and its attempts to sanction Russia.

     [Image: Sanctions Ransom Note]

     I was tipped off about this new ransomware after someone was infected and had their files encrypted with the .wallet extension. This extension is typically associated with the Crysis/Dharma ransomware, but according to Michael Gillespie, the creator of ID-Ransomware, the files encrypted by Sanctions do not contain the standard Dharma/Crysis file markers, as shown below.

     [Image: Crysis/Dharma File Marker]

     While I have not been able to find a sample of the actual ransomware, I was able to find a copy of the ransom note on ID-Ransomware. This ransom note is called RESTORE_ALL_DATA.html and contains a link to a satoshibox page where the ransomware developer is selling the decryption key for 6 bitcoins. This equates to about $6,500 USD at bitcoin's current rate.

     [Image: Satoshibox Decryption Key Purchase]

     As this is a very large ransom payment, and due to the fact that this ransomware is not in wide circulation, it leads me to believe that this ransomware developer may be conducting targeted attacks. Unfortunately, this is all the information we have at this time. At some point we will find a sample and be able to provide more information as we further analyze this ransomware.
  3. When WannaCry hit, the news sent shivers down the world. Reports of hospital outages and super-secret tools used by the NSA (Equation Group) that could hack into any version of Windows were released to the public. During this period the community warned that more waves were soon to come. This started around June 26, 2017, primarily in Ukraine, and Binary Defense started to see some of the first large infections of Petya (or, as some are calling it, NotPetya) happening at other geographic locations early this morning. On the surface, this appeared to be another EternalBlue/MS17-010 campaign with a new variant. No one at the time knew exactly how the infection methods were being used, but multiple companies jumped the gun and reports claimed multiple avenues, including HTA attack vectors and email campaigns with attached Word and Excel documents. The motives of the malware authors are unknown; the interesting part is the geographic/demographic target this specific attack was designed for (Ukraine). Additionally, the software was designed well, unlike WannaCry, which was rudimentary in nature and had a terrible backend infrastructure for making ransom payments. While we can't determine where this specific attack came from, the targeting of Ukrainians, the development effort, and how it was deployed would indicate possible nation-state motivations and not ransomware. Regardless, it had a large impact in a short period of time and caused substantial damage to the organizations affected.

     So What Really Happened?

     A third-party software package called M.E. Doc (MeDoc), which is accounting software used primarily in Ukraine, was compromised. With any of these early warning signs, there is a lot of information and data to cut through before actually coming to a factual conclusion. Other vectors, such as Word documents, Excel documents, and obfuscated HTAs, seem to be confused reports about another campaign called Loki Bot.

     Based on the analysis, any organization that had MeDoc installed would be impacted as soon as it was updated. MeDoc is required software in Ukraine, so there was a large footprint here from Ukraine-based companies and organizations that do business in Ukraine. There is substantial evidence supporting this as the main method, and it has been confirmed by multiple organizations including Binary Defense. Initial reports look as if a hosting server, upd.me-doc.com.ua (owned by me-doc), pushed an update which was 333KB in size. Once the file was updated, this is when much of the magic started to happen.

     Why Everyone Freaked

     Unlike WannaCry, Petya used multiple techniques in order to compromise hosts in a very fast timeframe. The first technique was the EternalBlue (MS17-010) exploit. While this was occurring, other scenarios happened on the system:

     1. An older version of psexec, v1.98, is dropped onto the system as C:\Windows\dllhost.dat. The version is important because in version 2.1 of psexec, encryption was introduced for credential authentication. If you monitor command line arguments for v1.98, you can see the clear-text passwords used for authentication in this specific variant (a good indicator of the actual accounts that were used and the passwords that were compromised).
     2. A technique used by Mimikatz and other tools leveraging lsadump is used to extract clear-text passwords from memory. These are parsed and then used by WMIC and PSEXEC. We can clearly see clear-text passwords being used when executing the WMIC and PSEXEC command lines.
     3. PSEXEC and WMIC are used to attempt to spread across the network using the extracted credentials. For both the PSEXEC and WMIC methods to work, the ADMIN$ hidden share needs to be exposed and authentication must succeed in order to connect to the remote system. Below is a screenshot of the service creation starting for psexec:
     4. A file is placed at C:\Windows\perfc.dat which contains the bulk of the code to perform post-exploitation scenarios, including encryption and additional lateral movement using WMIC and PSEXEC. Once perfc.dat is written to disk, it is called by rundll32.exe, which loads it into memory and begins its attacks. Once successful, a scheduled task is run:

     schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST XX:XX

     Below is the image once your system is forced to reboot:

     The system would restart in about an hour. During this period specific file types are encrypted. Below is a screenshot of HoneyDocs being overwritten on the filesystem:

     For the rundll32, you can clearly see the import and execution of code:

     Note that the clear-text username/password is presented due to the legacy version of psexec. Since the time of the ransomware, the email address (wowsmith123456 [at] posteo.net) that was used to contact for the recovery key has been suspended, and recovering the files is not possible (at this time). This means: do not pay the ransom. The ability to extract clear-text passwords from memory and move laterally using psexec and WMI, on top of using EternalBlue, makes this specific ransomware attack particularly damaging. We have seen upwards of 5,000 endpoints compromised in less than 15 minutes. These techniques are used by attackers on a regular basis, but the automation components and destructiveness put this variant into a whole different ballgame. Again, these are all techniques leveraged in more targeted attacks and have been known for years. The tactics and automation used in these cases and the "wormable" component of EternalBlue make this specific ransomware extremely damaging for organizations, and they are the reason for the panic.

     How to Protect

     First, one of the main samples and hashes can be found at VirusTotal. SHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

     Second, through our analysis, Binary Defense discovered that either placing the file C:\Windows\perfc.dat or denying file writes to C:\Windows\perfc.dat effectively killed the ransomware and stopped the replication/spreading of the worm. This can be accomplished through group policy by creating a file in the directory. If the perfc.dat file is in place, the malicious software does not overwrite it, which effectively fixes the issue. Image screenshot credit @TonikJDK and @0daydorpher.

     This attack relied solely on a user having administrative-level rights on the impacted system and, from there, moving across the network with those credentials. Account/password re-use needs to be addressed, and limiting user rights on systems would have reduced the impact and effectiveness of this attack.

     What this Attack Tells Us

     What this attack tells us is that automation around lateral movement and targeted attacks is a problem. Password reuse continues to be the number one method attackers use to move laterally to different systems. Users that have Internet access and local administrative rights are a complete pandemic in a number of organizations. This needs to change. What we can take away from these specific attacks is that we need to focus on best practices. Everything that has been touted in the security industry as a way to enhance the overall security program would have worked in this scenario.

     1. Proper patch management: stopped the EternalBlue method
     2. No administrative-level rights: stopped the propagation and clear-text extraction of hashes

     The file dropping of perfc.dat is only a temporary solution. More proactive measures to eliminate the threat need to be investigated. If proven true, the MeDoc vector will be slightly contained to Ukrainian companies or organizations that do business in Ukraine. This could have been much, MUCH worse.

     Special thanks to a number of folks that helped with up-to-date information during the process: @HackingDave (Binary Defense CTO), @0xAmit, and @HackerFantastic

     Misc. Indicators and Information

     WMI call: process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\perfc.dat\\\" #1

     Targeted Extensions (@GasGeverij): .3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
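An added example, not Binary Defense's tooling and not code from the post: the indicators above turned into detection logic in Python and run over constructed process-creation records in the shape of Sysmon event 1 (host, image, command line). The rules look for perfc.dat loaded via rundll32, the renamed psexec at C:\Windows\dllhost.dat, the forced-reboot schtasks, and remote process creation through WMIC; because the legacy psexec and WMIC carry credentials on the command line, the same pass also harvests the clear-text account/password pairs and the hosts they were used against, which is what a responder needs in order to know which accounts to reset. The records, and the exact argument order of the psexec and WMIC invocations, are assumptions built from the fragments quoted in the post.

```python
"""Detection logic for the NotPetya lateral-movement indicators listed above,
run over constructed process-creation records.

Added example; not Binary Defense's code and not from the original post. The
EVENTS below are made up to look like Sysmon event 1 (host, image, command
line) and are not real telemetry; the argument order of the dropped psexec
and of the WMIC call is an assumption, the post shows only fragments.
"""
import re
from collections import defaultdict

RULES = [
    # perfc.dat loaded by rundll32 (locally, or as the remote command of psexec/WMIC)
    ("perfc-loaded-via-rundll32", re.compile(r"rundll32\.exe.*perfc\.dat", re.I)),
    # psexec v1.98 dropped as C:\Windows\dllhost.dat and executed
    ("renamed-psexec-dllhost.dat", re.compile(r"\\dllhost\.dat(\s|$)", re.I)),
    # forced reboot task that precedes the encryption phase
    ("forced-reboot-scheduled",
     re.compile(r'schtasks.*/RU\s+"?SYSTEM"?.*shutdown\.exe\s+/r\s+/f', re.I)),
    # remote process creation through WMI
    ("wmic-remote-process-create", re.compile(r"wmic.*/node:.*process\s+call\s+create", re.I)),
]

# Clear-text credentials visible on the command line (psexec < 2.1, wmic /password:)
PSEXEC_CREDS = re.compile(r"-u\s+(\S+)\s+-p\s+(\S+)", re.I)
WMIC_CREDS = re.compile(r'/user:"?([^"\s]+)"?\s+/password:"?([^"\s]+)"?', re.I)
# Remote target: UNC host for psexec (\\host) or /node: for wmic
TARGET = re.compile(r'\\\\([\w.-]+)|/node:"?([\w.-]+)"?', re.I)


def analyze(events):
    """Return (findings, accounts, exposed).

    findings: list of (host, rule name), one per record and rule that matched
    accounts: user -> set of remote hosts that user was used against
    exposed:  user -> clear-text password seen on a command line
    """
    findings = []
    accounts = defaultdict(set)
    exposed = {}
    for host, image, cmdline in events:
        for name, rx in RULES:
            if rx.search(cmdline) or rx.search(image):
                findings.append((host, name))
        for rx in (PSEXEC_CREDS, WMIC_CREDS):
            m = rx.search(cmdline)
            if m:
                user, password = m.group(1), m.group(2)
                exposed[user] = password
                for unc, node in TARGET.findall(cmdline):
                    accounts[user].add(unc or node)
    return findings, dict(accounts), exposed


# Constructed records. WS07 is a clean host; WS01 shows the chain from the post.
EVENTS = [
    ("WS07", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL"),
    ("WS01", r"C:\Windows\System32\rundll32.exe",
     r'C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1'),
    ("WS01", r"C:\Windows\dllhost.dat",
     r'C:\Windows\dllhost.dat \\10.0.0.12 -accepteula -s -d -u CORP\svc_backup -p Winter2017! '
     r'C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1'),
    ("WS01", r"C:\Windows\System32\wbem\WMIC.exe",
     r'wmic /node:"10.0.0.15" /user:"CORP\svc_backup" /password:"Winter2017!" '
     r'process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"'),
    ("WS01", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'),
]

if __name__ == "__main__":
    findings, accounts, exposed = analyze(EVENTS)
    for host, rule in findings:
        print(f"{host}: {rule}")
    for user, targets in accounts.items():
        print(f"credential {user!r} used against {sorted(targets)}; password on command line: {user in exposed}")
```

The credential harvest is the part worth keeping after the outbreak: every account that appears in `exposed` was dumped from LSASS on an infected host and replayed in the clear, so it must be reset regardless of whether the targets in `accounts` were actually reached.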
  4. I received the following in an email from a security researcher who owns his own company and is nationally known but probably wouldn't like having his company or name associated with nsane, so I will not include that information. But the information in the email is accurate and has been verified by multiple security professionals.

     Email:

     NotPetya is a destructive disk wiper similar to Shamoon, which has been targeting Saudi Arabia in the recent past. Note that Shamoon actually deleted files; NotPetya goes about it slightly differently: it does not delete any data but simply makes it unusable by locking the files and then throwing away the key. The end result is the same. Someone is hijacking known ransomware families and using them to attack Ukrainian computer systems. Guess who. You never had a chance to recover your files. There are several technical indicators that NotPetya was only made to look like ransomware as a smoke screen:

     1. It never bothers to generate a valid infection ID
     2. The Master File Table gets overwritten and is not recoverable
     3. The author of the original Petya also made it clear NotPetya was not his work

     This has actually happened earlier. Foreshadowing the NotPetya attack, the author of the AES-NI ransomware said in May he did not create the XData ransomware, which was also used in targeted attacks against Ukraine. Furthermore, both XData and NotPetya used the same distribution vector, the update servers of a Ukrainian accounting software maker.

     Catalin Cimpanu, the Security News Editor for BleepingComputer, stated: "The consensus on NotPetya has shifted dramatically in the past 24 hours, and nobody would be wrong to say that NotPetya is on the same level with Stuxnet and BlackEnergy, two malware families used for political purposes and for their destructive effects. Evidence is clearly mounting that NotPetya is a cyber-weapon and not just some overly-aggressive ransomware."
  5. Don't touch that email! London uni fears 0-day used to cram network with ransomware

     Antivirus didn't pick up software nasty, say UCL IT peeps

     University College London is tonight tackling a serious ransomware outbreak that has scrambled academics' files. It is feared the software nasty is exploiting a zero-day vulnerability, or is a previously unseen strain of malware, as antivirus defenses did not spot it in time. Eggheads at the UK uni are urged not to open any more email attachments, which may be booby-trapped with the ransomware.

     The UCL Information Services Division (ISD) said it had locked down access to the shared and networked drives that have been under siege from the malware since it began infecting users around midday Wednesday via an email message.

     "Currently it appears the initial attack was through a phishing email, although this needs to be confirmed," the ISD said. "It appears the phishing email was opened by some users around lunchtime today. The malware payload then encrypted files on local drives and network shared drives. The virus checkers did not show any suspicious activity and so this could be a zero day attack."

     Both the shared (S) and network (N) storage drive services have been suspended as the university works to stop the outbreak. Service is expected to be restored in read-only mode later this evening, UK time. The ISD said drives that have already been encrypted by the malware will be restored to their most recent backup once the infection is resolved. In the meantime, the university is warning all students and staff not to open any attachments or click links in emails, and to be wary of suspicious messages from contacts.

     "It is vital we all maintain a high level of vigilance when opening unexpected emails. If the email is unexpected or in any way suspicious, then you must not open any attachment or follow any link in the email," the ISD said. "Doing so may lead to loss of your data and very substantial disruption to the university."

     UCL said it will provide an update on the situation tomorrow.
  6. 1: Patch management for clients and servers

     Keeping current with Windows Updates ensures that your clients and servers will be patched against any known threats. Vulnerabilities that exist in the form of zero-days will not be covered since that is not possible, and yet the WannaCry infection managed to hit systems in more than 150 countries at an alarming rate, despite a patch having been readily available almost two months prior to the attack. With patch management playing such a crucial role in ongoing system protection, there is no end to the tools available to organizations, small, medium, or large, to help ensure that their systems are current. First-party tools available from Microsoft, such as Windows Server Update Services, which is included as a service of Windows Server, or System Center Configuration Manager (SCCM), can manage patches from deployment to remediation, with included reporting on the status of all managed devices for first- and third-party applications.

     2: Security software and hardware appliance updates

     As stated previously, each organization will have differing needs and resources available to best manage the network and its data. While some commonalities exist, such as firewalls and intrusion prevention systems (IPSes), these devices provide filtering of traffic at the ingress/egress of the network. Alongside firmware updates and signatures, these devices also offer manual configuration to better suit your network's protection requirements. Active monitoring of the health of these devices, along with updating configurations as necessary to match the network's needs, will enhance the network's security posture and help enable the security appliance to stave off attacks. While these devices may not necessarily be Windows-based, I included them here because of the real-world benefit they provide in helping to mitigate unauthorized network intrusions and to fend off attacks.

     3: Hardening device security

     Hardening clients and servers is imperative to limit the attack surface for internal or external attacks. The process of hardening a Windows client will differ from that for a Windows server, in that the aims of their use can vary drastically. By assessing what the devices will be used for, you can determine how the device should be locked down from a security standpoint. Keep in mind that any applications, services, and connected devices that are not needed or that are deprecated (such as the SMBv1 protocol that allowed the WannaCry exploit to proliferate) should be considered a potential attack vector that may be exploited and should be disabled immediately. Microsoft offers the Microsoft Baseline Security Analyzer (MBSA) for clients and servers alike to perform vulnerability assessments of devices and the services that run atop them. It also makes recommendations on how to harden them for the utmost security without compromising services. For newer OSes, such as Windows 10 and Windows Server 2012/2016, MBSA will still work, though it may be used in conjunction with the Windows Server Manager app to identify compliance with best practices, troubleshoot configuration errors, and identify operating baselines used to detect variations in performance, which may be an indicator of a compromised system.

     4: Data backup management

     Let's face it, a computer is only as reliable as the data it works with. If that data has become compromised, corrupt, or has otherwise lost its integrity, say through encryption by ransomware, it will cease to be useful or reliable. One of the best protections against ransomware in general is a good backup system. As a matter of fact, several backup systems are better still. Since data can be backed up to several different media at once, an incremental backup to a local drive that you can transport with you, alongside a constant backup to cloud storage with versioning support, and a third backup to a network server with encryption provides ample redundancy, so that if your local drive becomes compromised, you still have three possible data sets to recover from. The Backup and Restore utility native to Windows clients and servers provides a lightweight solution for backing up local data across multiple storage types. Meanwhile, OneDrive offers excellent cloud backup capability. Third-party software to centrally manage data backups across an organization or to/from the cloud is available from several providers as well.

     5: Encryption for data at rest and in motion

     Encrypting data on the whole will not prevent your computer from ransomware infections, nor will it prevent a virus from encrypting the already encrypted data should the device become infected. Be that as it may, some apps use a form of containerization to sandbox data that is encrypted, rendering it completely unreadable by any process outside the container application's API. This is extremely useful for data at rest since it prevents outside access unless it's through the designated application. But it does nothing for data in motion or data that is being transferred over the network. In cases where transmission is required, the de facto standard is virtual private networking (VPN), since it creates an encrypted tunnel through which to send and receive data, ensuring data is protected at all times.

     6: Secured network infrastructure configurations

     Unfortunately, the network is often set up and configured during the installation of new hardware and then left to operate unchecked until something fails. Networking equipment, including routers, switches, and wireless access points, requires updated firmware and proper configuration, along with proactive monitoring to address trouble points before they become full-blown issues. As part of the configuration process, an optimized network will be set up with Virtual LANs (VLANs) to segment traffic and should be managed to ensure that data gets where it needs to go in the most efficient manner possible. Another security benefit of VLANs is the ability to logically quarantine malicious traffic or infected hosts so that they can't spread the infection to other devices or parts of the network. This enables administrators to deal with compromised hosts without risk of spreading the infection, or to simply shut down the specific VLAN altogether to effectively cut off the device(s) from the internet until remediation has occurred.

     7: Network, security, acceptable use, and data recovery policies

     Policies are often used by larger organizations to enforce compliance with rules and regulations by their employees. However, besides being a document that dictates the rules of the workplace, policies can also serve as guidelines for end users to follow before an attack takes place and as a survival guide during and after an attack occurs. While policies do not inherently stop malware at a technical level, if written properly they can address known issues or concerns with respect to data security and arm employees with useful information that could prevent an infection from spreading. Policies may also direct them to provide feedback to IT support to remedy a reported issue before it becomes a larger problem. Policies should always be considered "drafts" in a sense. Technology is dynamic and ever changing, so the policies that are in effect must change too. Also, be mindful of any restrictions or regulations that may apply to your field. Depending on the industry, writing policies can get tricky and should be addressed with management (and perhaps legal) teams for accuracy and compliance.

     8: Change management documentation

     As with instituting policies, there is no direct correlation between documenting the change management process (or recording all changes to clients/servers, including patch deployment, software upgrades, and baseline analyses) and preventing ransomware outright. However, detailing changes made to system configurations, along with the other measures previously listed, can have a profound effect on IT's ability to respond to threats proactively or reactively. Furthermore, it allows for adequate testing and measurement of the results that any changes made to systems have on the services provided and on uptime. Lastly, it offers a record of the changes made (alongside their results), which administrators, contractors, and other support personnel can review to determine the cause of some issues or possibly address their recurrence in the future. For a comprehensive set of documentation to be useful, you need input from various support teams, including systems and network administrators, help desk staff, and management, to create a documentation process that is effective yet simple to follow and easy to manage.

     9: End-user training

     Never underestimate the value of proper training for all staff, not just IT. Protecting against malware is not solely IT's job. It's everyone's responsibility, since it affects everyone and can be brought on by essentially anyone at the organization. Considered a preventative measure, training that focuses on identifying possible malware attacks, such as phishing, can be an effective tool in preventing malware campaigns against your organization from compromising sensitive data. End-user training should center not just on identifying malware attack attempts, but should also cover mitigation techniques that users can take to prevent or slow down infections should they suspect their computers have been compromised. Finally, no training is complete without informing users about the organization's expectations with respect to their responsibility to report issues the instant they spot something out of the norm.

     10: Risk management assessments

     The aim of a risk assessment (RA) and risk management (RM) process is to identify internal and external threats (also called hazards) and the equipment and services that are affected by them, as well as to analyze their potential impact. The management portion of RA involves evaluating this data to prioritize the list of risks and identify the best plan of action for mitigating them. RA and RM can help you pinpoint the trouble spots and implement an ongoing plan to prevent these issues from negatively affecting your organization. At the very least, RA/RM allows IT to focus its efforts on aligning the company's resources with the devices that pose the greatest threat if compromised, such as mission-critical systems. This process enables IT, management, and compliance/regulation entities to best determine the path forward in identifying equipment, mitigating hazards, determining the order in which to resolve threats, and evaluating the assessment itself so that procedures can be updated and corrective actions modified as risks change over time.
  7. Bitdefender 2017 Build 21.0.25.92

     Overview:
     The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward BitDefender's outstanding results through numerous prizes and certifications are: Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark, PC World Top 100, just to name a few.

     Homepage: https://www.bitdefender.com/
     Changelog: https://forum.bitdefender.com/index.php?/topic/76152-latest-changelog/

     A new Bitdefender Classic Line product update has been released with the following details:

     Affected software:
     Bitdefender Total Security 2017
     Bitdefender Internet Security 2017
     Bitdefender Antivirus Plus 2017

     Platform: x86, x64
     Version: 21.0.25.92

     This version fixes the following issues:
     • Bitdefender Device Management would fail to connect with Windows

     KB is unavailable at this time.

     Downloads:

     Online Installers:

     Bitdefender Antivirus Plus 2017 21.0.25.92
     Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
     XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe

     Bitdefender Internet Security 2017 21.0.25.92
     Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
     XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe

     Bitdefender Total Security 2017 21.0.25.92
     Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
     XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe

     Offline Installers and Install Guide:

     Checksum - 30 May 2017 Offline Installer Update:

     bitdefender_ts_21_32b.exe (application/octet-stream) - 361535368 bytes
     MD5: 7953aad2edffcfcb19ed2eb4873627a7
     SHA-1: 28c8aacf2aeb45345e8c9cdf34498dd8b0b5e1f0
     SHA-256: 2da353fb0074db3fa0fd30c598e90817b3e43a85b4ff2fff9890636e97d1c2c4
     SHA-384: c33279fd5c06f9a0e357e1e542a83f2964c84f409c419f59a8144c16fa73af539909b26928285ddf2f68c14702778245
     SHA-512: ea2a46c91ebfdeade38d9da8cf53b33f3b1407ea83d18e0b5c20185820510b4c6a00ef4b15746599f9aef3dc34039c8f352ee1a32c052e5c3c1552a281c749ae

     bitdefender_ts_21_64b.exe (application/octet-stream) - 387255184 bytes
     MD5: f9cf114359ad76ad95216b43b722a016
     SHA-1: 24c67202d6a92d488111aca6952b5b3d2d0a9822
     SHA-256: 607999fb8be6a6d3322922548007258d19bdd2e046812ad47bde3186f66801ef
     SHA-384: a0597b34674815703d3ba192582e297fdbe830bed3faff85ddb1e295879390e5b1d6a2339986fae9a401d13affdd27ac
     SHA-512: d82fe9b728c14dd3685d52fff2d2e58acaf522f4e71a60cb36b95dda178348f60448b47509ebee5782d1f5cb12d6ff4237b404bc8f1fb024dcf976badd3717ea

     Bitdefender 2017 Offline Installation Guide:
  8. A self-proclaimed member of the Anonymous hacker collective is behind a campaign to spread the Houdini RAT and is currently looking into deploying the MoWare H.F.D ransomware. The name of this "hacker" is Mohammed Raad, according to his Facebook profile, but he also goes online by the nickname of "vicswors baghdad," according to his Facebook, Twitter, Google+, and YouTube profiles. While there are countless of people who download and fool around with malware kits, Recorded Future claims this actor took it one step further by launching real-world campaigns. Recorded Future: Raad behind some Houdini campaigns Raad's actions would have gone unnoticed if he wouldn't have weaponized and started distributing Houdini (or H-worm), a VBScript-based RAT that was created and first spread in 2013. His biggest mistake was by using PasteBin to store the RAT's main body, a VBScript file. Because threat intelligence firm Recorded Future regularly scrapes and archives PasteBin uploads, his actions were uncovered earlier this month, after experts observed an overall increase in VBScripts posted on online paste sites. Analyzing this surge, experts realized that most of the scripts were the Houdini VBScript. Analyzing the data, they identified three spikes of activity in August 2016, October 2016, and March 2017. Recorded Future experts believe an infected computer would download the VBScript from the paste site, which would later connect to a C&C server and gain persistence on the infected host by setting up a local folder and registry key. Raad registered a C&C domain under his real name To find more details on who was behind this surge in VBScripts on paste sites, researchers took a look at all the C&C server URLs found inside the Houdini scripts. This search identified C&C servers hosted on 105 subdomains for dynamic DNS providers (ddns.net, no-ip.com, etc.), but also one clear net domain. That domain was microsofit[.]net, which was registered by Raad. 
At this point, researchers realized that many of the other 105 dynamic DNS subdomains were variations on this actor's name, using either Raad or the word Mohammed in the subdomain name (mohammadx47.ddns.net; mohamedsaeed.ddns.net; etc.). It didn't take long for researchers to find Raad's social media profiles, where they found his affiliation with the Anonymous hacker collective, his inclination for dabbling in malware, and messages through which he entered promotions for the dynamic DNS services he used in the C&C server infrastructure.
Raad is playing around with ransomware
Furthermore, they found comments made by Raad on a YouTube video advertising the MoWare H.F.D ransomware, asking the author for a copy of the ransomware package. A few days later, Raad posted an image on Facebook showing the MoWare ransomware source code, implying that he had received a copy and was currently editing the code. There is no evidence the author released his ransomware in the wild. Raad's social media profiles suggest he's an Iraqi national living in Munich, Germany. Raad did not respond to a request for comment from Bleeping Computer in time for this article's publication.
Other actors leveraging paste sites
According to Recorded Future experts, malware authors are increasingly abusing paste sites as cogs in their malware distribution campaigns. A day before the report unmasking Raad's activity, Recorded Future experts uncovered the activity of another crook, going by the names Leo and wzLeonardo. Experts say Leo was using a VBScript hosted on Pastebin that, when executed, would install the njRAT remote access trojan on the victim's computer, while also downloading encrypted RAT strings stored on HasteBin, another paste site. Recorded Future believes Leo is based either in Brazil or Tunisia. Source
  9. Microsoft remains a strong brand despite WannaCry
Many blamed Microsoft for the recent WannaCry ransomware fiasco, claiming the software giant should continue providing support for Windows XP and deliver patches for all Windows versions faster, but despite all this criticism, Microsoft remains a well-loved brand. Or at least, this is what a new survey conducted by Morning Consult reveals, with 83 percent of the respondents still viewing the brand favorably a week after the WannaCry outburst started. There are indeed 57 percent of users who said they were concerned about Microsoft products in the future after WannaCry, but on the other hand, 22 percent of them said they weren’t too concerned despite the risks of getting infected. 8 percent pointed out they weren’t concerned at all. The good news for Microsoft is that 39 percent of the people who participated in the survey claimed they still planned to buy Microsoft products, while only 25 percent said they would have second thoughts when facing such a decision.
Windows 7, biggest victim of WannaCry
Furthermore, a total of 8 percent of the respondents say they are “much more likely” to purchase Microsoft products in the future given the quick reaction of the company to the ransomware, while another 9 percent explained they are “much less likely” to do it. “The strength of Microsoft’s brand leaves it largely unscathed by the recent security issue — unlike its tech industry peer Yahoo Inc. After disclosing its own data breach, Yahoo’s favorability fell 10 percentage points, polling shows,” Morning Consult says. “Safety appears to be a top priority for people: Most of those surveyed say they are quick to download the latest security updates and have various passwords across platforms.” For what it’s worth, Windows XP wasn’t the biggest victim of the WannaCry ransomware, but Windows 7, which actually got patches from Microsoft earlier this year on Patch Tuesday.
This means that most of the systems that were infected were actually outdated, either due to pirated licenses or because system administrators blocked updates from installing for various reasons. Source
  10. According to a linguistic analysis of the WannaCry ransom notes, the ransomware appears to be the work of a Chinese-speaking author, according to Jon Condra and John Costello, two Flashpoint researchers. After analyzing each of WannaCry's localized ransom notes, available in 28 different languages, the two feel pretty confident the ransom note was written by persons fluent in Chinese, but also in English.
Two ransom note templates discovered: English & Chinese
In fact, researchers say that there appear to be two ransom notes at the base of all other WannaCry notes. There is one written in Chinese, and one in English, which was used as the template for the other ransom notes. Flashpoint researchers say that if someone were to take the text of the WannaCry English ransom note and pass it through Google Translate, he'd get translations that are on average 95% identical to the ransom notes found in the real WannaCry package. This has led researchers to believe that the WannaCry author — or authors — used the English note as a boilerplate for the other languages, except Chinese. This is because Google Translate yields better translations from English to other languages. On the other hand, translating between other languages gives many errors and inaccurate translations.
WannaCry Chinese ransom notes are different from the rest
But the reason why Flashpoint researchers believe WannaCry is the work of a Chinese-speaking user is because of the two Chinese ransom notes — Simplified and Traditional — which are lengthier, differ in format compared to the English version, and are written by a person knowledgeable of the intricacies of the Chinese language. Below are the key findings of the Flashpoint research: On the other hand... So there you have it. It's now up to you to decide if you believe the North Korean attribution angle, or this new theory hinting that a Chinese-speaking user/group was behind the ransomware.
WannaCry ransom notes support the following languages: Source
  11. WannaCry - close to 400 samples found in the wild
WannaCry is one of the worst pieces of malware out there, mostly because it mixes a ransomware element with a worm component that helped it spread like wildfire. So far, close to 400 malware samples have been discovered in the wild. Security researchers from Trustlook have announced that, by their count, 386 WannaCry malware samples have been recorded to date. Despite there being just a little over a week since WannaCry hit the news, infecting some 300,000 devices in 150 countries, hackers seem to have flexed their muscles quite a bit. As you know, WannaCry uses two NSA hacking tools disclosed after hacker group Shadow Brokers dumped classified documents online. EternalBlue is a tool that takes advantage of a Windows vulnerability, while DoublePulsar helps it spread through networks. The Windows vulnerability has since been patched and users are advised to update their systems if they haven't done so already, as well as to install a security solution on their devices. It is believed that the original WannaCry infections didn't stem from someone carelessly falling for a phishing email scheme, but rather from the attackers scanning for open ports. As mentioned above, Microsoft has released a patch and created one even for Windows XP, which had been discontinued and was no longer receiving security updates. It was believed that many of those infected were actually using XP, but later data shows that the truth was quite far from that and that most of the devices that fell prey to WannaCry were running Windows 7.
The long list of consequences
The NSA dump has quite a lot of consequences and they're only going to become more apparent. WannaCry was just the start, complete with its 386 samples. A new worm was discovered by researchers, called EternalRocks, which uses seven NSA hacking tools, compared to the two used by WannaCry.
Thus far, EternalRocks has not been weaponized with any type of malware, trojan and so on, but this can be done at any time. Source
  12. I think everybody knows now what's going on in the world by the name of WannaCry. My friends have been the victims of this too. So just wondering if there are more here? And also if someone can help prevent it? Tips?
  13. Ransomware decrypts Taiwanese netizen's computer due to his low income
Netizen e-mailed the help line of ThunderCrypt because he couldn't afford the ransom
TAIPEI (Taiwan News) -- On May 4, a Taiwanese netizen emailed the helpline of ThunderCrypt ransomware after his PC got infected, and said that he only makes $400 monthly, and he couldn't afford the 0.345 bitcoin he was asked to pay. His files were later decrypted by the helpline because they realized they had largely overestimated the nation's income. A Breaking News Commune (爆料公社) member posted images of email correspondence between a netizen and an apparent representative of the ransomware ThunderCrypt on May 15. The netizen was asked to pay 0.345 bitcoins after the ransomware locked down all the files on his infected computer; he wrote an email to the customer service with the title “I only make US$400 a month, you really wanna do this to me?” saying that he could not afford the ransom to decrypt his computer. ThunderCrypt responded to his message and told the netizen that they had switched it to decryption mode and would start to unlock his computer automatically soon. It also admitted that their Taiwanese campaign was a failure because they “largely overestimated” the average income of the nation. On Friday May 12, a similar ransomware was launched called WannaCry, also known as Wanna Decryptor or wcry, which affected more than 100,000 organizations in 150 countries with Taiwan among the top targets.
  14. Master Keys for Wallet Ransomware Posted to BleepingComputer Forums (May 18, 2017) Decryption keys for Wallet ransomware have been posted to the BleepingComputer online forums. It is not clear exactly why the malware creators have released the keys. The ransomware family of which Wallet is a part often releases keys when it has switched to a new extension. The attackers may also have surmised that they are not going to make any more money from that particular variant. Source
  15. Numbers released by Kaspersky Lab on Friday reveal that over 98% of all documented WannaCry infections were running versions of the Windows 7 operating system. Out of all Windows 7 users, the worst hit were users running Windows 7 64-bit edition, accounting for more than 60% of all infections. The second and third most targeted OS versions were Windows Server 2008 R2, and Windows 10, respectively.
So! XP wasn't to blame after all
The statistics come to disprove the popular belief that WannaCry hit mostly Windows XP machines. "The Windows XP count is insignificant," said Costin Raiu, director of Global Research and Analysis Team at Kaspersky Lab. To infect all these computers, the WannaCry ransomware used an SMB worm that spread on its own to new computers that ran vulnerable SMB services. That SMB worm was powered by an exploit named ETERNALBLUE. The exploit is part of a collection of hacking tools a group of hackers calling themselves The Shadow Brokers have stolen from the NSA and leaked online in April 2017.
ETERNALBLUE never worked properly on XP, only on Windows 7
Initial analysis of ETERNALBLUE revealed the worm could run on platforms from Windows XP up to Windows 8.1 and Server 2012. It was during the WannaCry outbreak that researchers discovered the worm only worked reliably on Windows 7, causing errors on other platforms, including Windows XP, which most infosec talking heads falsely blamed for most WannaCry infections. Following this discovery, a user has patched the ETERNALBLUE exploit to work without errors on 64-bit editions of Windows 8/8.1 and Windows Server 2012. Currently, WannaCry's worm modules are still searching for new victims. The latest tally of computers that have been touched by this worm is 416,989, albeit not all computers have had their files encrypted, as WannaCry's ransomware payload has been defanged by a clever British researcher.
Bleeping Computer has reached out to Kaspersky Lab to inquire why we see Windows 10 machines in the chart, and about any possible scenarios that WannaCry could have used to infect those systems. Article source
  16. Windows XP still has a market share of 7 percent
The WannaCry ransomware outburst that started last week compromised a total of 1,500 Windows XP computers at NHS Scotland, Health Secretary Shona Robison revealed, adding that the organization still has some 6,500 PCs running the unsupported operating system. Speaking about the outcome of the WannaCry attack, Robison explained that systems running other versions of Windows were also compromised, including many powered by Windows Server 2003. “At the moment we understand mainly Windows 2007 and Windows 2003 devices were affected and only a small number of Windows XP devices were affected,” Robison said in a statement. “I know Windows XP has been an issue raised within the media. What I can say about that is there are approximately 6500 XP devices out of around 153,000 total devices, less than 5%.”
No patient data exposed
On the other hand, authorities in Scotland explain that no breaches of patient data were experienced and no information was stolen as part of the attack, as hackers only demanded a ransom payment to restore access to files. Robison went on to explain that the government is currently working on plans to prevent similar infections in the future, without revealing whether an upgrade from Windows XP to a supported operating system is planned or not. “Reviews are already underway to capture what can be improved to ensure that we reduce the chances of a similar attack happening in the future,” she said. Windows XP was launched by Microsoft in 2001 and has not received support since April 2014. XP was one of the versions targeted by WannaCry, with Microsoft itself deciding to roll out a patch, despite the operating system being unsupported, to prevent the ransomware from exploiting a known vulnerability in the OS. At this point, Windows XP has a global market share of 7 percent, but after the WannaCry fiasco, more users are likely to migrate to a newer operating system as soon as possible. Source
  17. The NHS has been hit by a major cyber attack, with hackers demanding a ransom. Hospitals are understood to have lost the use of phonelines and computers, with some diverting all but emergency patients elsewhere. At some hospitals patients are being told not to come to A&E, with all non-urgent operations cancelled. Several hospital trusts and GP surgeries are reporting problems, but the full scale of the problems is not yet known. NHS hospitals across the North, East and West Midlands, and London are reporting IT failures, in some cases meaning there is no way of operating phones or computers. At Lister Hospital in Stevenage, the telephone and computer system has been fully disabled in an attempt to fend off the attack. Patients have been told not to come to A&E and all non-urgent appointments and operations have been cancelled. East and North Hertfordshire NHS trust said in a statement: “Today the trust has experienced a major IT problem, believed to be caused by a cyber attack. “The trust is postponing all non-urgent activity for today and is asking people not to come to A&E - please ring NHS111 for urgent medical advice or 999 if it is a life-threatening emergency. “To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust’s hospitals continued to receive the care they need.” Health officials are understood to have declared a major incident and ordered a meeting of national resilience teams. NHS Digital said: “We’re aware that a number of trusts have reported potential issues to the CareCERT team. We believe it to be ransomware.” There are reports that trusts affected include East and North Hertfordshire, North Cumbria, Morecambe Bay hospitals, Blackpool, and Barts Health in London. A number of GP surgeries also say they are unable to use their systems.
One source told Health Service Journal that multiple trusts had been affected by a suspected malware attack around 1.30pm. They said trusts had their computer systems almost entirely shut down. Services affected are thought to include picture archiving communication systems for x-ray images, pathology test results, phone and bleep systems and patient administration systems. The source added: “This will mean delays and a focus on the sickest patients. I’ve seen it once before and we relied on local trusts supporting each other. If truly widespread then that’ll not be an option.”
  18. A new strain of ransomware has recently been discovered, which employs old tactics by cybercriminals, but still takes advantage of the rapid rise of the value of Bitcoin. Dubbed "Jaff", the malware was detected by MalwareHunterTeam. It was found to be distributed via the Necurs botnet, which is an infamous distributor of malware like Locky, which it closely resembles. Like many ransomware strains, it employs the classic technique of sending spam emails that are designed to look important to the receiver.
Macro used as decoy by cybercriminals | via Malwarebytes Labs
A PDF file will be downloaded, which will subsequently open a .docm Word file. At this point, the document will ask the receiver to click "Enable Content" to reveal the message. However, doing so will start the file's dirty work. According to BleepingComputer, it will begin to gather information about the user, and then execute a number of files. Moreover, once the Jaff installer is executed, this will start the encryption process, which will lock a large number of files, appending ".jaff" to all of them, preventing proper access. Once this process is done, a lock screen will be displayed, asking victims to go to a Tor website to find out how they can decrypt their files. The ransomware is demanding 2 bitcoins, which is currently equal to roughly $3,600. Unfortunately, according to an analysis conducted by Fabian Wosar of Emsisoft, there is no known way of decrypting infected files without paying the ransom. Many ransomware variants are known to exploit Word/Excel macros, as cybercriminals can easily make receivers believe that a sensitive document has been sent to them, making it easy to enable the content and launch the doom within. Despite this, this ransomware is a good reminder to be careful of our activities on the internet, as cybercriminals are now getting more creative to trap victims, aiming to drain them of their hard-earned money. Source
  19. Updated systems have the patches to block the ransomware, Microsoft says
WannaCry is becoming the largest ransomware infection in history with attacks now expanding from Europe to the United States, but Microsoft says that users who are running a fully up-to-date Windows 10 system with Windows Defender running the latest virus definitions are completely secure. The infection has already made lots of high-profile victims in Europe, including the British National Health System (NHS) and other organizations in Spain, and the exploits seem to be based on a leaked NSA vulnerability that reached the web last month. At that point, security experts warned of imminent attacks on Windows systems due to what seemed to be unpatched zero-days in the operating system, but Microsoft played down all these claims, saying that users running the latest patches were fully secure. The same is happening this time as well, as Microsoft says that Windows users (regardless of their Windows version as long as they’re still supported – so Windows 7, 8.1, or 10) with the most recent updates installed (May 2017) and with the latest Windows Defender virus definitions are not vulnerable to attacks launched with this new form of ransomware.
Windows XP users completely vulnerable
On the other hand, WannaCry can still make millions of victims due to the fact that Windows XP and Windows Vista are still running on a hefty share of desktops out there, with both operating systems no longer receiving updates and security patches from the company. Third-party market share data puts Windows XP at nearly 7 percent market share, and the NHS itself has previously been criticized for still running this unsupported Windows version on its systems. Updates for Windows XP have not been released since April 2014. The WannaCry ransomware locks down computers and requires a ransom of $300 in Bitcoin.
The attacks are believed to be based on a vulnerability discovered by the NSA and which was leaked to the web by Shadow Brokers last month. Once again, it’s critical for both home users and organizations to bring their systems fully up-to-date as soon as possible, especially because the number of attacks is growing with every minute and is now expanding to new regions. Source
  20. Amnesia ransomware has a decryption tool now
A new decryption tool for ransomware victims has been released, this time for those affected by the Amnesia Ransomware. Over the weekend, Emsisoft announced they had a new decryptor ready for Amnesia, a ransomware that was spotted just earlier this month. According to the company's CTO and malware researcher Fabian Wosar, the malware has had another variant released called CryptoBoss. This new family of ransomware was named Amnesia based on the extension that gets added to encrypted files by the first variant (.amnesia). The CryptoBoss variant has yet to get a decryptor, but researchers are working on it. Amnesia victims, however, are lucky to get this tool to use. The ransom note can be found in each folder that holds an encrypted file. "HOW TO RECOVER ENCRYPTED FILES.TXT" is the name of the file which contains a personal ID, which should be included in an email sent to a certain address included in the file.
How does it work?
In order to decrypt your files, you need to download the decryptor first. In order for the decryptor to work, you need both the encrypted and unencrypted version of a file, and you drag and drop them on the executable. A good way to find a pair of files to use is to look for the sample pictures found in the default Windows folders. It may take a while until the decryptor discovers the key that was used to encrypt all the files, but it can then be used to fix all the files on your computer. The decryptor will automatically display a list of drives that will be decrypted and if there are any left out, you can add them on your own. Once everything is there, you can click the Decrypt button to start the process and you'll see each file get listed as it gets fixed. The encrypted files may still be on your computer, so you'll have to make sure you've already properly decrypted all the files before removing or archiving the affected files. Source
  21. A new Ransomware-as-a-Service has become available on the Dark Web, named FrozrLock, available for only $220, and advertised under the tagline of "great security tool that encrypts most of your files in several minutes." Bleeping Computer received a tip about FrozrLock’s existence from security researcher David Montenegro, and with help from Avast security researcher Jakub Kroustek, we were later able to tie it to previous ransomware infections as early as April 16. “First detections were from Russia, without making any conclusions about its origin,” Kroustek said in a private conversation. “[It was] spreading via JS downloaders named as Contract_432732593256.js,” he said. At the time, the ransomware had no name, but we called it AutoDecrypt in the Weekly Ransomware round-up of that week, based on the name of its decrypter. In the meantime, more details have surfaced. Below is the homepage of the FrozrLock RaaS in full. Based on the details listed on the homepage, we extracted the following FrozrLock features (not confirmed):
• Coded in C#
• Multi-threaded
• Supports .NET > 4.5
• Automatically deletes loader after infecting victim
• Doesn’t alter file extensions
• Self-deletes after payment was received
• All ransomware builds are obfuscated on the RaaS server and offered for download to customers
• Tor-based control panel
• Customers get unlimited rebuilds
• Ransomware uses unique keys for each encrypted file
• Can use Twofish256, AES256, and RSA4096 encryption
Wannabe crooks who had their interest piqued by this offering must register on the site to gain access to an account. Once they’ve created an account, they’re granted access to the ransomware’s web-based builder interface. To use the builder and produce fully-working ransomware, clients must buy a license, currently worth 0.14 Bitcoin (around $220). The ransomware’s evolution is also recorded in a professional-looking changelog.
The homepage lists the FILE FROZR name, but once users register and buy a license, the dashboard displays the FrozrLock name instead. Below is an image of the FrozrLock customer dashboard where customers can monitor infections.
FrozrLock decrypter - auto
FrozrLock decrypter - manual
FrozrLock decrypter - alternate manual
A typical ransom note shown by a FrozrLock ransomware variant looks like the image below. FrozrLock's author(s) declined to comment for this article. SHA256 hash: 2aa4c7708a49a6f1f462f96002dd2ce6fd27c7daf69647162116919b2df5abcd Source
  22. Bitdefender 2017 Build 21.0.25.84
Overview: The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward Bitdefender's outstanding results through numerous prizes and certifications are: Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark, PC World Top 100, just to name but a few.
Homepage: https://www.bitdefender.com/
Changelog: https://forum.bitdefender.com/index.php?/topic/75881-latest-changelog/
A new Bitdefender Classic Line product update has been released with the following details:
Affected software: Bitdefender Total Security 2017, Bitdefender Internet Security 2017, Bitdefender Antivirus Plus 2017
Platform: x86, x64
Version: 21.0.25.84
This version fixes the following issues:
• Rare issue where the Virus Shield would report an invalid current state 0
• Rare issue where the interface would go transparent while connected via RDP
• Firewall crash caused by late BFE startup
• Widget not saving its position after reboot
The following improvements were included:
• Added support for Korean and Vietnamese
• Product interface fixes and improvements
• Interface functionality
• Rescue mode changed to Rescue Environment under Windows 10
• SafePay's ability to handle foreign languages
• File Shredder engine functionality
• Event engine functionality
• Update engine functionality
• Agent's functionality
• Wallet's compatibility with several websites
• Wallet's ability to handle browser extensions
• Product stability
KB is unavailable at this time.
Downloads:
Online Installers:
Bitdefender Antivirus Plus 2017 21.0.25.84
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe
Bitdefender Internet Security 2017 21.0.25.84
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe
Bitdefender Total Security 2017 21.0.25.84
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe
Offline Installers and Install Guide: Bitdefender 2017 Offline Installation Guide:
  23. Bitdefender 2017 Build 21.0.25.80
Overview: The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward Bitdefender's outstanding results through numerous prizes and certifications are: Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark, PC World Top 100, just to name but a few.
Homepage: https://www.bitdefender.com/
Changelog: https://forum.bitdefender.com/index.php?/topic/75881-latest-changelog/
A new Bitdefender Classic Line product update has been released with the following details:
Affected software: Bitdefender Total Security 2017, Bitdefender Internet Security 2017, Bitdefender Antivirus Plus 2017
Platform: x86, x64
Version: 21.0.25.80
This version fixes the following issues:
• Rare issue where the Virus Shield would report an invalid current state 0
• Rare issue where the interface would go transparent while connected via RDP
• Firewall crash caused by late BFE startup
• Widget not saving its position after reboot
The following improvements were included:
• Added support for Korean and Vietnamese
• Product interface fixes and improvements
• Interface functionality
• Rescue mode changed to Rescue Environment under Windows 10
• SafePay's ability to handle foreign languages
• File Shredder engine functionality
• Event engine functionality
• Update engine functionality
• Agent's functionality
• Wallet's compatibility with several websites
• Wallet's ability to handle browser extensions
KB is unavailable at this time.
Downloads:
Online Installers:
Bitdefender Antivirus Plus 2017 21.0.25.80
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe
Bitdefender Internet Security 2017 21.0.25.80
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe
Bitdefender Total Security 2017 21.0.25.80
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe
Offline Installers and Install Guide: Bitdefender 2017 Offline Installation Guide:
  24. Trustlook says a big part of ransomware victims pay the fees
About 40% of ransomware victims pay to get their devices unlocked as more and more people get affected by such schemes. According to new research from cybersecurity firm Trustlook, it's not just businesses that are threatened by ransomware, but also random, regular Internet users. The latter, it seems, are easier targets and have fewer resources than major companies to combat criminals, which is why they are the most likely to comply with the demands of these cyber criminals. Trustlook's report indicates that about 17% of consumers have, by this point, been infected with ransomware. 38% of all affected consumers have chosen to pay the ransom, which regularly ranges between $100 and $500, more often than not expressed in Bitcoin. On the other hand, those who have not yet been affected by ransomware present a tough stance, as only 7% say they would pay the fees.
The unknown danger
Despite the growing popularity of ransomware among cybercriminals who see it as a way to make a quick buck, nearly half of all consumers have not even heard of ransomware before. Furthermore, 48% of consumers aren't even worried about becoming a victim of a ransomware attack. On the upside, people seem to be cautious with their data, backing up the files on their computer or mobile device, with only 23% of consumers forgoing this detail. "Backup your data to multiple devices, and to at least one device that is not connected to a network. Also, be cautious of emails by checking the sender's email address before clicking any link," says Allan Zhang, co-founder and CEO of Trustlook. His advice comes in handy, especially since most ransomware is spread via email phishing schemes. When it comes to mobile ransomware, installing apps from the main app stores instead of going to third-party stores should do the trick. While some infected apps sometimes pass under the radar of Google, for instance, such instances are rare. Source