Search the Community

Showing results for tags 'ransomware'.

Found 219 results

  1. The “Patcher” malware downloads itself with fake Adobe Premiere Pro and Microsoft Office for Mac installers.

     Cybercriminals prefer crypto-ransomware as it not only successfully targets Windows desktops but also devices that run macOS or Linux. Now, according to ESET researchers, there is a new ransomware called “Patcher” targeting Mac users. The new ransomware is written in Swift and is being distributed through BitTorrent distribution sites. The torrent has just one ZIP file, which is actually an application bundle with the bundle identifier NULL.prova. ESET researchers identified two fake application patchers, one for Adobe Premiere Pro and the other for Microsoft Office for Mac. The app has been coded poorly, and research suggests that the window has a transparent background, which is quite confusing, as once it is closed it becomes very difficult to reopen.

     When the victim clicks on the Start button, the encryption process begins and a file called README!.txt is copied everywhere around the directories of the system, including the Documents and Photos directories. The ransomware then creates a random 25-character string, which serves as the key for completing the file encryption process. This key is then applied to all the existing files. The files are then numbered with the fine command line tool. The purpose of the ZIP tool is to store the file in an encrypted library. Afterward, the real file is deleted with rm and the timestamp of the encrypted file is modified to midnight, Feb 13th, 2010 using the touch command. The same process that was carried out for the directory is then used for all the external and network storage folders present in /Volumes. After completion of file encryption, code helps the attacker null all the available free space on the root partition using diskutil.

     It is worth noting that the malware has the wrong path for diskutil, i.e., on macOS it is /usr/sbin/diskutil while the malware tries to execute /usr/bin/diskutil. The victim receives the instructions from the README!.txt file, which is hard-coded within the Filecoder. The Bitcoin address and email address remain the same for every victim, and both samples use the same message and contact details. Please note that there hasn’t been any transaction related to the Bitcoin wallet, which hints at the fact that, as of now, the campaign designers haven’t been able to earn anything from this ransomware.

     The problem with this campaign, as per the researchers, is that the ransomware does not have any specific code with which it could communicate with a C&C server. Therefore, there is literally no way to decrypt the files, since the encryption key was never sent to the attackers in the first place. Furthermore, the ZIP password is generated by arc4random_uniform, which is believed to be a secure random number generator. So, victims have no other choice but to pay the ransom to get the files back.

     So far, the attackers have targeted Chinese-speaking victims. What led to this conclusion is the fact that the ransom note is written in Mandarin and the instructions say that the attackers can be contacted through the QQ instant messaging service for payment of the ransom and unlocking of the code. However, since the target computer is locked up, the victims have to contact the attackers from another machine/device.

     Ref: < https://www.hackread.com/crypto-ransomware-targets-mac-os-system/ >
  2. Jesus Vigo went hands-on with RansomFree to see if it could outmaneuver ransomware threats and keep data safe. Here's a look at what he discovered.

     Ransomware made a huge splash in 2016. There's no denying the motivation here: Money—as in virtually untraceable, digital cryptocurrency—has made this segment of the security realm nearly unstoppable. And if it continues to grow as projected, its reach will extend to more and more users, bringing in tens of millions of dollars for threat actors wishing to cash in on the epidemic.

     So what does this mean for your data if it's something that can't be stopped? Well, many of the best practices still apply. For instance, making sure you're up to date on system and application patches, rolling out modern antivirus with malware protection that is both updated and actively running in the background, and performing multiple scheduled backups are good computing habits. Of course, staying clear of questionable websites and not clicking on links or attachments sent to you via email, social media, or just about anywhere are excellent safety guidelines to practice too. But even with all that, you're still susceptible to data compromise. So what's next?

     Well, next might be RansomFree. This proactive ransomware detection application watches your computer for files being accessed and monitors their interaction closely to determine whether encryption is taking place. Using behavioral detection techniques, if RansomFree determines the behavior being displayed to be ransomware, it immediately halts the process and flags it, creating an alert onscreen. At that point, the user must authorize the process before it will proceed, according to RansomFree's developer.

     But should we just take their word for it? I didn't! I set out to test it first-hand to determine whether the application works as advertised. I purposely infected my Windows-based computer with a strain of ransomware to assess RansomFree's real-life capabilities... and the results documented are nothing less than impressive.

     First, a warning. DO NOT INFECT YOUR COMPUTER WITH RANSOMWARE! For the purposes of this test, I created a virtual machine (VM) sandbox environment with a clean copy of Windows and Office. This VM was isolated from other computers on the network, as well. Furthermore, no patches or updates were made to the VM, nor was it running any type of malware protection whatsoever.

     Seeing how the ransomware operates

     Since I have experience cleaning up the devastation left behind by malware—but not with infecting a machine on purpose—I decided to run this test twice after taking a snapshot of the VM as a point in time prior to the introduction of malicious code. The first time through, I would do so without RansomFree to see how the ransomware would operate on the system. Once it was confirmed to have worked, I would rerun the test with RansomFree installed to gauge how effective it was against this strain of ransomware, since now I'd have a good idea of what to look for ...

     Please read the rest of the article with images at: Ref: < http://www.techrepublic.com/article/i-infected-my-computer-with-ransomware-to-test-ransomfrees-protection-for-windows/ >
  3. In a rather worrying new report coming from Kaspersky Lab, it was revealed that in last year's fourth quarter, about a fifth of all spam emails carried ransomware with them. While this is reason enough for everyone to worry and triple-check any incoming email, it's not exactly a surprise given the skyrocketing popularity of ransomware among hackers.

     According to Kaspersky's "Spam and phishing in 2016" report, the volume of spam emails in 2016 rose to over 58% of overall email traffic, which is over 3% more than in 2015. As per usual, the US remained the biggest source of spam, with 12% of it coming from computers across the 50 states. Second place is occupied by Vietnam, with 10.3%, while the third spot goes to India with 10.15%.

     When it comes to the countries that are most targeted by malicious emails, Germany takes the lead with a little over 14%. The second spot goes to Japan with nearly 7.6%, and China with 7.3%. As mentioned before, phishing attacks, in particular ransomware infections, have grown quite a bit in the financial sector and across other businesses, places where attackers could make a little bit more money. Kaspersky notes that in 2016 the average proportion of phishing attacks against customers of financial institutions was over 47%, up from the 34% of the previous year.

     "In 2016, fraudulent spam exploited the theme of major sporting events: the European Football Championship, the Olympic Games in Brazil, as well as the upcoming World Cups in 2018 and 2022. Typically, spammers send out fake notifications of lottery wins linked to one of these events. The content of the fake messages wasn’t exactly very original: the lottery was supposedly held by an official organization and the recipient’s address was randomly selected from millions of other addresses. To get their prize, the recipient had to reply to the email and provide some personal information," the report reads, indicating just some of the techniques used by attackers.

     Another topic exploited in spam mailings was terrorism. Numerous Nigerian letters were sent to users on behalf of state organization employees and individuals, detailing various stories. The purpose was always the same, however: promising large sums of money to make them join the conversation.

     Most popular ransomware

     The most popular were mass spam mailings sent out to infect user computers with the Locky encryptor, but other ransomware such as Petya, Cryakl and Shade were also quite widespread. In total, in 2016, the anti-phishing system on computers running Kaspersky Lab was triggered nearly 240 million times, four times more frequently than the year before.

     This whole report is just a great reminder to never click on emails from people you don't know, and even when you receive emails from someone you do know, to be wary of downloading any files unless you can confirm the sender is who they say they are and it's not a spoofed address instead.

     Ref: < http://news.softpedia.com/news/a-fifth-of-spam-emails-sent-in-2016-distributed-ransomware-513187.shtml >
  4. Cerber Ransomware Switches To .CERBER3 Extension For Encrypted Files

     A new version of the Cerber Ransomware has been discovered by AVG security researcher Jakub Kroustek that switches from the .CERBER2 extension to .CERBER3 for encrypted files. When I tested this new sample, there were some minor outward differences between this version and the previous version. The most notable difference is that this new version will now append the .CERBER3 extension to encrypted files. This is shown in the sample pictures folder shown below.

     [Image: Encrypted Files]

     Another notable difference is that this version has changed the ransom note names to # HELP DECRYPT #.html, # HELP DECRYPT #.txt, and # HELP DECRYPT #.url. The previous Cerber version had also sent UDP packets to the range of IP addresses. This version appears to be using the range for statistical purposes.

     As this version is further analyzed, more information may become available. When this happens, I will be sure to update this article.

     Source
  5. Cyber criminals are now turning to ransomware more than ever

     Everyone knows Russian hackers are extremely busy people, but knowing that about 75% of all ransomware is made by Russian-speaking cyber criminals is still surprising. According to senior malware analyst at Kaspersky Lab Anton Ivanov, out of the 62 crypto ransomware families discovered by the company's researchers in the past year, 47 of them were developed by Russian or Russian-speaking people.

     "This conclusion is based on our observation of underground forums, command and control infrastructure, and other artefacts which can be found on the web. It is hard to draw strong conclusions on why so many of the ransomware families out there have a Russian origin, but it is safe to say that this is because there are a lot of well-educated and skilled code writers in Russia and its neighboring countries," Kaspersky's analysis reads.

     Kaspersky data shows that all ransomware families attacked more than 1.4 million people around the globe in 2016, which is a massive number of people who have either paid up to get their data back or said goodbye to their files altogether. And, keep in mind, 75% of those ransomware variants used for these attacks were made by Russian speakers. Of course, there are ways to bypass ransomware, from free decryption tools for certain variants to initiatives such as No More Ransom, which will offer free help to those seeking to get rid of the spies on their devices.

     The new old tool of cyber criminals - ransomware

     Analyzing the attack stats for 2016, Kaspersky further noticed that a regular user was attacked with encryption ransomware on average every 10 seconds, while organizations were hit about every 40 seconds. The frequency of attack has grown considerably over the past few years, and we're even noticing spikes throughout the year. Ransomware is by no means a new type of malware out in the wild; it's been around for over a decade. Hackers are now discovering, however, just how much more profitable it can be to use this type of attack.

     Ref: < http://news.softpedia.com/news/three-quarters-of-all-ransomware-signed-by-russian-speakers-513050.shtml >
  6. The network security firm said ransomware was the payload of choice for malicious email campaigns and exploit kits in 2016, with Locky claiming the title as the most popular payload globally.

     Ransomware attacks on businesses large and small reached 638 million last year, up from 2015's 3.8 million, network security firm SonicWall has reported. In its 2017 Annual Threat Report, SonicWall said the rise of ransomware in 2016 was unlike anything it had seen in recent years, noting that the 634.2 million instance increase was "meteoric" in nature.

     "By the end of the first quarter [of 2016], $209 million in ransom had been paid by companies, and by mid-2016, almost half of organisations reported being targeted by a ransomware attack in the prior 12 months," the report said.

     The ransomware growth was an upward climb throughout the year, SonicWall said, and it expected the increase to continue into 2017. The first major spike in ransomware was experienced in March 2016, when attack attempts shot up from 282,000 to 30 million over the course of the month, for a first-quarter total of 30.9 million hits. The report shows the upward trend continued throughout the year, with the fourth quarter closing at 266.5 million ransomware attack attempts.

     SonicWall attributed the growth of ransomware to easier access in the underground market, which it said was supported by the low cost of conducting a ransomware attack, the ease of spreading it, and the low risk of being caught or punished. "The rise of ransomware-as-a-service (RaaS) made ransomware significantly easier to obtain and deploy," the report said. "Individuals who wanted to profit from ransomware didn't need to be expert coders, they simply needed to download and deploy a malware kit." Typically, RaaS providers offer their malware for free, while SonicWall explained that others charged a flat rate of typically $100.

     According to SonicWall, another factor driving ransomware was the mass adoption of bitcoin, noting that before the cryptocurrency existed, payments were able to be tracked. Industry verticals were targeted almost equally, SonicWall said, with the mechanical and industrial engineering industry reaping 15 percent of average ransomware hits, followed by a tie between pharmaceuticals and financial services at 13 percent, and real estate claiming 12 percent of the total ransomware hits.

     Geographically speaking, the report highlighted that companies in the United Kingdom were three times as likely as United States-based ones, despite the US experiencing the highest number of ransomware attacks in 2016. China was flagged as least likely to be targeted, with SonicWall attributing this to the country's restricted access to bitcoin and low usage of Tor.

     While SonicWall said many victims of ransomware chose not to publicise the attacks, it highlighted several breaches that received attention. The San Francisco Municipal Transit Authority had to open its fare gates in November when a ransomware attack took down its payment and email systems, demanding 100 bitcoins -- the equivalent of $73,000 at the time. Similarly, Hollywood Presbyterian Medical Center in Los Angeles admitted to paying $17,000 in bitcoin to regain access to its data in February 2016; the Lansing Board of Water & Light revealed it had paid ransomware attackers $25,000 in April; and in September, hosted desktop and cloud provider VESK handed over approximately $22,800 in bitcoins as a result of a ransomware attack.

     "Each of these organisations, and the countless others who were hit with ransomware, faced an urgent and terrifying decision: Whether or not to pay the ransom," the report said. "Those who opted to pay were sometimes able to negotiate a lower ransom to regain access to their systems."

     SonicWall explained that in some instances, paying the ransom did not guarantee access to data, as was the case with the Kansas Heart Hospital that was attacked in May 2016. According to the security firm, only 42 percent of victims were able to fully recover their data from a backup.

     The most popular payload for malicious email campaigns in 2016 was the Locky ransomware, SonicWall said, which was utilised in more than 500 million total attacks throughout the year, compared with second-placed Petya, which was only used in 32 million attacks. Locky was most commonly delivered via email as a Microsoft Word document attachment under the guise of an invoice from a vendor requiring payment. When the attachment is opened, the end user would be instructed to enable macros, which would set off a chain reaction leading to the encryption of the user's files and the serving of a ransom demand.

     Locky evolved to become the most notorious ransomware threat during 2016, security vendor Forcepoint also noted, and the second-most common malware threat by November. Although Locky experienced a lull over Christmas, security experts have said it shows no signs of slowing down, with instances of Locky once again on the up.

     SonicWall officially spun out of Dell Technologies as an independent company in November, with private equity firm Francisco Partners and hedge fund Elliott Management completing the $2 billion acquisition of the technology giant's software arm.

     By Asha McLean
     http://www.zdnet.com/article/sonicwall-reports-638-million-instances-of-ransomware-in-2016/
  7. Microsoft’s New Windows 10 Version Is Malware, Epic CEO Says

     Tim Sweeney can’t stop his rant against Windows 10 Cloud. In a series of tweets, Sweeney calls Windows 10 Cloud “ransomware,” a form of malware that compromises computers by locking down files and asking for a ransom to restore access.

     “Windows Cloud is ransomware: It locks out Windows software you previously bought and makes you pay to unlock it by upgrading to Windows Pro,” he said in a tweet dated February 7. “Firefox blocked. Google Chrome blocked. Google search blocked as web browser search option. OpenGL, Vulcan, OpenVR, Oculus VR blocked,” he continued. “Microsoft is making a huge move against the whole PC ecosystem: @Adobe, @Autodesk, #Valve, @EA, @Activision, @Google, @Mozilla. All blocked. Windows Cloud will steal your Steam PC game library and ransom it back to you...for a price.”

     The Windows 10 Cloud story

     So is this thing true? Not at all, and it all starts with the purpose of Windows 10 Cloud, which, by the way, is not yet confirmed, and we don’t even know if everything we heard about it is true. First and foremost, Windows 10 Cloud appears to be a version of the Windows 10 operating system that exclusively focuses on Store apps, just like Windows RT did when it was launched in 2012 with the Surface RT. There is a good chance that Windows 10 Cloud would be offered to OEMs completely free to install on their devices, and this contributes to lower prices when these models hit the shelves.

     Microsoft is expected to offer a built-in upgrade option that would allow Windows 10 Cloud users to switch to Windows 10 Pro, and thus get Win32 app support, should they pay for a license. This is pretty much what Sweeney is criticizing, claiming that once users pay for the upgrade, they get access to Win32 apps (this is also most likely the reason he calls Windows 10 Cloud “ransomware”). And yet, this is by no means ransomware, but only a way to bring cheaper devices to the market and boost adoption of UWP apps.

     The Epic CEO, however, is also criticizing Microsoft’s aggressive push for universal apps, claiming that the company is actually trying to destroy the Win32 ecosystem by forcing users to switch to Store apps entirely.

     Windows Cloud is ransomware: It locks out Windows software you previously bought and makes you pay to unlock it by upgrading to Windows Pro. — Tim Sweeney (@TimSweeneyEpic) February 7, 2017

     Source
  8. Avast Releases Three New Decryption Tools to Fight Ransomware

     There are now 14 anti-ransomware tools available from Avast.

     “In the past year more than 200 new strains of ransomware were discovered, it’s growth of in-the-wild samples two-folded, but the good news is that hundreds of millions of Avast and AVG users were protected against this popular threat,” reads a blog post signed by Jakub Kroustek, reverse engineer and malware analyst at Avast.

     The three new decryption tools address three different ransomware strains – HiddenTear, Jigsaw and Stampado/Philadelphia. Some solutions for these particular strains are already available, coming from other security researchers. Avast decided, however, that it is always best to have multiple options. That’s because these three strains are particularly active and frequently encountered, especially in the past few months. Since the encryption keys used update often, so must the decryption tools. In the end, whether it’s Avast’s tools or those made by other security researchers that work against the ransomware, it’s all for the same purpose.

     “Last but not least, we were able to significantly speed-up the decryption time, more precisely the password brute-force process, so e.g. some of the HiddenTear variants will be decrypted within minutes instead of days. The best results are achieved when decrypting files directly from the infected machine,” Kroustek writes.

     Decrypting HiddenTear

     HiddenTear has been around for a while and the code is actually hosted on GitHub. Given the fact that it is so present, many hackers have gone and tweaked the code and started using it. Encrypted files have a wide range of extensions: .locked, .34xxx, .bloccato, .BUGSECCCC, .Hollycrypt, .lock, .saeid, .unlockit, .razy, .mecpt, .monstro, .lok, .암호화됨, .8lock8, .fucked, .flyper, .kratos, .krypted, .CAZZO, .doomed, and more. After all the files are encrypted, a text file will appear on the user’s desktop.

     Decrypting Jigsaw

     Jigsaw was first spotted in the wild in March 2016, and many of its strains use the picture of the Jigsaw Killer from the movie of the same name in the ransom screen. Files encrypted after the computer was infected with Jigsaw will have one of the following extensions: .kkk, .btc, .gws, .J, .encrypted, .porno, .payransom, .pornoransom, .epic, .xyz, .versiegelt, .encrypted, .payb, .pays, .payms, .paymds, .paymts, .paymst, .payrms, .payrmts, .paymrts, .paybtcs, .fun, .hush. Keeping up with the movie script, the malware will delete a file per hour if you don’t pay up.

     Decrypting Stampado

     This particular ransomware has been around since August 2016, and it’s being sold on the dark web. Multiple versions have been circulating on the Internet; one of them is called Philadelphia. More often than not, Stampado adds the .locked extension to the encrypted files. Stampado will delete a new file every 6 hours unless you pay the ransom.

     Check out Avast’s list of anti-ransomware tools and see if you can find one to help you out.

     Source
  9. Cockrell Hill, Texas has a population of just over 4,000 souls and a police force that managed to lose eight years of evidence when a departmental server was compromised by ransomware.

     In a public statement, the department said the malware had been introduced to the department's systems through email. Specifically, it arrived "from a cloned email address imitating a department issued email address" and after taking root, requested 4 Bitcoin in ransom, worth about $3,600 today, or "nearly $4,000" as the department put it.

     It was at this point that the cops' backup procedures were tested and found to have failed to account for the mischief. When recovery was attempted, they realised they had only managed to back up the encrypted files.

     The cops then spoke to the FBI "and upon consultation with them it was determined there were no guarantees that the decryption file would actually be provided, therefore the decision was made to not go forward with the Bitcoin transfer and to simply isolate and wipe the virus from the servers".

     Guarantee or not, the criminals operating ransomware schemes often do indeed decrypt the hijacked files if victims pay up. This is simple economics: if the criminal has a reputation for receiving money without decrypting the files, then their victims will be discouraged from paying up, and this is all about the money.

     The ransomware is described as having "affected all Microsoft Office Suite documents, such as Word documents and Excel files. In addition, all body camera video, some in-car video, some in-house surveillance video, and some photographs that were stored on the server were corrupted and were lost."

     While the police state that the malware "was determined to be an 'OSIRIS' virus", no such virus actually exists. Instead, the police seem to have been confused by a new extension being used by the Locky ransomware, which renames the files it encrypts and gives them a .osiris extension.

     According to news channel WFAA, which broke the story, the department initially discovered the infection back in December, but had not gone public with the information. Instead, the news began to emerge "when the department began alerting defense attorneys that video evidence in some of their criminal cases no longer exists".

     Stephen Barlag, Cockrell Hill's police chief, said of the encrypted docs: "None of this was critical information." WFAA quoted J Collin Beggs, a criminal defence lawyer in Dallas, who said: "That depends on what side of the jail cell you're sitting," referencing a client of his, charged in a Cockrell Hill case involving some of the lost video evidence.

     Beggs bemoaned the loss of the video evidence, stating it was significant to his client and to others that the department has charged. "It makes it incredibly difficult if not impossible to confirm what's written in police reports if there's no video," Beggs said. "The playing field is already tilted in their favor enormously and this tilts it even more."

     Beggs said he has asked the FBI for proof that the computer virus incident happened. An FBI spokeswoman on Wednesday told News 8 that the bureau does not "confirm or deny the existence of an investigation."

     Updated to add: Stephen Barlag, chief of Cockrell Hill police, contacted The Register shortly after the publication of this article to let us know: "We have been or will be able to recover most if not all of our digital evidence. I am not aware of any criminal cases that will be dropped as a result of this virus."

     Source
  10. Hotel guests at a luxury resort in Austria were locked out of their rooms after it was targeted with ransomware by hackers, who broke into the organisation's electronic key system and disabled the electronic locking. And the hotel is one of just dozens in the area that have been targeted in this way, according to its managing director.

     The latest attack coincided with the opening weekend of the winter season when the hotel was fully booked, and forced the Romantik Seehotel Jaegerwirt resort in Austria to pay up the ransom of €1,500 in bitcoin in order to allow guests to return to their rooms, as well as restoring access to parts of the hotel that were also locked as a result. Fortunately, a standard safety feature of the automated system meant that guests could leave their rooms, although they would've been unable to get back in while the systems were down.

     Managing Director Christoph Brandstaetter told The Local: "The house was totally booked with 180 guests, we had no other choice. Neither police nor insurance help you in this case."

     However, it was the third time that the hotel has been targeted in this way, prompting Brandstaetter to finally conduct a clean sweep of the organisation's IT - finding a backdoor that the attackers had used in order to return and demand more money. "The restoration of our system after the first attack in summer has cost us several thousand Euros. We did not get any money from the insurance so far because none of those to blame could be found," he continued.

     A fourth attempt, according to Brandstaetter, was foiled because of the IT security upgrades the organisation took following the third successful attack. And to make sure it never happens again, when the hotel undergoes its next refurbishment Brandstaetter is planning to change the locks - to "old-fashioned door locks with real keys".

     Source
  11. A ransomware family named Netix (RANSOM_NETIX.A) is targeting users who use special applications to access hacked Netflix accounts, locking their files and demanding a ransom payment of $100. First discovered by Karsten Hahn of G Data and analyzed by the Trend Micro team, this ransomware is spread via an application named "Netflix Login Generator v1.1.exe," which when executed appears to provide the user with a Netflix username and password. Netflix Login Generator v1.1.exe app (via Trend Micro) These username and password combos never work, as the ransomware authors are just buying time to let the ransomware contained within the app perform its encryption. According to researchers, the ransomware targets only 39 file types, which is less than most other ransomware families, and it only goes after the files located in the user's "C:\Users" folder alone, and not the entire hard drive. The following file types are targeted for encryption: .ai, .asp, .aspx, .avi, .bmp, .csv, .doc, .docx, .epub, .flp, .flv, .gif, .html, .itdb, .itl, .jpg, .m4a, .mdb, .mkv, .mp3, .mp4, .mpeg, .odt, .pdf, .php, .png, .ppt, .pptx, .psd, .py, .rar, .sql, .txt, .wma, .wmv, .xls, .xlsx, .xml, .zip Under the hood, when the user executes "Netflix Login Generator v1.1.exe," the file extracts and drops another file named "netprotocol.exe" on the user's machine, which it executes immediately. This file is the actual Netix ransomware, which starts encrypting files with the AES-256 encryption algorithm, but only if the user's computer is running Windows 7 and Windows 10. After the encryption process ends, the ransomware contacts an online server, where it sends the infection ID and other details, but from where it also downloads the ransom notes it displays on the user's machine. The ransom notes are in the form of an image displayed as the user's desktop wallpaper, and a text file dropped on his PC. 
Netix desktop wallpaper (via Trend Micro) Netix ransom note (via Trend Micro) The ransomware asks for $100 as payment in the Bitcoin digital currency and invites users to visit a website in order to pay the ransom and receive their decryption key. Users can recognize Netix infections because the ransomware appends the .se extension at the end of all locked files. Is it worth it? "Does getting your important files encrypted worth the piracy?" the Trend Micro team asks. The answer is obviously no. Compared to past years, Netflix is now available in over 190 countries, and a monthly subscription costs between $9 and $15, depending on your country. Paying the $100 ransom to recover files locked by this threat is not a guarantee that users will get access back to their files either, as many ransomware families come with bugs that make a recovery impossible in some cases. Nowadays, crooks have understood that pirated apps are the easiest way to spread their payloads. You can be almost certain that any pirated app downloaded from torrent portals contains at least some sort of adware or infostealer, if not worse. Article source
  12. Yesterday, Brad Duncan, a Threat Intelligence Analyst for Palo Alto Networks Unit 42, wrote a blog article discussing how the EITest Chrome Font Update campaign is now distributing the Spora Ransomware. Previously, ProofPoint researcher Kafeine discovered this attack chain distributing the Fleercivet Ad Clicking Trojan, but with the popularity and successful revenue generation of ransomware, it is not surprising to see malware distributors testing this type of infection as well. As Spora diverges from most ransomware with the offering of a menu of different payment options, this could allow for a greater volume of payments compared to ransomware that only uses a single large ransom option. As I am concerned that many people will be tricked by this attack and become infected with Spora, I wanted to provide a description as to how this attack works so people can recognize and avoid it. How the Chrome Font Pack Update Attack Works In order to protect yourself from the current EITest Chrome Font Update attack, it is necessary to understand how the attack works. In order to implement this attack chain, the EITest actors first hack legitimate web sites and add JavaScript code to the end of the page. This code will cause the page to look like gibberish and then display a popup alert stating that Chrome needs a "Chrome Font Pack" in order to see the page properly again. An example of how this code looks in the source can be seen below. Injected JavaScript Source: malware-traffic-analysis.net When a visitor goes to this page, the script will scramble the text of the page so it's not readable and then display a pop-up alert that states the page is not displaying properly because the "HoeflerText" font is missing. It then prompts you to click on the Update button in order to download the "Chrome Font Pack" as seen below. 
Fake Google Font Pack Prompt Source: malware-traffic-analysis.net When a user clicks on the Update button, the popup will automatically download a file called Update.exe and save it to the default download folder. The criminals will then show you a "helpful" screen that tells you how you can find and execute the program. Instructions on how to Execute the Update.Exe Program Source: malware-traffic-analysis.net The good news is this downloaded program is not automatically started and a victim must manually execute the program to become infected. The EITest gang are hoping that by pretending it is a Google Font for Chrome, they can trick people into actually running the file. Once a victim actually double-clicks and executes the file, the crap hits the fan and the computer becomes infected. In the previous Chrome Pack campaign, the Update.exe was called Chrome_Font.exe and would install the Ad Clicking Trojan called Fleercivet. In this round, EITest has changed the filename to Update.exe, which is actually the installer for the Spora Ransomware. Once this executable is launched, Spora will begin to encrypt a victim's data and most data files will become encrypted and unusable. When finished encrypting a victim's files, Spora will display a ransom note similar to this one, where a victim can login to the Spora payment site and determine the ransom amount or make payments. Spora Ransom Note Unfortunately, at this time there is no way to decrypt the files encrypted by Spora Ransomware for free. For those who need help with this infection or just want to discuss it, you can use the dedicated Spora Ransomware Support and Help Topic. What everyone should take away from this is that if you see a popup on a page stating that you need to download a Chrome Font Pack, you should immediately close the browser and not visit the site again. An alert like this is just an indication that something is not right with the site and it should be avoided. 
Sample of Update.exe: https://www.virustotal.com/en/file/d5a1c143b07475b367d2e12ff72fe5a3ec59c42fa11ae2d3eb2d4e76442e60b3/analysis/ Article source
  13. In this week’s Tales From Ransomware, we take a look at a ransomware that isn’t really ransomware. Nor even malware. But it can hijack your server anyway. A few days ago we saw a typical Remote Desktop Protocol (RDP) attack, which led us to believe that it was a similar attack to the one we told you about a few months ago which cybercriminals are using to infect devices with ransomware. But we were very wrong. First of all because instead of encrypting data, it locks the desktop with a password that the victim doesn’t know. Secondly, it does not demand a ransom (!) in exchange for the credential, but rather seeks to keep the device locked for as long as possible so that it can be used for bitcoin mining for as long as possible. And thirdly, it doesn’t use malware as such. Once they’ve gained access to your machine by brute force (this particular server was fielding 900 attempts daily) the attacker copies a file called BySH01.zip. This in turn contains: BySH01.exe (executable through AutoIt) 7za.exe (goodware, the well-known free tool 7zip) tcping.exe (goodware, a tool for performing TCP pings) MW_C.7z (a compressed password-protected file), which contains: An application –goodware for bitcoin mining An application –goodware for blocking the Windows desktop The attacker runs the BySH01.exe file, and the following interface appears: Кошелек – Wallet; Имя воркера – User Name; Количество ядер – Number of cores; Пароль – Password; Локация – Location; Пусть установки – Installation path; Расширения системы – Processor Extension; Порт – Port; Добавить в автозагрузку – Add to startup; Установить – Install; Удалить – Delete; Тест – Test; Пинг – Ping; Локер – Locker With the help of our colleagues at Panda Russia, those of us who don’t know Russian can get an approximate idea of what it's telling us with the above word list. 
Basically, the bitcoin mining application uses this interface to configure how many cores to use, what extension of processor instructions to use, what “wallet” to send the bitcoins to, etc. Once the desired configuration is selected, the attacker clicks on Установить to install and run the bitcoin mining application. The application is called CryptoNight, which was designed for mining bitcoins using CPUs. Then they click on Локер, which installs and runs the desktop lock application. It is the commercial application Desktop Lock Express 2, modified only so that the information shown in the properties of the file is the same as that of the system file svchost.exe. Finally it clears all the files used in the attack except CryptoNight and Desktop Lock Express 2. Desktop Lock Express 2, the application used by the attackers. We detected and blocked several attacks in different countries. Examples such as this one show how, once again, cybercriminals take advantage of weak passwords that can be guessed using the brute force method over a given period of time. Malware is no longer necessary to gain access to the system, so it’s up to you to use a robust password that will keep out unwanted visitors. Tips for the System Admin In addition to using a solution like Adaptive Defense, which detects and prevents this kind of attack, a couple of tidbits of advice for all administrators who have to have an open RDP: Configure it to use a non-standard port. What 99.99% of cybercriminals do is track all Internet on TCP and UDP ports 3389. They might bother to track others, but they do not have to, since most do not change these ports. Those who do change ports do so because they are careful about security, which probably means that their credentials are already complex enough to not be gotten by brute force within any reasonable amount of time. Monitor failed RDP connection attempts. 
Brute force attacks can easily be identified in this way, since they use automated systems and can be seen making a new attempt every few seconds. Article source
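The second tip above, watching failed RDP connection attempts, is the one a defender can turn into a concrete check. The following is an added example, not code from Panda or from the post: it runs a sliding-window counter over a few constructed log lines written in a simplified key=value rendering of the Windows Security event 4625 (logon failure), where LogonType 10 is the RemoteInteractive type used by RDP. The format of the sample lines, the `detect_rdp_bruteforce` and `failures_per_source` names, the thresholds, and the 203.0.113.x addresses (a documentation range) are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real log entries). Each line renders one
# Windows Security event as key=value pairs: 4625 = failed logon,
# 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2017-02-01T10:00:01Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=administrator
2017-02-01T10:00:04Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=admin
2017-02-01T10:00:07Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=Administrator
2017-02-01T10:00:10Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=user
2017-02-01T10:00:13Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=backup
2017-02-01T10:00:16Z EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=root
2017-02-01T10:02:00Z EventID=4625 LogonType=2 IpAddress=- TargetUserName=jsmith
2017-02-01T10:30:00Z EventID=4625 LogonType=10 IpAddress=203.0.113.77 TargetUserName=jsmith
2017-02-01T10:31:00Z EventID=4624 LogonType=10 IpAddress=203.0.113.77 TargetUserName=jsmith
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<event>\d+)\s+LogonType=(?P<ltype>\d+)"
    r"\s+IpAddress=(?P<ip>\S+)\s+TargetUserName=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one sample line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": int(m["event"]),
        "logon_type": int(m["ltype"]),
        "ip": m["ip"],
        "user": m["user"],
    }


def is_rdp_failure(ev):
    """Only failed logons of the RemoteInteractive (RDP) type count."""
    return ev is not None and ev["event"] == 4625 and ev["logon_type"] == 10


def detect_rdp_bruteforce(lines, threshold=5, window_seconds=60):
    """Raise one alert per source IP that produces `threshold` or more failed RDP
    logons inside a sliding window of `window_seconds`. A single human mistyping
    a password stays well under that rate; an automated guesser does not."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username) in the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if not is_rdp_failure(ev):
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({
                "ip": ev["ip"],
                "failures": len(q),
                "users": sorted({u for _, u in q}),  # many distinct names = password spraying
                "first": q[0][0],
                "last": ev["ts"],
            })
    return alerts


def failures_per_source(lines):
    """Plain per-IP tally of failed RDP logons, the figure the post quotes as '900 attempts daily'."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if is_rdp_failure(ev):
            counts[ev["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failed RDP logons per source:", failures_per_source(lines))
    for a in detect_rdp_bruteforce(lines):
        print(f"ALERT {a['ip']}: {a['failures']} failures between {a['first']} and {a['last']}, "
              f"usernames tried: {', '.join(a['users'])}")
```

Moving RDP to a non-standard port, as the first tip suggests, does not change these events at all: a guesser that does find the port still produces a burst of 4625/LogonType 10 failures from one address, so the same detection applies. In practice the lines would come from the Security event log (via a collector or SIEM) rather than from a string constant, and the threshold would be tuned to the environment; only the parser needs to change.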
  14. Bitdefender 2017 Build

Overview:
The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward BitDefender outstanding results through numerous prizes and certifications are: Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark, PC World Top 100, just to name but a few.

Homepage: https://www.bitdefender.com/
Changelog: https://forum.bitdefender.com/index.php?/topic/74787-latest-changelog/

A new Bitdefender Classic Line product update has been released with the following details:

Affected software:
  • Bitdefender Total Security 2017
  • Bitdefender Internet Security 2017
  • Bitdefender Antivirus Plus 2017

Platform: x86, x64
Version:

This version fixes the following issues:
  • Fixed a crash caused by the Update module
  • Fixed a rare crash caused by SafePay
  • Fixed an issue with the Firefox extension signatures
  • Fixed an issue causing the Bitdefender window to shift to the right
  • Fixed an issue causing the Wallet to prompt for the account on the same browser session
  • Fixed an issue where the Agent failed to stop
  • Fixed an issue where the Wallet would display empty lists when scrolling down the menu
  • Fixed a rare crash causing vsserv to crash
  • Fixed a crash caused by SafePay
  • Fixed a crash caused by the Agent
  • Fixed an issue causing the Agent not to deploy properly
  • Fixed an issue where the Custom Scan would not start at the proper time
  • Fixed an issue where the email archives would be purged from the Quarantine
  • Fixed a rare issue causing the Uninstaller to crash
  • Fixed an issue where the Security Report would show the improper period
  • Fixed an issue where the product would revert the default language to English after a repair
  • Fixed an issue where SafePay would not keep the zoom settings from the previous session
  • Fixed an issue causing SafePay to be unable to open PDF files

The following improvements were included:
  • The product now complies with the Microsoft DSA requirements
  • Several improvements to the install engine
  • Improved repair process
  • Several improvements to the On-Access engine
  • Product interface fixes and improvements
  • Improved SafePay's functionality
  • Several improvements to the product's self-defense mechanism
  • Improved the way the Support Tool gathers Bitdefender related information
  • Improvements to the Firewall engine
  • Improved Wallet's compatibility with several websites
  • Added support for the Polish language
  • Some improvements to the event engine
  • Improved the way the product handles remote tasks (example: system scan from Central)
  • Improved the way the product integrates with the Windows start-up process
  • Some improvements to the Update engine

KB is unavailable at this time.

Downloads:

Online Installers:
Bitdefender Antivirus Plus 2017
  Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
  XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe
Bitdefender Internet Security 2017
  Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
  XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe
Bitdefender Total Security 2017
  Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
  XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe

Offline Installers and Install Guide:
Checksum - 19 Jan 2017 Offline Installer Update:

bitdefender_ts_21_32b.exe (application/octet-stream) - 386983608 bytes
  MD5: 0444b93b3942f8f08a3cace4915290b3
  SHA-1: d868a81dd02632716216671da19b928bc20fe91c
  SHA-256: f9f6c543d7e31c3289f43e0e9f85e279c0825a3df66eb7639ba496ba49535189
  SHA-384: d5e643be48251de5dd77bb52318b6e1028668161630e51b1d1695864b52c469b3af02ff04e05c4d7ae3c2c89e026b8aa
  SHA-512: b612ff33eb172ff7ce2978399fc706aa91fee712124ed7a91c17bf52c183a1aeda1901c2558945462271e44261b2e86187b27082fb5b35f4363f4ede78fb5474

bitdefender_ts_21_64b.exe (application/octet-stream) - 428227776 bytes
  MD5: d9640741f295a8f4830b193108a164f6
  SHA-1: 81906a9ade33889f2ccb1c2c0b2e0939ff1fe9ef
  SHA-256: c225869fd8175ccd8dfa1c9226ed466ec3795c5049dfed5e99e2cfaa871e47f2
  SHA-384: 0057846870499ceb5407a81a8ff883c1f46c18afcc911b277b8f68ef02c1dff3f1cba479e9a5b61fe2a033de6c273e02
  SHA-512: b0211315a8418fa7115a354db61b50a73d522ef3b6404f7cfd6cf0e7651b987dd9656fe8db9d680ee31f93048f1f5bcd47dccb34f42cf174a9e8a62597b3bc25

Bitdefender 2017 Offline Installation Guide:
  15. Security researcher Michael Gillespie has developed a new Windows app to help victims of ransomware infections. Named CryptoSearch, this tool identifies files encrypted by several types of ransomware families and provides the user with the option to copy or move the files to a new location, in hopes that a decrypter that can recover the locked files will be released in the future. Gillespie developed the app as a recovery and cleaning utility for computers that have been infected by undecryptable ransomware strains. In these cases, it is impossible for PC owners to recover locked files, so the best course of action is to move all the encrypted data to a backup drive and wait until security researchers find a way to break the ransomware's encryption. Gathering all encrypted files is a different story. Ransomware works by encrypting file types, and not folders, so victims usually have encrypted files spread all over their PC, not in a few central locations. This is where CryptoSearch comes to help, by automating this search process, and the movement of these files to a new location. Once this operation finishes and PC owners have a backup of the encrypted data, they can clean up the computer by removing the ransomware's file, or optionally, wiping the hard drive and reinstalling the entire OS. CryptoSearch works together with ID Ransomware Under the hood, CryptoSearch works in tandem with the ID Ransomware service, meaning you have to be online when running the app. According to Gillespie, CryptoSearch will query the ID Ransomware service in order to retrieve data needed to identify the type of ransomware that has locked the user's PC. "This program is powered by my service ID Ransomware, and thus is always updated with definitions on the latest known ransomwares and their signatures," Gillespie wrote today on the Bleeping Computer forums, where he officially launched the app. 
"When CryptoSearch is first launched, it will contact the website, and pull down the latest information on known extensions and byte patterns," Gillespie added. "It will identify files by known filename pattern or extension, or for some variants, the hex pattern in the encrypted file." CryptoSearch uses this database to search the local file system, identify the ransomware infection, and then find all files locked by that ransomware. Once CryptoSearch has identified all files, the user is prompted via a menu and asked if he wants to move or copy the files, and then asked where to relocate the encrypted data. Gillespie says that CryptoSearch is smart in the way it transfers files, keeping the initial folder structure. For example, files found in "C:\Test\Folder" will be moved to "J:\Backup\C\Test\Folder" CryptoSearch is currently in a beta development stage, meaning more features will arrive in the future. One of the currently requested features is an "offline mode" that will include static copies of the ID Ransomware database so that CryptoSearch could be used on computers not connected to the Internet. Users asked for this feature because it's a standard practice in the case of ransomware infections to isolate computers by taking them offline. There's no timeline for this feature, so you'll have to keep an eye on Gillespie's Twitter feed or the CryptoSearch Bleeping Computer forum topic. CryptoSearch can be downloaded from here. Article source
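The post describes three things CryptoSearch does: identify locked files by extension, filename pattern or a byte pattern at the start of the file, group them by family, and copy or move them to a backup location while preserving the original folder structure (so "C:\Test\Folder" lands under "J:\Backup\C\Test\Folder"). The code below is an added example of that workflow in Python; it is not CryptoSearch's code or Gillespie's, and it does not talk to ID Ransomware. It assumes a small signature table of its own: the .se and .karma extensions and the "# DECRYPT MY FILES #" note names are values reported by other posts on this page (the Netix and Karma items), while "ExampleLocker" and its marker bytes are a made-up placeholder, not a real family. The function names (`identify_file`, `scan_tree`, `relocated_path`, `relocate`, `build_demo_tree`) and the demo directory layout are also assumptions made for the example.

```python
import os
import shutil
import tempfile
from pathlib import PureWindowsPath

# Constructed signature table in the three shapes the post describes: a known
# extension, a known ransom-note filename, or a byte pattern at file start.
# .se, .karma and the note names come from other posts on this page;
# "ExampleLocker" and its magic bytes are a placeholder, not a real family.
SIGNATURES = {
    "Netix": {"extensions": (".se",), "notes": (), "magic": None},
    "Karma": {"extensions": (".karma",),
              "notes": ("# DECRYPT MY FILES #.txt", "# DECRYPT MY FILES #.html"),
              "magic": None},
    "ExampleLocker": {"extensions": (), "notes": (), "magic": b"EXAMPLE-LOCKER\x00"},
}
HEADER_BYTES = 32   # how much of each file is read for the byte-pattern check


def identify_file(name, head):
    """Return (family, kind) where kind is 'note' or 'encrypted', or None if no match."""
    lower = name.lower()
    for family, sig in SIGNATURES.items():
        if lower in (n.lower() for n in sig["notes"]):
            return family, "note"
        if any(lower.endswith(ext) for ext in sig["extensions"]):
            return family, "encrypted"
        if sig["magic"] and head.startswith(sig["magic"]):
            return family, "encrypted"
    return None


def scan_tree(root):
    """Walk root and group matching files as {family: {kind: [relative paths]}}.
    Ransomware encrypts by file type, not by folder, so the whole tree is walked."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(HEADER_BYTES)
            except OSError:
                continue   # unreadable file: skip it rather than abort the scan
            hit = identify_file(name, head)
            if hit:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                found.setdefault(hit[0], {}).setdefault(hit[1], []).append(rel)
    for kinds in found.values():
        for paths in kinds.values():
            paths.sort()
    return found


def relocated_path(src, dest_root):
    """Map a Windows path to its backup location, keeping the folder structure
    under a drive-letter directory, e.g. C:\\Test\\Folder\\x -> J:\\Backup\\C\\Test\\Folder\\x."""
    p = PureWindowsPath(src)
    drive = p.drive.rstrip(":")
    return str(PureWindowsPath(dest_root) / drive / p.relative_to(p.anchor))


def relocate(root, found, dest_root, move=False):
    """Copy (default) or move every matched file under dest_root, mirroring its
    layout below root. Copying first and moving later is the safer order."""
    out = []
    for kinds in found.values():
        for rel in sum(kinds.values(), []):
            src = os.path.join(root, *rel.split("/"))
            dst = os.path.join(dest_root, *rel.split("/"))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            (shutil.move if move else shutil.copy2)(src, dst)
            out.append(dst)
    return sorted(out)


def build_demo_tree():
    """Create a throwaway directory of constructed files for a dry run."""
    root = tempfile.mkdtemp(prefix="cryptosearch_demo_")
    os.makedirs(os.path.join(root, "pics"))
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "pics", "holiday.jpg.se"), "wb") as f:
        f.write(b"\x00" * 64)                      # "locked" by extension only
    with open(os.path.join(root, "docs", "report.docx.karma"), "wb") as f:
        f.write(b"\x00" * 64)
    with open(os.path.join(root, "docs", "# DECRYPT MY FILES #.txt"), "w") as f:
        f.write("constructed ransom note\n")
    with open(os.path.join(root, "docs", "todo.txt"), "w") as f:
        f.write("untouched file\n")                # must not be picked up
    with open(os.path.join(root, "backup.bin"), "wb") as f:
        f.write(b"EXAMPLE-LOCKER\x00" + b"\x00" * 40)   # matched by byte pattern
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    found = scan_tree(root)
    for family, kinds in found.items():
        print(family, kinds)
    for dst in relocate(root, found, os.path.join(root, "_backup")):
        print("copied to", dst)
    print(relocated_path(r"C:\Test\Folder\photo.jpg.karma", r"J:\Backup"))
```

The byte-pattern check reads only the first few bytes of each file, which is what makes a whole-disk walk affordable; the real tool's patterns and offsets come from ID Ransomware, which is why the post notes it must be online. Ransom notes are kept alongside the encrypted data on purpose: a future decrypter may need the note's ID or key material, so they should travel with the backup.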
  16. A new law that took effect in California on January 1, 2017 punishes conviction of distributing ransomware with a prison sentence of up to four years. In the past, ransomware cases were tried under existing extortion statutes. According to the bill's sponsor, California State Senator Bob Hertzberg, "This legislation provides prosecutors the clarity they need to charge and convict perpetrators of ransomware." Source
  17. A new kind of ransomware comes with its own "referrals" program, one that you probably wouldn't want to join. The malware dubbed "Popcorn Time" locks your Windows computer's files with strong AES-256 encryption, until you pay a ransom of one bitcoin (or $780 at the time of writing). "We are extremely sorry that we are forcing you to pay but that's the only way that we can keep living," said the ransomware note. Source
  18. Ransomware Attacks To Decrease In 2017 Ransomware is expected to deflate a bit next year, but hackers won’t be resting on their laurels, that’s for sure. Instead, they might just move to dronejacking, for a "variety of criminal or hacktivist purposes". This is according to McAfee Labs, whose new report, the McAfee Labs 2017 Threats Predictions Report, identifies 14 cyber-security trends to watch in 2017. Based on the opinions of 31 Intel Security thought leaders, the report says we can expect a decrease in both volume and effectiveness of ransomware in the second half of 2017. Windows vulnerability exploits will also continue downwards, but infrastructure and virtualization software attacks will increase. So will attacks against hardware and firmware. Attacks against mobile devices will be a combination of mobile device locks and credential theft, allowing attackers access to information such as credit cards. IoT malware could open up backdoors into the connected home -- backdoors which could stay undetected for years. Also, we can expect to see hijackings of drones, or as the report puts it -- Dronejackings. "To change the rules of the game between attackers and defenders, we need to neutralize our adversaries' greatest advantages", says Vincent Weafer, vice president of Intel Security’s McAfee Labs. “As a new defensive technique is developed, its effectiveness increases until attackers are compelled to develop countermeasures to evade it. To overcome the designs of our adversaries, we need to go beyond understanding the threat landscape to changing the defender-attacker dynamics in six key areas: information asymmetry, making attacks more expensive, improving visibility, better identifying exploitation of legitimacy, improving protection for decentralized data, and detecting and protecting in agentless environments". The full report can be found on this link (PDF). Published under license from ITProPortal.com, a Future plc Publication. All rights reserved. 
Source
  19. Kaspersky Labs has also developed a decryptor tool based on the master keys. ESET security researchers have created and released a free decryption tool to combat Crysis ransomware based on the malware's master decryptor keys that were made public earlier this month. ESET's decryption tool, which joins one developed by Kaspersky Labs, uses information released on Pastebin and first reported by Bleeping Computer. The security firm has detected variants of Crysis appearing in 123 countries since it was released in May 2016 with people in France, Spain and Brazil being victimized most frequently. Cybercriminals use a variety of methods to spread the malware, including spam and infected ads found on social networks. Bleeping Computer founder Lawrence Abrams believes the decryptor master keys posted on Pastebin are possibly from the malware's creator because they contain the C header files. Article source
  20. Microsoft warns internet users about Amazon emails that try to infect computers with ransomware. With Black Friday and Cyber Monday coming up, cybercriminals hope more users are susceptible to opening an attachment coming from a popular online retailer. In this case the malicious emails appear to be from Amazon and state that the order has been sent out. The criminals behind the scam have tried to make the mail look as legitimate as possible and the mail has a .ZIP file attached that ‘contains information about the order’. In reality it contains a JavaScript file with obfuscated code that is known as Nemucod, a Trojan downloader that will download the Locky ransomware to the computer, which will start to encrypt files on the computer. “We see it every year: social engineering attacks that take advantage of the online shopping activities around Black Friday and Cyber Monday, targeting customers of online retailers”, Duc Nguyen and Wei Li write in a blog on Microsoft’s website. As usual, Microsoft advises to not open emails and especially attachments from unknown addresses. Amazon also has a helpful page that can assist in distinguishing between a legitimate and a fake email from the online retail giant. Article source
  21. Nathan Scott, a malware analyst for Malwarebytes, was able to crack the encryption system used by the Telecrypt ransomware, discovered two weeks ago by researchers from Kaspersky Lab. The peculiar feature that made this threat unique was the ransomware's command and control (C&C) client-server communications channel, for which the operators chose to use the Telegram protocol, instead of HTTP or HTTPS like most ransomware does these days. This made Telecrypt stand out, albeit its threat vector was low, since it only targeted Russian users with its first version, and only bothered showing the ransom note in Russia alone. Telecrypt ransom note (via Kaspersky Lab) You can get the Telecrypt ransomware decryptor created by Malwarebytes from this Box link. Inside it you'll find two files: the decrypter itself and a text file with usage instructions. The decryptor's interface is self-explanatory, but make sure to read the usage instructions first. The decryptor needs to run as the system administrator. In modern Windows versions, you can right-click it and select "Run as Administrator" from the drop-down menu. In older Windows versions you need to right-click the file, choose Properties, then the Compatibility tab, and select the "Run This Program As An Administrator" option. Telecrypt Decryptor To run the Telecrypt decryptor, victims need a good and an encrypted version of the same file, so the decryptor can determine the ransomware's encryption key. You can find unencrypted versions of your files in email accounts, file syncing services (Dropbox, Box), or from older system backups if you made any. After the decryptor finds the encryption key, it will then present the user with the option to decrypt a list of all encrypted files, or from one specific folder. 
Telecrypt keeps a list of all encrypted files at "%USERPROFILE%\Desktop\База зашифр файлов.txt" Scott is the second Malwarebytes employee that cracked a ransomware in the past two days after hasherezade released a decryptor for the Princess Locker ransomware yesterday. Article source
  22. Proofpoint researchers spotted a ransomware dubbed Ransoc that uses bold tactics to target and extort pedophiles and torrent users. While anyone with an unsecured machine may be infected, Ransoc scrapes Skype and social media profiles for personal information while it scans files and torrents for potentially sensitive information, including strings associated with child pornography in an attempt to gain more leverage on the victims who may have child pornography or other illegal files, according to a Nov 14 blog post. The ransomware is spread via malvertising primarily fed by the Plugrush and Traffic Shop traffic exchanges on adult websites and looks to infect Internet Explorer on Windows and Safari on OS X. Once a user is infected the malware uses a screen locker displaying information from the victim's social media and may display a customized “Penalty Notice” if the malware believes it has spotted illegal files on a user's device. The notice also threatens to take the victim to trial and to publicly release all of the files collected by the ransomware if the victim doesn't pay. Researchers noted in the blog that the ransomware is targeting the victim's reputation rather than their files. The malware also attempts to encourage payment by telling users their ransom will be refunded if the victim isn't caught again within 180 days. The collection method also displayed the confidence level that the malware's authors have, as it requests credit card information, which is easier for authorities to trace than Bitcoin or other crypto currencies. Researchers said in the post that this implies the attackers are confident victims would rather pay the ransom. “This ransomware is unique in how it functions and the sorts of information it collects,” Proofpoint's Threat Operations Center Vice President Kevin Epstein told SC Media via emailed comments. “It's blackmail-ware rather than hostage-ware.” Source
  23. A new spam wave posing as emailed fax messages is delivering a malware downloader that fetches and installs a ransomware family known as PClock, a CryptoLocker clone. The ransomware, detected by Microsoft as Ransom:Win32/WinPlock.B or WinPlock, is more commonly referred to under the name of PClock and has been going around since January 2015, when users first complained about it on the Bleeping Computer forums. Emsisoft security researcher Fabian Wosar was able to create a decrypter for the earlier versions that allowed users to unlock their files for free. By May 2015, the PClock team updated their code and broke the decrypter. After that point, PClock victims could only restore their files from backup files or by paying the ransom. PClock resurfaces with new spam wave Since then, the number of infections with PClock has been low but steady. Microsoft's security team recently picked up a spike in activity from the group's operators. In their most recent spam campaign, the ransomware's creators are using emails disguised as fax messages, using a subject such as "PLEASE READ YOUR FAX T6931." The title is boring and mundane, but the email contains a file named "Criminal case against you," which might get some users' attention. PClock installed via Crimace trojan This RAR archive contains a WSF file. When users download and open the archive, and execute the WSF file, a JScript function starts a series of operations that download and install a malware known as Crimace, detected as TrojanDownloader:JS/Crimace.A. This threat is a malware downloader, a trojan that connects to an online server and downloads and runs other malware. In this case, it was PClock. If we take a look at the screenshots posted on the Bleeping Computer forums in January 2015, and the screenshots taken by Microsoft, we see that PClock hasn't evolved, at least visually, at all. 
PClock January 2015 variant PClock November 2016 variant (Source: Microsoft) PClock November 2016 variant (Source: Microsoft) The ransomware has remained at the same level of sophistication, still posing as a CryptoLocker clone, even if other more dangerous ransomware families have emerged in the meantime. PClock still an entry-level operation Furthermore, PClock's operators have yet to figure out how to host a decryption service on the Dark Web, the standard method for dealing with decryption operations, preferred by most high-end ransomware threats. After almost two years in the wild, PClock has remained an entry-level operation, requiring victims to get in contact with PClock's authors via email, a cumbersome and time-consuming task. The only thing that has changed is the number of targeted files. Initial PClock variants targeted only 100+ file types for encryption, while the most recent variant targets a whopping 2,630 file types. Article source
  24. A security researcher named slipstream/RoL has discovered the Karma Ransomware, which pretends to be a Windows optimization program called Windows-TuneUp. What is worse is that this sample was discovered as software that would potentially be distributed by a pay-per-install software monetization company when people install free software downloaded from the Internet. I have been railing against adware and PUA purveyors for quite some time and this continues to show how dangerous bundled software is becoming. If a user downloads and installs a free program that is monetized by this software monetization company, they would possibly be greeted with an offer for a Windows optimization program called Windows-TuneUp. While many people know these types of programs are not ones you want on your computer, there are unfortunately many who do not realize this. These people would then accept the offer thinking they are getting a program that will help optimize their slow computer. When the program runs, they will be presented with a screen that shows various performance stats and tools to supposedly increase the performance of their computer. Also, if they had gone to the program's web site they would have been shown a web page that appears to look like a legitimate software company. Windows-TuneUp Web Site Unfortunately, this is just a ruse and while the victims are playing with the fake program or reading the website, the program is silently encrypting the data on the computer and its connected drives. It is not until they are shown the Karma Ransomware's ransom note that they realize they have been tricked and that their computer has a serious problem. Karma Ransomware Ransom Note The good news is that this ransomware was very short-lived and the Command & Control server has already been shut down. Therefore, even if this ransomware is still being distributed, victims will not become infected. 
It does, though, provide a very important lesson, which is that anyone who downloads free software over the Internet should decline any offers that may be presented. In my experience, any offers being presented by free downloads are just not worth the headache they may present and should simply be avoided. Try instead to only download programs that are adware and PUP free. How the Karma Ransomware Encrypts a Computer For a more technical dive, when Karma is first executed it checks if the program is running on a virtual machine. If it is, it would terminate the program and state it is not compatible with the computer. If it does not detect a virtual machine, it would connect to the Command & Control server to retrieve the encryption key that would be used to encrypt the victim's files. It will then search all drives, including connected network drives, for certain file types to encrypt. The targeted file extensions are: .1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3gp2, .3gpp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accda, .accdb, .accdc, .accde, .accdr, .accdt, .accdu, .accdw, .ace, .ach, .acr, .act, .adb, .ade, .adn, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .amr, .aoi, .apj, .apk, .arj, .arw, .asax, .ascx, .asf, .ashx, .asm, .asmx, .asp, .aspx, .asset, .asx, .atb, .au, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .bsa, .bz, .bz2, .c, .caf, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .cshtml, .csl, .csproj, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des, .design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .dochtml, .docm, .docx, .docxml, .dot, .dothtml, .dotm, .dotx, .drf, .drw, .dsw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .fdf, .ffd, 
When it encounters one of the targeted file types, it would encrypt it using AES encryption and append the .karma extension to the filename. For example, test.jpg would become test.jpg.karma. While encrypting files, it would skip all folders that contain the following strings:

\$recycle.bin\
\$windows.~bt\
\boot\
\drivers\
\program files\
\program files (x86)\
\programdata\
\users\all users\
\windows\
\appdata\local\
\appdata\locallow\
\appdata\roaming\
\public\music\sample music\
\public\pictures\sample pictures\
\public\videos\sample videos\
\tor browser\

Finally, when it is done encrypting the files, it will create ransom notes on the Desktop called # DECRYPT MY FILES #.html and # DECRYPT MY FILES #.txt and display them. Last, but not least, it will create a Scheduled Task which will automatically start Windows-TuneUp.exe after it has been closed. This scheduled task is called pchelper.
Files associated with the Karma Ransomware

Windows-TuneUp.exe

Registry entries associated with the Karma Ransomware

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer "auth"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "Saffron" = "%Desktop%\\# DECRYPT MY FILES #.html"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "Safron" = "%Desktop%\\# DECRYPT MY FILES #.txt"

IOCs:

SHA256: 6545ae2b8811884ad257a7fb25b1eb0cb63cfc66a742fa76fd44bddd05b74fe8
SHA256: cf5fda29f8e1f135aa68620ce7298e930be2cb93888e3f04c9cd0b13f5bc4092

Network Communication:

karma2xgg6ccmupd.onion
windows-tuneup.com/web293/xUser.php

Article source
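As an added example (not code from the post or from the article it reproduces), a read-only PowerShell triage script that checks a Windows host for the indicators listed in the post: the pchelper scheduled task, the Saffron/Safron Run values and the Explorer "auth" value, the ransom notes, encrypted .karma files, and Windows-TuneUp.exe hashed against the two SHA256 IoCs. Searching %TEMP% and the Downloads folder for the dropper is an assumption, since the post does not say where the binary is written.

```powershell
# Added host-triage example; not code from the original post or article.
# Read-only: nothing is modified. Run from an elevated prompt so HKLM and
# every user profile are readable. Staging paths for the dropper are assumed.
$findings = @()

# Persistence: the 'pchelper' task that relaunches Windows-TuneUp.exe
$task = Get-ScheduledTask -TaskName 'pchelper' -ErrorAction SilentlyContinue
if ($task) {
    $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join ' '
    $findings += "Scheduled task 'pchelper' present, runs: $exe"
}

# Run values that reopen the ransom notes at logon, and the Explorer 'auth' value
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'Saffron', 'Safron') {
    $v = (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($v) { $findings += "Run value '$name' = $v" }
}
$explorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
if (Get-ItemProperty -Path $explorerKey -Name 'auth' -ErrorAction SilentlyContinue) {
    $findings += "Explorer value 'auth' present"
}

# Ransom notes on each user's Desktop, plus a sample of encrypted files per profile
$notes = '# DECRYPT MY FILES #.html', '# DECRYPT MY FILES #.txt'
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    foreach ($note in $notes) {
        $p = Join-Path $userDir.FullName "Desktop\$note"
        if (Test-Path -LiteralPath $p) { $findings += "Ransom note: $p" }
    }
    Get-ChildItem -LiteralPath $userDir.FullName -Recurse -Filter '*.karma' -File -ErrorAction SilentlyContinue |
        Select-Object -First 5 | ForEach-Object { $findings += "Encrypted file: $($_.FullName)" }
}

# Dropper binary: hash every Windows-TuneUp.exe found against the IoC hashes from the post
# (assumed staging locations: %TEMP% and the current user's Downloads folder)
$iocHashes = '6545AE2B8811884AD257A7FB25B1EB0CB63CFC66A742FA76FD44BDDD05B74FE8',
             'CF5FDA29F8E1F135AA68620CE7298E930BE2CB93888E3F04C9CD0B13F5BC4092'
Get-ChildItem -Path $env:TEMP, "$env:USERPROFILE\Downloads" -Recurse -Filter 'Windows-TuneUp.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        if ($iocHashes -contains $h) { $findings += "Known Karma sample: $($_.FullName)" }
        else { $findings += "Windows-TuneUp.exe present, hash $h not in IoC list: $($_.FullName)" }
    }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No Karma indicators found.' }
```

A Windows-TuneUp.exe whose hash is not one of the two published IoCs is still reported, since the post only lists two samples and a repacked build would hash differently.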