Showing results for tags 'ransomware'.

Found 251 results

  1. WannaCry - close to 400 samples found in the wild

     WannaCry is one of the worst pieces of malware out there, mostly because it mixes a ransomware element with a worm component that helped it spread like wildfire. So far, close to 400 malware samples have been discovered in the wild. Security researchers from Trustlook have announced that, by their count, 386 WannaCry malware samples have been recorded to date. Despite there being just a little over a week since WannaCry hit the news, infecting some 300,000 devices in 150 countries, hackers seem to have flexed their muscles quite a bit.

     As you know, WannaCry uses two NSA hacking tools disclosed after the hacker group Shadow Brokers dumped classified documents online. EternalBlue is a tool that takes advantage of a Windows vulnerability, while DoublePulsar helps it spread through networks. The Windows vulnerability has since been patched and users are advised to update their systems if they haven't already done so, as well as to install a security solution on their devices. It is believed that the original WannaCry infections didn't stem from someone carelessly falling for a phishing email scheme, but rather from the attackers scanning for open ports.

     As mentioned above, Microsoft has released a patch and created one even for Windows XP, which had been discontinued and was no longer receiving security updates. It was believed that many of those infected were actually using XP, but later data shows that the truth was quite far from that and that most of the devices that fell prey to WannaCry were running Windows 7.

     The long list of consequences

     The NSA dump has quite a lot of consequences and they're only going to become more apparent. WannaCry was just the start, complete with its 386 samples. A new worm was discovered by researchers, called EternalRocks, which uses seven NSA hacking tools, compared to the two used by WannaCry. Thus far, EternalRocks has not been weaponized with any type of malware, trojan and so on, but this can be done at any time.

     Source
  2. I think everybody knows by now what's going on in the world by the name of WannaCry. My friends have been victims of this too. So just wondering if there are more here? And also if someone can help prevent it? Tips?
  3. Ransomware decrypts Taiwanese netizen's computer due to his low income

     Netizen e-mailed the help line of ThunderCrypt because he couldn't afford the ransom

     TAIPEI (Taiwan News) -- On May 4, a Taiwanese netizen emailed the helpline of ThunderCrypt ransomware after his PC got infected, and said that he only makes $400 monthly and couldn't afford the 0.345 bitcoin he was asked to pay. He later got decrypted by the helpline because they thought they had largely overestimated the nation's income.

     A Breaking News Commune (爆料公社) member posted images of email correspondence between a netizen and an apparent representative of the ransomware ThunderCrypt on May 15. The netizen was asked to pay 0.345 bitcoins after the ransomware locked down all the files on his infected computer. He wrote an email to customer service with the title “I only make US$400 a month, you really wanna do this to me?”, saying that he could not afford the ransom to decrypt his computer.

     ThunderCrypt responded to his message and told the netizen that they had switched it to decryption mode and would start to unlock his computer automatically soon. It also admitted that their Taiwanese campaign was a failure because they “largely overestimated” the average income of the nation.

     On Friday May 12, a similar ransomware was launched called WannaCry, also known as Wanna Decryptor or wcry, which affected more than 100,000 organizations in 150 countries, with Taiwan among the top targets.
  4. Master Keys for Wallet Ransomware Posted to BleepingComputer Forums (May 18, 2017) Decryption keys for Wallet ransomware have been posted to the BleepingComputer online forums. It is not clear exactly why the malware creators have released the keys. The ransomware family of which Wallet is a part often releases keys when it has switched to a new extension. The attackers may also have surmised that they are not going to make any more money from that particular variant. Source
  5. Numbers released by Kaspersky Lab on Friday reveal that over 98% of all documented WannaCry infections were running versions of the Windows 7 operating system. Out of all Windows 7 users, the worst hit were users running Windows 7 64-bit edition, accounting for more than 60% of all infections. The second and third most targeted OS versions were Windows Server 2008 R2 and Windows 10, respectively.

     So! XP wasn't to blame after all

     The statistics come to disprove the popular belief that WannaCry hit mostly Windows XP machines. "The Windows XP count is insignificant," said Costin Raiu, director of Global Research and Analysis Team at Kaspersky Lab. To infect all these computers, the WannaCry ransomware used an SMB worm that spread on its own to new computers that ran vulnerable SMB services. That SMB worm was powered by an exploit named ETERNALBLUE. The exploit is part of a collection of hacking tools that a group of hackers calling themselves The Shadow Brokers stole from the NSA and leaked online in April 2017.

     ETERNALBLUE never worked properly on XP, only on Windows 7

     Initial analysis of ETERNALBLUE revealed the worm could run on platforms from Windows XP up to Windows 8.1 and Server 2012. It was during the WannaCry outbreak that researchers discovered the worm only worked reliably on Windows 7, causing errors on other platforms, including Windows XP, which most infosec talking heads falsely blamed for most WannaCry infections. Following this discovery, a user has patched the ETERNALBLUE exploit to work without errors on 64-bit editions of Windows 8/8.1 and Windows Server 2012.

     Currently, WannaCry's worm modules are still searching for new victims. The latest tally of computers that have been touched by this worm is 416,989, albeit not all computers have had their files encrypted, as WannaCry's ransomware payload has been defanged by a clever British researcher. Bleeping Computer has reached out to Kaspersky Labs to ask why we see Windows 10 machines in the chart, and about any possible scenarios that WannaCry could have used to infect those systems.

     Article source
  6. Windows XP still has a market share of 7 percent

     The WannaCry ransomware outburst that started last week compromised a total of 1,500 Windows XP computers at NHS Scotland, Health Secretary Shona Robison revealed, adding that the organization still has some 6,500 PCs running the unsupported operating system. Speaking about the outcome of the WannaCry attack, Robison explained that systems running other versions of Windows were also compromised, including many powered by Windows Server 2003.

     “At the moment we understand mainly Windows 2007 and Windows 2003 devices were affected and only a small number of Windows XP devices were affected,” Robison said in a statement. “I know Windows XP has been an issue raised within the media. What I can say about that is there are approximately 6500 XP devices out of around 153,000 total devices, less than 5%.”

     No patient data exposed

     On the other hand, authorities in Scotland explain that no breaches of patient data were experienced and no information was stolen as part of the attack, as hackers only demanded a ransom payment to restore access to files. Robison went on to explain that the government is currently working on plans to prevent similar infections in the future, without revealing whether an upgrade from Windows XP to a supported operating system is planned or not. “Reviews are already underway to capture what can be improved to ensure that we reduce the chances of a similar attack happening in the future,” she said.

     Windows XP was launched by Microsoft in 2001 and has not received support since April 2014. XP was one of the versions targeted by WannaCry, with Microsoft itself deciding to roll out a patch, despite the operating system being unsupported, to prevent the ransomware from exploiting a known vulnerability in the OS. At this point, Windows XP has a global market share of 7 percent, but after the WannaCry fiasco, more users are likely to migrate to a newer operating system as soon as possible.

     Source
  7. The NHS has been hit by a major cyber attack, with hackers demanding a ransom. Hospitals are understood to have lost the use of phone lines and computers, with some diverting all but emergency patients elsewhere. At some hospitals patients are being told not to come to A&E, with all non-urgent operations cancelled. Several hospital trusts and GP surgeries are reporting problems, but the full scale of the problems is not yet known.

     NHS hospitals across the North, East and West Midlands, and London are reporting IT failures, in some cases meaning there is no way of operating phones or computers. At Lister Hospital in Stevenage, the telephone and computer system has been fully disabled in an attempt to fend off the attack. Patients have been told not to come to A&E and all non-urgent appointments and operations have been cancelled.

     East and North Hertfordshire NHS trust said in a statement: “Today the trust has experienced a major IT problem, believed to be caused by a cyber attack. “The trust is postponing all non-urgent activity for today and is asking people not to come to A&E - please ring NHS111 for urgent medical advice or 999 if it is a life-threatening emergency. “To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust’s hospitals continued to receive the care they need.”

     Health officials are understood to have declared a major incident and ordered a meeting of national resilience teams. NHS Digital said: “We’re aware that a number of trusts that have reported potential issues to the CareCERT team. We believe it to be ransomware.” There are reports that trusts affected include East and North Hertfordshire, North Cumbria, Morecambe Bay hospitals, Blackpool, and Barts Health in London. A number of GP surgeries also say they are unable to use their systems.

     One source told Health Service Journal that multiple trusts had been affected by a suspected malware attack around 1.30pm. They said trusts had their computer systems almost entirely shut down. Services affected are thought to include picture archiving communication systems for x-ray images, pathology test results, phone and bleep systems and patient administration systems. The source added: “This will mean delays and a focus on the sickest patients. I’ve seen it once before and we relied on local trusts supporting each other. If truly widespread then that’ll not be an option.”
  8. A new strain of ransomware has recently been discovered, which employs old tactics by cybercriminals, but still takes advantage of the rapid rise of the value of Bitcoin. Dubbed "Jaff", the malware was detected by MalwareHunterTeam. It was found to be distributed via the Necurs botnet, which is an infamous distributor of malware like Locky, which it closely resembles. Like many ransomware families, it employs the classic technique of sending spam emails that are designed to look important to the receiver.

     Macro used as decoy by cybercriminals | via Malwarebytes Labs

     A PDF file will be downloaded, which will subsequently open a .docm Word file. At this point, the document will ask the receiver to click "Enable Content" to reveal the message. However, doing so will start the file's dirty work. According to BleepingComputer, it will begin to gather information about the user, and then execute a number of files. Moreover, once the Jaff installer is executed, this will start the encryption process, which will lock a large number of files, appending ".jaff" to all of them, preventing proper access. Once this process is done, a lock screen will be displayed, asking victims to go to a Tor website to find out how they can decrypt their files. The ransomware is demanding 2 bitcoins, which is currently equal to roughly $3,600. Unfortunately, according to an analysis conducted by Fabian Wosar of Emsisoft, there is no known way of decrypting infected files without paying the ransom.

     Many ransomware variants are known to exploit Word/Excel macros, as cybercriminals can easily make receivers believe that a sensitive document has been sent to them, making it easy to enable the content and launch the doom within. Still, this ransomware is a good reminder to be careful of our activities on the internet, as cybercriminals are now getting more creative to trap victims, aiming to drain them of their hard-earned money.

     Source
  9. Updated systems have the patches to block the ransomware, Microsoft says

     WannaCry is becoming the largest ransomware infection in history with attacks now expanding from Europe to the United States, but Microsoft says that users who are running a fully up-to-date Windows 10 system with Windows Defender running the latest virus definitions are completely secure. The infection has already made lots of high-profile victims in Europe, including the British National Health System (NHS) and other organizations in Spain, and exploits seem to be based on a leaked NSA vulnerability that reached the web last month.

     At that point, security experts warned of imminent attacks on Windows systems due to what seemed to be unpatched zero days in the operating system, but Microsoft played down all these claims, saying that users running the latest patches were fully secure. The same is happening this time as well, as Microsoft says that Windows users (regardless of their Windows version as long as they’re still supported – so Windows 7, 8.1, or 10) with the most recent updates installed (May 2017) and with the latest Windows Defender virus definitions are not vulnerable to attacks launched with this new form of ransomware.

     Windows XP users completely vulnerable

     On the other hand, WannaCry can still make millions of victims due to the fact that Windows XP and Windows Vista are still running on a hefty share of desktops out there, with both operating systems no longer receiving updates and security patches from the company. Third-party market share data puts Windows XP at nearly 7 percent market share, and the NHS itself has previously been criticized for still running this unsupported Windows version on its systems. Updates for Windows XP have not been released since April 2014.

     The WannaCry ransomware locks down computers and requires a ransom of $300 in Bitcoin. The attacks are believed to be based on a vulnerability discovered by the NSA and which was leaked to the web by Shadow Brokers last month. Once again, it’s critical for both home users and organizations to bring their systems fully up-to-date as soon as possible, especially because the number of attacks is growing with every minute and is now expanding to new regions.

     Source
  10. Amnesia ransomware has a decryption tool now

      A new decryption tool for ransomware victims has been released, this time for those affected by the Amnesia Ransomware. Over the weekend, Emsisoft announced they had a new decrypter ready for Amnesia, a ransomware that was spotted just earlier this month. According to the company's CTO and malware researcher Fabian Wosar, the malware has had another variant released called CryptoBoss. This new family of ransomware was named Amnesia based on the extension that gets added to encrypted files by the first variant (.amnesia). The CryptoBoss variant has yet to get a decrypter, but researchers are working on it. Amnesia victims, however, are lucky to get this tool to use.

      The ransom note can be found in each folder that holds an encrypted file. "HOW TO RECOVER ENCRYPTED FILES.TXT" is the name of the file, which contains a personal ID that should be included in an email sent to a certain address included in the file.

      How does it work?

      In order to decrypt your files, you need to download the decrypter first. In order for the decrypter to work, you need both an encrypted and an unencrypted copy of the same file, and you drag and drop them on the executable. A good way to find a pair of files to use is to look for the sample pictures found in the default Windows folders. It may take a while until the decrypter discovers the key that was used to encrypt all the files, but it can then be used to fix all the files on your computer. The decrypter will automatically display a list of drives that will be decrypted and if there are any left out, you can add them on your own. Once everything is there, you can click the Decrypt button to start the process and you'll see each file get listed as it gets fixed. The encrypted files may still be on your computer, so you'll have to make sure you've already properly decrypted all the files before removing or archiving the affected files.

      Source
  11. A new Ransomware-as-a-Service has become available on the Dark Web, named FrozrLock, available for only $220, and advertised under the tagline of "great security tool that encrypts most of your files in several minutes."

      Bleeping Computer received a tip about FrozrLock’s existence from security researcher David Montenegro, and with help from Avast security researcher Jakub Kroustek, we were later able to tie it to previous ransomware infections as early as April 16. “First detections were from Russia, without making any conclusions about its origin,” Kroustek said in a private conversation. “[It was] spreading via JS downloaders named as Contract_432732593256.js,” he said. At the time, the ransomware had no name, but we called it AutoDecrypt in the Weekly Ransomware round-up of that week, based on the name of its decrypter. In the meantime, more details have surfaced. Below is the homepage of the FrozrLock RaaS in full.

      Based on the details listed on the homepage, we extracted the following FrozrLock features (not confirmed):

        • Coded in C#
        • Multi-threaded
        • Supports .NET > 4.5
        • Automatically deletes loader after infecting victim
        • Doesn’t alter file extensions
        • Self-deletes after payment was received
        • All ransomware builds are obfuscated on the RaaS server and offered for download to customers
        • Tor-based control panel
        • Customers get unlimited rebuilds
        • Ransomware uses unique keys for each encrypted file
        • Can use Twofish256, AES256, and RSA4096 encryption

      Wannabe crooks who had their interest piqued by this offering must register on the site to gain access to an account. Once they’ve created an account, they’re granted access to the ransomware’s web-based builder interface. To use the builder and produce a fully-working ransomware, clients must buy a license, currently worth 0.14 Bitcoin (around $220). The ransomware’s evolution is also recorded in a professional-looking changelog.

      The homepage lists the FILE FROZR name, but once users register and buy a license, the dashboard displays the FrozrLock name instead. Below is an image of the FrozrLock customer dashboard where customers can monitor infections.

      FrozrLock decrypter - auto
      FrozrLock decrypter - manual
      FrozrLock decrypter - alternate manual

      A typical ransom note shown by a FrozrLock ransomware variant looks like the image below. FrozrLock's author(s) declined to comment for this article.

      SHA256 hash: 2aa4c7708a49a6f1f462f96002dd2ce6fd27c7daf69647162116919b2df5abcd

      Source
  12. Bitdefender 2017 Build 21.0.25.84

      Overview: The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward Bitdefender's outstanding results through numerous prizes and certifications are: Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark, PC World Top 100, just to name but a few.

      Homepage: https://www.bitdefender.com/
      Changelog: https://forum.bitdefender.com/index.php?/topic/75881-latest-changelog/

      A new Bitdefender Classic Line product update has been released with the following details:

      Affected software:
        • Bitdefender Total Security 2017
        • Bitdefender Internet Security 2017
        • Bitdefender Antivirus Plus 2017
      Platform: x86, x64
      Version: 21.0.25.84

      This version fixes the following issues:
        • Rare issue where the Virus Shield would report an invalid current state 0
        • Rare issue where the interface would go transparent while connected via RDP
        • Firewall crash caused by late BFE startup
        • Widget not saving its position after reboot

      The following improvements were included:
        • Added support for Korean and Vietnamese
        • Product interface fixes and improvements
        • Interface functionality
        • Rescue mode changed to Rescue Environment under Windows 10
        • SafePay's ability to handle foreign languages
        • FileShreder engine functionality
        • Event engine functionality
        • Update engine functionality
        • Agent's functionality
        • Wallet's compatibility with several websites
        • Wallet's ability to handle browser extensions
        • Product stability

      KB is unavailable at this time.

      Downloads:

      Online Installers:
      Bitdefender Antivirus Plus 2017 21.0.25.84
        Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
        XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe
      Bitdefender Internet Security 2017 21.0.25.84
        Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
        XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe
      Bitdefender Total Security 2017 21.0.25.84
        Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
        XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe

      Offline Installers and Install Guide:
      Bitdefender 2017 Offline Installation Guide:
  13. Bitdefender 2017 Build 21.0.25.80

      Overview: The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward Bitdefender's outstanding results through numerous prizes and certifications are: Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark, PC World Top 100, just to name but a few.

      Homepage: https://www.bitdefender.com/
      Changelog: https://forum.bitdefender.com/index.php?/topic/75881-latest-changelog/

      A new Bitdefender Classic Line product update has been released with the following details:

      Affected software:
        • Bitdefender Total Security 2017
        • Bitdefender Internet Security 2017
        • Bitdefender Antivirus Plus 2017
      Platform: x86, x64
      Version: 21.0.25.80

      This version fixes the following issues:
        • Rare issue where the Virus Shield would report an invalid current state 0
        • Rare issue where the interface would go transparent while connected via RDP
        • Firewall crash caused by late BFE startup
        • Widget not saving its position after reboot

      The following improvements were included:
        • Added support for Korean and Vietnamese
        • Product interface fixes and improvements
        • Interface functionality
        • Rescue mode changed to Rescue Environment under Windows 10
        • SafePay's ability to handle foreign languages
        • FileShreder engine functionality
        • Event engine functionality
        • Update engine functionality
        • Agent's functionality
        • Wallet's compatibility with several websites
        • Wallet's ability to handle browser extensions

      KB is unavailable at this time.

      Downloads:

      Online Installers:
      Bitdefender Antivirus Plus 2017 21.0.25.80
        Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
        XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe
      Bitdefender Internet Security 2017 21.0.25.80
        Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
        XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe
      Bitdefender Total Security 2017 21.0.25.80
        Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
        XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe

      Offline Installers and Install Guide:
      Bitdefender 2017 Offline Installation Guide:
  14. Trustlook says a big part of ransomware victims pay the fees

      About 40% of ransomware victims pay to get their devices unlocked as more and more people get affected by such schemes. According to new research from cybersecurity firm Trustlook, it's not just businesses that are threatened by ransomware, but also random, regular Internet users. The latter, it seems, are easier targets and have fewer resources than major companies to combat criminals, which is why they are the most likely to comply with the demands of these cyber criminals.

      Trustlook's report indicates that about 17% of consumers have, by this point, been infected with ransomware. 38% of all affected consumers have chosen to pay the ransom, which regularly ranges between $100 and $500, more often than not expressed in Bitcoin. On the other hand, those who have not yet been affected by ransomware present a tough stance, as only 7% say they would pay the fees.

      The unknown danger

      Despite the growing popularity of ransomware among cybercriminals who see it as a way to make a quick buck, nearly half of all consumers have not even heard of ransomware before. Furthermore, 48% of consumers aren't even worried about becoming a victim of a ransomware attack. On the upside, people seem to be cautious with their data, backing up the files on their computer or mobile device, with only 23% of consumers forgoing this detail.

      "Back up your data to multiple devices, and to at least one device that is not connected to a network. Also, be cautious of emails by checking the sender's email address before clicking any link," says Allan Zhang, co-founder and CEO of Trustlook. His advice comes in perfectly, especially since most ransomware is spread via email phishing schemes. When it comes to mobile ransomware, installing apps from the main app stores instead of going to third-party stores should do the trick. While some infected apps sometimes pass under the radar of Google, for instance, the instances are rare.

      Source
  15. Cybercriminals behind the Locky ransomware and Necurs botnet are back in business. Last Friday researchers spotted both delivering nearly 35,000 emails in just a few hours, the first major Locky campaign researchers have seen in months, according to Cisco Talos. Researchers warn the latest Locky campaign is borrowing effective techniques from the credential-stealing malware Dridex, which has become adroit at outsmarting sandbox mitigation efforts.

      “The payload hasn’t changed but the methodology has,” wrote Cisco Talos researcher Nick Biasini in a research blog published Friday. “The use of PDFs requiring user interaction was recently seen by Dridex and has now been co-opted into Locky,” he said. Last year, Locky was behind a series of massive spam campaigns that targeted hospitals with either malicious Word or JavaScript attachments. By December, Cisco reported, Necurs and Locky activity had gone silent. “This could be the first significant wave of Locky distribution in 2017,” according to Biasini.

      The specifics of the campaign include two variants of emails sent to recipients. One email has no text in the body of the email. In another variant, emails include text consistent with what you might expect from an email that contains payment invoices, receipts or scanned images, according to Biasini. In both cases, subject lines include either the word “Payment” or “Receipt” followed by “#” and numbers – for example “Receipt#272”. Filenames of the malicious attachments are customized based on the recipient’s email address. Emails include a malicious PDF document with an embedded Word document inside, researchers say. Once opened, the PDF asks the victim for permission to open a Word document. That Word document then asks victims for permission to run an XOR’d macro that pulls down a malware dropper file. Once Locky is downloaded it encrypts files on the host computer.

      “The technique used by the adversaries to deliver Locky was just recently used to deliver Dridex and made use of PDF document with embedded Word documents. These Word documents then use macros to pull down the Locky sample and encrypt files. There are a couple of interesting aspects of using this technique one of which is requiring user interaction to get the sample to run, defeating many sandboxing technologies,” Biasini wrote. For a time PDF-based compromises were down and Word macro-based compromises were up, Biasini said. “In this campaign they figured out how to disguise a macro-laden Word doc in a PDF, compromising victims around the globe,” he wrote.

      The latest wave of Necurs activity represents a departure for the botnet, which has traditionally been focused on pump-and-dump stock ploys, Russian dating spam, and work-from-home scams, according to the report. Once systems are infected, there is nothing remarkable about how attackers extort money from victims, Biasini wrote. Post infection, the Locky sample used the “/checkupdate C2” structure, previously used by Locky. Attackers demand 1 bitcoin to decrypt files (currently $1,200), which is payable via a TOR Browser-accessible website. “This is an effective technique to defeat sandboxes that do not allow user interaction and could increase the likelihood of it reaching an end user’s mailbox,” Biasini wrote.

      Source
  16. Google has removed a feature of the Android operating system that has been used in the past in ransomware attacks. Starting with Android O (8.0), set to be released in the fall of 2017, Google plans to deprecate the following window types: TYPE_SYSTEM_ALERT, TYPE_SYSTEM_ERROR, and TYPE_SYSTEM_OVERLAY. These are special "system" windows that are shown above any app on the user's screen. As you'd imagine, this is highly valued realty for ransomware developers, who often aim to obtain permissions to show content via these windows. Once they manage to obtain such permission, they use these windows to block the user's access to the rest of his phone and show ransom notes. Google's anti-ransomware efforts sabotaged by OEMs Starting with Android Marshmallow (6.0), Google reclassified the permissions of these system windows to the "Above dangerous" class. Previously, Android had only two permission classes: Normal and Dangerous. The difference between the two is that the Android OS itself can grant apps access to Normal permissions (adjusting timezone, access mundane sensors, etc.), while the user has to grant access to Dangerous permissions himself. For Above Dangerous permissions, requesting apps can provide instructions and the user has to go to an Android settings section, on his own, to grant access to the SYSTEM_ALERT_WINDOW permission, similar to how permissions are granted for Accessibility features and Device Administrators, also two other features often abused by ransomware. Dinesh Venkatesan, Principal Threat Analysis Engineer, says this didn't actually stop Android malware and ransomware authors, who just found various workarounds to get that permission. It also didn't help that certain Android phone manufacturers didn't move this permission in the Above Dangerous category in their modified Android distributions, nullifying Google's work. 
Google adds button to shut down abusive apps

Now, with Android O, for which Google released a developer preview at the end of March, Google has taken this choice away from OEMs and has deprecated three types of system windows often used by ransomware authors. This means ransomware authors will need to find new ways of showing ransom notes and locking users' screens.

And to make things even safer, Google is now allowing users to shut down apps that show other types of system windows. Starting with Android O, when ransomware or other malware attempts to lock users via a system window, the user can pull down the Notifications panel and shut down the app that's locking him out of his phone.

New button to shut down apps with annoying system windows, at the bottom of the Notifications panel [via Symantec]

"It should also be noted that while the new OS features should prove to be a good defense against ransomware variants that use system alert windows, they will not affect other ransomware threats such as those that constantly pop up the lock screen using user level windows," Venkatesan pointed out.

Nonetheless, despite these improvements, Google's own Android Security Report showed that malware devs usually target older versions of the Android OS, where these improvements aren't supported. It also helps that there are more devices running Android 4.x and 5.x, less secure Android versions, compared with 6.x and 7.x, meaning malware devs don't have to go through all the trouble of bypassing Google's new security features to make profits. So for the time being, ransomware is going to remain a problem on Android, but most likely for users of older OS versions.

Last year, with the release of Android Nougat (7.0), Google also added anti-ransomware improvements by restricting the ability of malware to "programmatically" change device PINs and passwords.

Source
17. The Cerber ransomware family has risen to take Locky's place at the top of the ransomware mountain after new Locky versions stopped coming out last year, and spam operations spreading Locky have slowed down to a trickle in 2017.

Cerber's rise to the #1 spot is backed up by an influx of new versions that have been released this year, including one that includes some features that allow it to evade security products that rely on behavioral analysis and machine learning.

Furthermore, while Locky and TeslaCrypt, 2016's undisputed leaders, were distributed by one group, Cerber has adopted the RaaS model and relies on the greed and money hunger of different groups to keep its distribution going.

Backend panel for Cerber ransomware RaaS [Source: David Montenegro]

The constant stream of Cerber versions, the RaaS model, and the Necurs botnet dropping Locky and switching to other payloads have allowed Cerber to rise well above other ransomware distributions.

According to the Malwarebytes "Cybercrime tactics and techniques" Q1 report, Cerber is nearing 90% in terms of ransomware distribution, very close to the all-time dominant position that TeslaCrypt had in May 2016, just before it voluntarily shut down.

Ransomware distribution in the first months of 2017 [Source: Malwarebytes]

But while the chart above shows distribution numbers, not all of those are infections. A similar chart is provided below by the team at ID-Ransomware, which relies on infected users that are trying to identify the name of the ransomware that has infected their computer. This chart, covering the last ten days, also shows Cerber dominating other ransomware families, such as Spora, Shade (Troldesh), Locky, and Sage.

Ransomware infections in the last 10 days [Source: MalwareHunterTeam]

Statistics from Microsoft also show Cerber as the primary ransomware infection on enterprise endpoints, taking up over a quarter of all ransomware infections.
Ransomware encounters on enterprise endpoints [Source: Microsoft]

Right now, Cerber may be dominating, but if history teaches us anything, it is that this won't last long. Either the Cerber crew will shut down their operation on their own (like TeslaCrypt), or they'll move to a new business model (like the Locky/Necurs crew), or they'll end up under arrest (like BitCryptor/CoinVault). Nonetheless, there'll also be another ransomware family waiting in the shadows to take Cerber's place. Right now, that ransomware seems to be Spora.

Below are the results of a new study on ransomware awareness published today by Trustlook:

  • 48% of consumers are not worried about becoming a victim of a ransomware attack
  • 17% of consumers have been infected with ransomware
  • 38% of affected consumers paid the ransom
  • $100-$500 was the dollar range of ransomware payouts by consumers
  • 45% of consumers have not heard of ransomware
  • 23% of consumers do not backup the files on their computer or mobile device
  • 7% of non-impacted consumers say they would pay the ransom if they were hacked

Source
18. Lots of Android ransomware news this week even though Google feels they are pretty rare. Also some updates to tools created by Michael Gillespie (CryptoSearch & ID-Ransomware), a new RaaS, a new PyCL ransomware being distributed via RIG, and ransomware asking for 6 bitcoin ransoms while making fun of USA sanctions on Russia.

Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @fwosar, @malwrhunterteam, @BleepinComputer, @struppigel, @demonslay335, @malwareforme, @jorntvdw, @FourOctets, @DanielGallagher, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @kafeine, @FreeBSDfan, @rommeljoven17, @BroadAnalysis, @nyxbone, @Malwarebytes, @Google, @zscaler, and @Lookout. If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.

March 25th 2017

CryptoSearch Updated to Support Files Encrypted by Spora
Michael Gillespie has updated CryptoSearch so that it now supports files encrypted by Spora Ransomware.

New Ransomware called WannaCry
GData security researcher Karsten Hahn found a new ransomware called WannaCry.

Spanish Ransomware Pretends to be a Windows Update
Karsten Hahn found a Spanish ransomware that uses Smart Install Maker and a bunch of .vbs scripts to encrypt a computer. When run it pretends to be Windows Update.

In-Dev MemeLocker Discovered
Karsten Hahn keeps pumping out the new ransomware infections with MemeLocker. This ransomware is in development, but based on its name, I hope we won't see pictures of cats everywhere.

March 28th 2017

Unskilled Group Behind Many Junk Ransomware Strains
A person or group of malware authors calling themselves "Mafia Malware Indonesia" claimed responsibility for writing a collection of ransomware families that includes threats such as KimcilWare, MireWare, MafiaWare, CryPy, and the recent SADStory and the L0CK3R74H4T ransomware.
Yesterday's iOS 10.3 Update Brings Safari Ransomware Campaign to an End
According to Lookout, the iOS 10.3 update, released yesterday, has thwarted a screen-locking ransomware campaign that used a bug in mobile Safari to lock users' browsers and demand a ransom paid in iTunes pre-paid gift cards.

PyCL Ransomware Delivered via RIG EK in Distribution Test
This past Saturday security researchers Kafeine, MalwareHunterTeam, BroadAnalysis, and David Martínez discovered a new ransomware being distributed through EITest into the RIG exploit kit. As this ransomware was only distributed for one day and does not securely encrypt files, it makes me believe that this may have been a test distribution run.

R Ransomware Discovered
R is for Ransomware according to the new ransomware discovered by MalwareHunterTeam. Not sure what the big S is for at the bottom of the ransom page.

Skulls are Creepy According to the AnDROid Ransomware
MalwareHunterTeam discovered another ransomware today called AnDROid. This ransomware appends the .android extension to encrypted files. Even cooler, the skull is animated. Such skillz!!

Ransom Hunt Underway for pr0tect Ransomware
Michael Gillespie initiated a ransomware hunt for one that uses the .pr0tect extension and drops a ransom note called READ ME ABOUT DECRYPTION.txt.

March 29th 2017

Explained: Sage ransomware
Malwarebytes explains how Sage is yet another ransomware that has become a common threat nowadays. Similarly to Spora, it has capabilities to encrypt files offline. The malware is actively developed and currently, we are facing an outbreak of version 2.2 of this product.

HappyDayzz Sample Found
MalwareHunterTeam found a sample of the HappyDayzz Ransomware. What is interesting about this ransomware is that it uses different encryption algorithms depending on the response from the C2 server.

DoNotChange Ransomware Discovered
MalwareHunterTeam found a sample of the DoNotChange Ransomware.
New RaaS called File Frozr Discovered
Rommel Joven discovered a new RaaS called File Frozr.

March 30th 2017

Decryptor for the DoNotChange Ransomware Released
Michael Gillespie released a decryptor for the DoNotChange Ransomware. Instructions can be found here.

Google: Ransomware on Android Is Exceedingly Rare
Android apps spreading ransomware aren't as common as most users and security experts think, says Jason Woloz, Sr. Program Manager for Android Security at @Google.

CryptoSearch Updated to Support Files Encrypted by FadeSoft
Michael Gillespie released an updated version of CryptoSearch that supports files encrypted by FadeSoft.

ID-Ransomware can now Identify Files Encrypted by FadeSoft
Michael Gillespie added support for FadeSoft identification to ID-Ransomware.

March 31st 2017

New Android Ransomware Evades All Mobile Antivirus Solutions
Zscaler has spotted a new strain of Android ransomware that could evade detection on all mobile antivirus engines at the time of its discovery. Currently targeting Russian-speaking users, this ransomware lacks basic decryption functionality. This means that users infected with this ransomware version cannot unlock their phones and regain access to their data, even if they pay the ransom.

Introducing the Ugly LanRan Ransomware
Don't ransomware developers have any pride anymore? This is obviously not apparent with the LanRan ransomware discovered by Karsten Hahn. This ransomware appears to be in-dev as it just sets the background and displays an ugly ransom lock screen. The contact email for this crapsomware is [email protected]

New Variant of the Fantom Ransomware
MalwareHunterTeam discovered a new variant of the Fantom Ransomware. When I took a look, it's quite different than its predecessors. This variant will encrypt files and rename them to a base64 encoded filename with an extension that is based on the time the ransomware started. The extension format is .. An example is Ny5wbmc=.11232323.
The ransom note is named in a similar manner with a name like RESTORE-FILES..11232323.hta. It logs the status of the infection process by retrieving one of these two images hxxp://iplogger.ru/1qzM6.gif or hxxp://iplogger.ru/1wzM6.gif. If it detects the user is from Russia, it terminates the process and deletes the infection from the computer.

New version of CrypVault Found
Karsten Hahn found a new version of CrypVault. This variant tells victims to contact [email protected]

Ransom Hunt Underway for Cradle Ransomware
Michael Gillespie initiated a ransomware hunt for one that uses the extension .cradle and drops a ransom note called _HOW_TO_UNLOCK_FILES_.html.

Sanctions Ransomware Makes Fun of USA Sanctions Against Russia
If you want to know what some ransomware developers think about the USA, you can get a good idea from the ransom note of the Sanctions Ransomware that was released in March. Dubbed Sanctions Ransomware due to the image in the ransom note, the developer makes it fairly obvious how they feel about the USA and their attempts to sanction Russia.

Source
19. UEFI ransomware stored in the firmware of a Gigabyte BRIX

Yesterday, at the BlackHat Asia 2017 security conference, researchers from cyber-security firm Cylance disclosed two vulnerabilities in the firmware of Gigabyte BRIX small computing devices, which allow an attacker to write malicious content to the UEFI firmware.

During their presentation, researchers installed a proof-of-concept UEFI ransomware, preventing the BRIX devices from booting, but researchers say the same flaws can be used to plant rootkits that allow attackers to persist malware for years.

Gigabyte preparing to release firmware updates

Cylance researchers said they identified these flaws at the start of the year, and have worked with Gigabyte, American Megatrends Inc. (AMI), and CERT/CC to fix the flaws in time. Affected Gigabyte devices include GB-BSi7H-6500 (firmware version vF6), and GB-BXi7-5775 (firmware version vF2).

Gigabyte is expected to release firmware vF7 for GB-BSi7H-6500 devices in the upcoming days. The GB-BXi7-5775 line is not being produced anymore and has reached EOL (End Of Life), so Gigabyte won't be releasing a new firmware for this series.

Vulnerabilities allow hackers to tamper with UEFI firmware files

The two vulnerabilities discovered by Cylance researchers are CVE-2017-3197 and CVE-2017-3198. The first is a failure on Gigabyte's part to implement write protection for its UEFI firmware. The second vulnerability is another lapse on Gigabyte's side, which forgot to implement a system that cryptographically signs UEFI firmware files. The second flaw also covers Gigabyte's insecure firmware update process, which doesn't check the validity of downloaded files using a checksum and uses HTTP instead of HTTPS.

CERT/CC has issued an official Vulnerability Note (VU#507496) for both flaws. An attacker can exploit both flaws to execute code in System Management Mode (SMM) and plant malicious code in the firmware itself.
Cylance experts detail a possible attack as follows:

Gigabyte BRIX are small computers, similar to Intel NUCs, that can be used to replace bulky desktop towers. They are powerful devices and are very popular with businesses, due to their price, small size, and portability.

Source
20. If you want to know what some ransomware developers think about the USA, you can get a good idea from the ransom note of the Sanctions Ransomware that was released in March. Dubbed Sanctions Ransomware due to the image in the ransom note, the developer makes it fairly obvious how they feel about the USA and their attempts to sanction Russia.

Sanctions Ransom Note

I was tipped off about this new ransomware after someone was infected and had their files encrypted with the .wallet extension. This extension is typically associated with the Crysis/Dharma ransomware, but according to Michael Gillespie, the creator of ID-Ransomware, the files encrypted by Sanctions do not contain the standard Dharma/Crysis file markers as shown below.

Crysis/Dharma File Marker

While I have not been able to find a sample of the actual ransomware, I was able to find a copy of the ransom note on ID-Ransomware. This ransom note is called RESTORE_ALL_DATA.html and contains a link to a satoshibox page where the ransomware developer is selling the decryption key for 6 bitcoins. This equates to about $6,500 USD at bitcoin's current rate.

Satoshibox Decryption Key Purchase

As this is a very large ransom payment and due to the fact that this ransomware is not in wide circulation, it leads me to believe that this ransomware developer may be conducting targeted attacks. Unfortunately, this is all the information we have at this time. At some point we will find a sample and be able to provide more information as we further analyze this ransomware.

Source
21. New Android ransomware discovered

A new type of Android ransomware was discovered in the wild. What makes this one particularly scary and noteworthy is the fact that no antivirus program has managed to detect it.

Researchers for Zscaler ThreatLabZ discovered the new ransomware in a popular app called "OK," a Russian entertainment social network app. The legitimate app that's available in the Google Play Store, with somewhere between 50 and 100 million installs, is perfectly clean and does not contain any malicious code. It is the alternative found on third-party app stores that is dangerous.

The ransomware has a few extra features to make you feel safe. For example, after you've installed the app, the malware doesn't act immediately as such tools often do. Instead, it stays silent for four hours, allowing the phone to operate as it regularly does, and even the app will work like it is supposed to.

Four hours later, the app prompts users to add a device administrator, allowing the app to change the screen unlock password, monitor screen-unlock attempts, lock the screen and set lock-screen password expiration. Of course, this sounds extremely suspicious, so users might very well tap "cancel." Even if this happens, the prompt reappears quickly, preventing the user from taking another action or uninstalling the app.

If the user gives in and agrees to give the app admin powers, the ransom note appears on the screen. Attackers demand 500 rubles as payment, which is close to $9,000.

"We analyzed the sample further to understand whether the malware actually sends a user's data to a server. We didn't find any personal data leak as claimed by the ransomware and were not surprised when we found that the ransomware is NOT capable of unlocking the user's phone," the researchers note.

That means that even if the victim pays the price, the ransomware will not stop operating and the victim will not be able to regain access to the phone.
There is no functionality present in the malware to confirm whether the user has paid the ransom or not, so it just continues to operate.

Stealthiness helps it dodge AV programs until it's too late

Researchers have concluded that this malware could end up injected into apps on the official Google Play Store quite easily. Mostly, that's because antivirus programs can't detect it due to the four-hour stealth tactic.

If you become infected, paying the ransom is useless since there's no way to get the malware to leave you alone. Instead, boot your device into Safe Mode, which disables third-party apps. Then, you have to remove the device admin privilege of the ransomware app, uninstall the app and reboot your device into normal mode.

It's best to not install apps from unknown sources in the future, so you might want to go to the security settings area on your phone and de-select unknown sources from the device administration panel.

Source
22. Android apps spreading ransomware aren't as common as most users and security experts think, says Jason Woloz, Sr. Program Manager for Android Security at Google.

The mobile security guru cites internal Google statistics, revealing that since 2015, less than 0.00001% (one in 10,000) app installations from the Google Play Store delivered apps that could be categorized as ransomware. For apps installed from outside the Play Store, which Google can track via Android's built-in Verify Apps service, the number is much higher, as expected, with less than 0.01% (one in 100) app installations.

There is no surprise here, as most malware gangs these days use third-party shops to spread malicious apps, as very few have the technical skills to code Android malware capable of evading Google's Bouncer app scanning service.

Woloz brazenly says that Android users are more likely to get struck by lightning twice in their lifetime rather than install ransomware on their devices. While mathematically and factually correct, your reporter doesn't agree with the statement, mainly because it lowers user awareness levels and trivializes the act of carelessly installing ransomware to a mere accident, when it's not. Google should be telling users to install apps only from the official Play Store and ask them to closely review the permissions they give to apps.

Better Android defences led to fewer ransomware infections

For its part, Google has worked hard on improving the Android security model, doing whatever it could to reduce the attack surface often exploited by various Android malware strains. Android 7.0 Nougat, released last year, has added a few features that very few Android malware families have managed to bypass. For starters, Google restricted access to Device Admin APIs, so apps won't be able to programmatically change existing passwords/PINs.
If the user set up a PIN before the installation of a malicious app (ransomware), that app can't change the existing PIN, even if it has the proper permissions.

Second, Android devs have ported the seccomp Linux sandboxing feature, meaning apps can't take a peek inside other apps and launch an attack based on predetermined triggers.

Third, Google changed how the SYSTEM_ALERT_WINDOW function works, stopping so-called "permission clickjacking" attacks, which happen when a malicious app draws a fake screen over system dialogs (like the ones asking for permissions) and tricks users into giving ransomware or other malware the permissions they need to work.

If by any chance you still manage to infect your Android device with ransomware, Google advises booting the device in safe mode and attempting to remove the app, performing a factory reset (hard reset), or flashing the device (reinstalling the Android OS). For this last step, it's often recommended that users perform regular backups, so they can restore data they might lose during a reflash.

Booting in safe mode or performing factory resets is usually different based on the device model. Instructions for each operation can be found online.

Source
23. Bitdefender 2017 Build 21.0.24.62

Overview:
The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward BitDefender outstanding results through numerous prizes and certifications are: Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark, PC World Top 100, just to name but a few.

Homepage: https://www.bitdefender.com/
Changelog: https://forum.bitdefender.com/index.php?/topic/75587-latest-changelog/

A new Bitdefender Classic Line product update has been released with the following details:

Affected software:
  • Bitdefender Total Security 2017
  • Bitdefender Internet Security 2017
  • Bitdefender Antivirus Plus 2017
Platform: x86, x64
Version: 21.0.24.62

This version brings the following changes:
  • Changes in the product's structure to protect from "Double-Agent" reported by Cybellum.

KB is unavailable at this time.
Downloads:

Online Installers:

Bitdefender Antivirus Plus 2017 21.0.24.62
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe

Bitdefender Internet Security 2017 21.0.24.62
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe

Bitdefender Total Security 2017 21.0.24.62
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe

Offline Installers and Install Guide:

Checksum - 30 Mar 2017 Offline Installer Update:
bitdefender_ts_21_32b.exe (application/octet-stream) - 392912632 bytes
bitdefender_ts_21_64b.exe (application/octet-stream) - 434606552 bytes

Bitdefender 2017 Offline Installation Guide:
24. Cerber is one of the most common forms of ransomware.

Malicious loaders delivered by self-extracting Dropbox files - enabling payloads to bypass detection.

One of the most common forms of ransomware is evolving a new technique in order to become even more effective and harder to detect - the ability to evade detection by cybersecurity tools which use machine learning to identify threats.

Rather than relying on specifically identified signatures of known threats, some cybersecurity defences employ machine learning in an effort to detect previously unknown malware and the methods used to deliver them to unsuspecting victims.

The Cerber family of ransomware is already one of the most successful variants of file-encrypting malware, at least partially thanks to its malicious authors spreading it by offering the code to anyone who wants it - for a cut of the ill-gotten profits. Now those behind it are using new tactics in an effort to stay ahead of the game.

Identified by Trend Micro, the new Cerber variant is - like most ransomware - delivered by a malicious phishing email. But rather than encouraging the victim to click on a link to download a file, these emails contain a link to Dropbox controlled by the attackers which downloads and self-extracts the Cerber payload.

However, in order to evade detection and monitoring by cybersecurity researchers, this version of Cerber will check to see if it's running on a virtual machine, sandbox, or if certain products are running on the machine - and if it spots any of these, it'll stop running.

Why? Because it's in the best interests of the criminals behind it that their code doesn't get analysed. It's because of this that the actors behind Cerber have gone to the trouble of repackaging the delivery method and loader in order to get around cybersecurity products which can detect malicious files based on features instead of signatures.
But by deploying a self-extracting mechanism, it's possible for the file to not look malicious, even to machine learning tools, something which Trend Micro cybersecurity researchers say is specifically designed in this way.

"Self-extracting files and simple, straightforward files could pose a problem for static machine learning file detection. All self-extracting files may look similar by structure, regardless of the content. Unpacked binaries with limited features may not look malicious either," says the blog post about the Cerber update.

Ultimately, when a new way to detect malware arrives, cybercriminals do all they can to get around it so they can continue to deliver payloads.

The best way to ensure networks are protected against sophisticated threats, says Trend Micro, is not to rely on just one single layer of defence. "Threats will always try to get around the latest solutions, and users should avoid relying on any single approach to security. A proactive, multilayered approach to security is more effective, from the gateway, endpoints, networks, and servers," they advise.

The researchers also provided a list of Dropbox URLs to the cloud storage provider's security team - the links are no longer active and Dropbox has banned the accounts involved.

Source
25. Bitdefender 2017 Build 21.0.24.54

Overview:
The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward BitDefender outstanding results through numerous prizes and certifications are: Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark, PC World Top 100, just to name but a few.

Homepage: https://www.bitdefender.com/
Changelog: Yet to be Updated

KB is unavailable at this time.

Downloads:

Online Installers:

Bitdefender Antivirus Plus 2017 21.0.24.54
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe

Bitdefender Internet Security 2017 21.0.24.54
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe

Bitdefender Total Security 2017 21.0.24.54
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe

Offline Installers and Install Guide:

Checksum - 10 Mar 2017 Offline Installer Update:
bitdefender_ts_21_32b.exe (application/octet-stream) - 391676120 bytes
bitdefender_ts_21_64b.exe (application/octet-stream) - 433246512 bytes

Bitdefender 2017 Offline Installation Guide: