Search the Community

Showing results for tags 'ransomware'.



Found 207 results

  1. Bitdefender 2017 Build 21.0.23.1101

     Overview: The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward BitDefender outstanding results through numerous prizes and certifications are: Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark, PC World Top 100, just to name but a few.

     Homepage: https://www.bitdefender.com/
     Changelog: https://forum.bitdefender.com/index.php?/topic/74787-latest-changelog/

     A new Bitdefender Classic Line product update has been released with the following details:

     Affected software: Bitdefender Total Security 2017, Bitdefender Internet Security 2017, Bitdefender Antivirus Plus 2017
     Platform: x86, x64
     Version: 21.0.23.1101

     This version fixes the following issues:
       • Fixed a crash caused by the Update module
       • Fixed a rare crash caused by SafePay
       • Fixed an issue with the Firefox extension signatures
       • Fixed an issue causing the Bitdefender window to shift to the right
       • Fixed an issue causing the Wallet to prompt for the account on the same browser session
       • Fixed an issue where the Agent failed to stop
       • Fixed an issue where the Wallet would display empty lists when scrolling down the menu
       • Fixed a rare crash causing vsserv to crash
       • Fixed a crash caused by SafePay
       • Fixed a crash caused by the Agent
       • Fixed an issue causing the Agent not to deploy properly
       • Fixed an issue where the Custom Scan would not start at the proper time
       • Fixed an issue where the email archives would be purged from the Quarantine
       • Fixed a rare issue causing the Uninstaller to crash
       • Fixed an issue where the Security Report would show the improper period
       • Fixed an issue where the product would revert the default language to English after a repair
       • Fixed an issue where SafePay would not keep the zoom settings from the previous session
       • Fixed an issue causing SafePay to be unable to open PDF files

     The following improvements were included:
       • The product now complies with the Microsoft DSA requirements
       • Several improvements to the install engine
       • Improved repair process
       • Several improvements to the On-Access engine
       • Product interface fixes and improvements
       • Improved SafePay's functionality
       • Several improvements to the product's self-defense mechanism
       • Improved the way the Support Tool gathers Bitdefender related information
       • Improvements to the Firewall engine
       • Improved Wallet's compatibility with several websites
       • Added support for the Polish language
       • Some improvements to the event engine
       • Improved the way the product handles remote tasks (example: system scan from Central)
       • Improved the way the product integrates with the Windows start-up process
       • Some improvements to the Update engine

     KB is unavailable at this time.

     Downloads:

     Online Installers:
       • Bitdefender Antivirus Plus 2017 21.0.23.1101
         Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
         XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe
       • Bitdefender Internet Security 2017 21.0.23.1101
         Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
         XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe
       • Bitdefender Total Security 2017 21.0.23.1101
         Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
         XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe

     Offline Installers and Install Guide:

     Checksum - 19 Jan 2017 Offline Installer Update:
       • bitdefender_ts_21_32b.exe (application/octet-stream) - 386983608 bytes
         MD5: 0444b93b3942f8f08a3cace4915290b3
         SHA-1: d868a81dd02632716216671da19b928bc20fe91c
         SHA-256: f9f6c543d7e31c3289f43e0e9f85e279c0825a3df66eb7639ba496ba49535189
         SHA-384: d5e643be48251de5dd77bb52318b6e1028668161630e51b1d1695864b52c469b3af02ff04e05c4d7ae3c2c89e026b8aa
         SHA-512: b612ff33eb172ff7ce2978399fc706aa91fee712124ed7a91c17bf52c183a1aeda1901c2558945462271e44261b2e86187b27082fb5b35f4363f4ede78fb5474
       • bitdefender_ts_21_64b.exe (application/octet-stream) - 428227776 bytes
         MD5: d9640741f295a8f4830b193108a164f6
         SHA-1: 81906a9ade33889f2ccb1c2c0b2e0939ff1fe9ef
         SHA-256: c225869fd8175ccd8dfa1c9226ed466ec3795c5049dfed5e99e2cfaa871e47f2
         SHA-384: 0057846870499ceb5407a81a8ff883c1f46c18afcc911b277b8f68ef02c1dff3f1cba479e9a5b61fe2a033de6c273e02
         SHA-512: b0211315a8418fa7115a354db61b50a73d522ef3b6404f7cfd6cf0e7651b987dd9656fe8db9d680ee31f93048f1f5bcd47dccb34f42cf174a9e8a62597b3bc25

     Bitdefender 2017 Offline Installation Guide:
  2. Security researcher Michael Gillespie has developed a new Windows app to help victims of ransomware infections. Named CryptoSearch, this tool identifies files encrypted by several types of ransomware families and provides the user with the option to copy or move the files to a new location, in hopes that a decrypter that can recover the locked files will be released in the future.

     Gillespie developed the app as a recovery and cleaning utility for computers that have been infected by undecryptable ransomware strains. In these cases, it is impossible for PC owners to recover locked files, so the best course of action is to move all the encrypted data to a backup drive and wait until security researchers find a way to break the ransomware's encryption.

     Gathering all encrypted files is a different story. Ransomware works by encrypting file types, and not folders, so victims usually have encrypted files spread all over their PC, not in a few central locations. This is where CryptoSearch comes to help, by automating this search process, and the movement of these files to a new location. Once this operation finishes and PC owners have a backup of the encrypted data, they can clean up the computer by removing the ransomware's file, or optionally, wiping the hard drive and reinstalling the entire OS.

     CryptoSearch works together with ID Ransomware

     Under the hood, CryptoSearch works in tandem with the ID Ransomware service, meaning you have to be online when running the app. According to Gillespie, CryptoSearch will query the ID Ransomware service in order to retrieve data needed to identify the type of ransomware that has locked the user's PC.

     "This program is powered by my service ID Ransomware, and thus is always updated with definitions on the latest known ransomwares and their signatures," Gillespie wrote today on the Bleeping Computer forums, where he officially launched the app.

     "When CryptoSearch is first launched, it will contact the website, and pull down the latest information on known extensions and byte patterns," Gillespie added. "It will identify files by known filename pattern or extension, or for some variants, the hex pattern in the encrypted file."

     CryptoSearch uses this database to search the local file system, identify the ransomware infection, and then find all files locked by that ransomware. Once CryptoSearch has identified all files, the user is prompted via a menu and asked if he wants to move or copy the files, and then asked where to relocate the encrypted data. Gillespie says that CryptoSearch is smart in the way it transfers files, keeping the initial folder structure. For example, files found in "C:\Test\Folder" will be moved to "J:\Backup\C\Test\Folder".

     CryptoSearch is currently in a beta development stage, meaning more features will arrive in the future. One of the currently requested features is an "offline mode" that will include static copies of the ID Ransomware database so that CryptoSearch could be used on computers not connected to the Internet. Users asked for this feature because it's a standard practice in the case of ransomware infections to isolate computers by taking them offline. There's no timeline for this feature, so you'll have to keep an eye on Gillespie's Twitter feed or the CryptoSearch Bleeping Computer forum topic.

     CryptoSearch can be downloaded from here.

     Article source
  3. A new law that took effect in California on January 1, 2017 punishes conviction of distributing ransomware with a prison sentence of up to four years. In the past, ransomware cases were tried under existing extortion statutes. According to the bill's sponsor, California State Senator Bob Hertzberg, "This legislation provides prosecutors the clarity they need to charge and convict perpetrators of ransomware." Source
  4. A new kind of ransomware comes with its own "referrals" program, one that you probably wouldn't want to join. The malware dubbed "Popcorn Time" locks your Windows computer's files with strong AES-256 encryption, until you pay a ransom of one bitcoin (or $780 at the time of writing). "We are extremely sorry that we are forcing you to pay but that's the only way that we can keep living," said the ransomware note. Source
  5. Ransomware Attacks To Decrease In 2017

     Ransomware is expected to deflate a bit next year, but hackers won't be resting on their laurels, that's for sure. Instead, they might just move to dronejacking, for a "variety of criminal or hacktivist purposes". This is according to McAfee Labs, whose new report, the McAfee Labs 2017 Threats Predictions Report, identifies 14 cyber-security trends to watch in 2017.

     Based on the opinions of 31 Intel Security thought leaders, the report says we can expect a decrease in both volume and effectiveness of ransomware in the second half of 2017. Windows vulnerability exploits will also continue downwards, but infrastructure and virtualization software attacks will increase. So will attacks against hardware and firmware.

     Attacks against mobile devices will be a combination of mobile device locks and credential theft, allowing attackers access to information such as credit cards. IoT malware could open up backdoors into the connected home -- backdoors which could stay undetected for years. Also, we can expect to see hijackings of drones, or as the report puts it -- Dronejackings.

     "To change the rules of the game between attackers and defenders, we need to neutralize our adversaries' greatest advantages", says Vincent Weafer, vice president of Intel Security's McAfee Labs. "As a new defensive technique is developed, its effectiveness increases until attackers are compelled to develop countermeasures to evade it. To overcome the designs of our adversaries, we need to go beyond understanding the threat landscape to changing the defender-attacker dynamics in six key areas: information asymmetry, making attacks more expensive, improving visibility, better identifying exploitation of legitimacy, improving protection for decentralized data, and detecting and protecting in agentless environments".

     The full report can be found on this link (PDF).

     Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.

     Source
  6. Kaspersky Labs has also developed a decryptor tool based on the master keys.

     ESET security researchers have created and released a free decryption tool to combat Crysis ransomware based on the malware's master decryptor keys that were made public earlier this month. ESET's decryption tool, which joins one developed by Kaspersky Labs, uses information released on Pastebin and first reported by Bleeping Computer.

     The security firm has detected variants of Crysis appearing in 123 countries since it was released in May 2016, with people in France, Spain and Brazil being victimized most frequently. Cybercriminals use a variety of methods to spread the malware, including spam and infected ads found on social networks.

     Bleeping Computer founder Lawrence Abrams believes the decryptor master keys posted on Pastebin are possibly from the malware's creator because they contain the C header files.

     Article source
  7. Microsoft warns internet users about Amazon emails that try to infect computers with ransomware. With Black Friday and Cyber Monday coming up, cybercriminals hope more users are susceptible to opening an attachment coming from a popular online retailer. In this case the malicious emails appear to be from Amazon and state that the order has been sent out. The criminals behind the scam have tried to make the mail look as legitimate as possible, and the mail has a .ZIP file attached that 'contains information about the order'. In reality it contains a JavaScript file with obfuscated code that is known as Nemucod, a Trojan downloader that will download the Locky ransomware to the computer, which will then start to encrypt files on the computer.

     "We see it every year: social engineering attacks that take advantage of the online shopping activities around Black Friday and Cyber Monday, targeting customers of online retailers", Duc Nguyen and Wei Li write in a blog on Microsoft's website. As usual, Microsoft advises not to open emails, and especially attachments, from unknown addresses. Amazon also has a helpful page that can assist in distinguishing between a legitimate and a fake email from the online retail giant.

     Article source
  8. Nathan Scott, a malware analyst for Malwarebytes, was able to crack the encryption system used by the Telecrypt ransomware, discovered two weeks ago by researchers from Kaspersky Lab.

     The peculiar feature that made this threat unique was the ransomware's command and control (C&C) client-server communications channel, for which the operators chose to use the Telegram protocol, instead of HTTP or HTTPS like most ransomware does these days. This made Telecrypt stand out, albeit its threat vector was low, since it only targeted Russian users with its first version, and only bothered showing the ransom note in Russian alone.

     Telecrypt ransom note (via Kaspersky Lab)

     You can get the Telecrypt ransomware decryptor created by Malwarebytes from this Box link. Inside it you'll find two files: the decrypter itself and a text file with usage instructions. The decryptor's interface is self-explanatory, but make sure to read the usage instructions first.

     The decryptor needs to run as the system administrator. In modern Windows versions, you can right-click it and select "Run as Administrator" from the drop-down menu. In older Windows versions you need to right-click the file, choose Properties, then the Compatibility tab, and select the "Run This Program As An Administrator" option.

     Telecrypt Decryptor

     To run the Telecrypt decryptor, victims need a good and an encrypted version of the same file, so the decryptor can determine the ransomware's encryption key. You can find unencrypted versions of your files in email accounts, file syncing services (Dropbox, Box), or from older system backups if you made any.

     After the decryptor finds the encryption key, it will then present the user with the option to decrypt a list of all encrypted files, or from one specific folder. Telecrypt keeps a list of all encrypted files at "%USERPROFILE%\Desktop\База зашифр файлов.txt".

     Scott is the second Malwarebytes employee to crack a ransomware family in the past two days, after hasherezade released a decryptor for the Princess Locker ransomware yesterday.

     Article source
  9. Proofpoint researchers spotted a ransomware dubbed Ransoc that uses bold tactics to target and extort pedophiles and torrent users. While anyone with an unsecured machine may be infected, Ransoc scrapes Skype and social media profiles for personal information while it scans files and torrents for potentially sensitive information, including strings associated with child pornography, in an attempt to gain more leverage on the victims who may have child pornography or other illegal files, according to a Nov 14 blog post.

     The ransomware is spread via malvertising primarily fed by the Plugrush and Traffic Shop traffic exchanges on adult websites and looks to infect Internet Explorer on Windows and Safari on OS X. Once a user is infected, the malware uses a screen locker displaying information from the victim's social media and may display a customized "Penalty Notice" if the malware believes it has spotted illegal files on a user's device. The notice also threatens to take the victim to trial and to publicly release all of the files collected by the ransomware if the victim doesn't pay. Researchers noted in the blog that the ransomware is targeting the victim's reputation rather than their files.

     The malware also attempts to encourage payment by telling users their ransom will be refunded if the victim isn't caught again within 180 days. The collection method also displayed the confidence level that the malware's authors have, as it requests credit card information, which is easier for authorities to trace than Bitcoin or other cryptocurrencies. Researchers said in the post that this implies the attackers are confident victims would rather pay the ransom.

     "This ransomware is unique in how it functions and the sorts of information it collects," Proofpoint's Threat Operations Center Vice President Kevin Epstein told SC Media via emailed comments. "It's blackmail-ware rather than hostage-ware."

     Source
  10. A new spam wave posing as emailed fax messages is delivering a malware downloader that fetches and installs a ransomware family known as PClock, a CryptoLocker clone.

     The ransomware, detected by Microsoft as Ransom:Win32/WinPlock.B or WinPlock, is more commonly referred to under the name of PClock and has been going around since January 2015, when users first complained about it on the Bleeping Computer forums. Emsisoft security researcher Fabian Wosar was able to create a decrypter for the earlier versions that allowed users to unlock their files for free. By May 2015, the PClock team updated their code and broke the decrypter. After that point, PClock victims could only restore their files from backup files or by paying the ransom.

     PClock resurfaces with new spam wave

     Since then, the number of infections with PClock has been low but steady. Microsoft's security team recently picked up a spike in activity from the group's operators. In their most recent spam campaign, the ransomware's creators are using emails disguised as fax messages, using a subject such as "PLEASE READ YOUR FAX T6931." The title is boring and mundane, but the email contains a file named "Criminal case against you," which might get some users' attention.

     PClock installed via Crimace trojan

     This RAR archive contains a WSF file. When users download and open the archive, and execute the WSF file, a JScript function starts a series of operations that download and install a malware known as Crimace, detected as TrojanDownloader:JS/Crimace.A. This threat is a malware downloader, a trojan that connects to an online server and downloads and runs other malware. In this case, it was PClock.

     If we take a look at the screenshots posted on the Bleeping Computer forums in January 2015, and the screenshots taken by Microsoft, we see that PClock hasn't evolved, at least visually, at all.

     PClock January 2015 variant
     PClock November 2016 variant (Source: Microsoft)

     The ransomware has remained at the same level of sophistication, still posing as a CryptoLocker clone, even if other more dangerous ransomware families have emerged in the meantime.

     PClock still an entry-level operation

     Furthermore, PClock's operators have yet to figure out how to host a decryption service on the Dark Web, the standard method for dealing with decryption operations, preferred by most high-end ransomware threats. After almost two years in the wild, PClock has remained an entry-level operation, requiring victims to get in contact with PClock's authors via email, a cumbersome and time-consuming task. The only thing that has changed is the number of targeted files. Initial PClock variants targeted only 100+ file types for encryption, while the most recent variant targets a whopping 2,630 file types.

     Article source
  11. A security researcher named slipstream/RoL has discovered the Karma Ransomware, which pretends to be a Windows optimization program called Windows-TuneUp. What is worse is that this sample was discovered as software that would potentially be distributed by a pay-per-install software monetization company when people install free software downloaded from the Internet. I have been railing against adware and PUA purveyors for quite some time and this continues to show how dangerous bundled software is becoming.

     If a user downloads and installs a free program that is monetized by this software monetization company, they would possibly be greeted with an offer for a Windows optimization program called Windows-TuneUp. While many people know these types of programs are not ones you want on your computer, there are unfortunately many who do not realize this. These people would then accept the offer thinking they are getting a program that will help optimize their slow computer. When the program runs, they will be presented with a screen that shows various performance stats and tools to supposedly increase the performance of their computer. Also, if they had gone to the program's web site they would have been shown a web page that appears to look like a legitimate software company.

     Windows-TuneUp Web Site

     Unfortunately, this is just a ruse, and while the victims are playing with the fake program or reading the website, the program is silently encrypting the data on the computer and its connected drives. It is not until they are shown the Karma Ransomware's ransom note that they realize they have been tricked and that their computer has a serious problem.

     Karma Ransomware Ransom Note

     The good news is that this ransomware was very short-lived and the Command & Control server has already been shut down. Therefore, even if this ransomware is still being distributed, victims will not become infected.

     It does, though, provide a very important lesson, which is that anyone who downloads free software over the Internet should decline any offers that may be presented. In my experience, any offers being presented by free downloads are just not worth the headache they may present and should simply be avoided. Try instead to only download programs that are adware and PUP free.

     How the Karma Ransomware Encrypts a Computer

     For a more technical dive, when Karma is first executed it checks if the program is running on a virtual machine. If it is, it would terminate the program and state it is not compatible with the computer. If it does not detect a virtual machine, it would connect to the Command & Control server to retrieve the encryption key that would be used to encrypt the victim's files. It will then search all drives, including connected network drives, for certain file types to encrypt.

     The targeted file extensions are:

     .1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3gp2, .3gpp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accda, .accdb, .accdc, .accde, .accdr, .accdt, .accdu, .accdw, .ace, .ach, .acr, .act, .adb, .ade, .adn, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .amr, .aoi, .apj, .apk, .arj, .arw, .asax, .ascx, .asf, .ashx, .asm, .asmx, .asp, .aspx, .asset, .asx, .atb, .au, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .bsa, .bz, .bz2, .c, .caf, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .cshtml, .csl, .csproj, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des, .design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .dochtml, .docm, .docx, .docxml, .dot, .dothtml, .dotm, .dotx, .drf, .drw, .dsw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .fdf, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fs, .fsi, .fsproj, .fsscript, .fsx, .fxg, .gbr, .gho, .gif, .gray, .grey, .groups, .gry, .gz, .h, .hbk, .hdd, .hpp, .htaccess, .html, .htpasswd, .ibank, .ibd, .ibz, .idx, .iff, .iif, .iiq, .incpas, .indd, .info, .info_, .ini, .ipsw, .iqy, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lha, .lit, .litemod, .litesql, .lock, .log, .ltx, .lua, .lzh, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .master, .max, .mbx, .md, .mda, .mdb, .mdc, .mdf, .mdp, .mdt, .mef, .mfw, .mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp2, .mp2v, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpeg, .mpg, .mpg, .mpga, .mpv, .mpv2, .mrw, .msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .onepkg, .onetoc, .onetoc2, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pdfxml, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm, .pm!, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx, .pot, .pothtml, .potm, .potm, .potx, .ppam, .pps, .ppsm, .ppsm, .ppsx, .ppt, .ppthtml, .pptm, .pptm, .pptx, .pptxml, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm, .pwz, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r00, .r01, .r3d, .raf, .ram, .rar, .rat, .raw, .rax, .rdb, .re4, .resx, .rm, .rmm, .rmvb, .rp, .rpt, .rt, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .settings, .sh, .sldm, .sldx, .slk, .slm, .sln, .sql, .sqlite, .sqlite3, .sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tar, .tax, .tbb, .tbk, .tbn, .tex, .tga, .tgz, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr, .utorrent, .vb, .vbe, .vbhtml, .vbox, .vbproj, .vbs, .vcf, .vcproj, .vcs, .vcxproj, .vdi, .vdx, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vpd, .vsd, .vsix, .vss, .vst, .vsx, .vtx, .wab, .wad, .wallet, .war, .wav, .wb2, .wbk, .web, .wiz, .wm, .wma, .wmf, .wmv, .wmx, .wpd, .wps, .wsf, .wvx, .x11, .x3f, .xdp, .xis, .xla, .xla, .xlam, .xlk, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsb, .xlshtml, .xlsm, .xlsm, .xlsx, .xlt, .xltm, .xltm, .xltx, .xlw, .xlw, .xml, .xps, .xslt, .xxx, .ycbcra, .yuv, .zip

     When it encounters one of the above file types it would encrypt it using AES encryption and append the .karma extension to the filename. For example, test.jpg would become test.jpg.karma.

     While encrypting files, it would skip all folders that contain the following strings:
       • \$recycle.bin\
       • \$windows.~bt\
       • \boot\
       • \drivers\
       • \program files\
       • \program files (x86)\
       • \programdata\
       • \users\all users\
       • \windows\
       • \appdata\local\
       • \appdata\locallow\
       • \appdata\roaming\
       • \public\music\sample music\
       • \public\pictures\sample pictures\
       • \public\videos\sample videos\
       • \tor browser\

     Finally, when it was done encrypting the files it will create ransom notes on the Desktop called # DECRYPT MY FILES #.html and # DECRYPT MY FILES #.txt and display them. Last, but not least, it will create a Scheduled Task which will automatically start Windows-TuneUp.exe after it has been closed. This scheduled task is called pchelper.

     Files associated with the Karma Ransomware:
       • Windows-TuneUp.exe

     Registry entries associated with the Karma Ransomware:
       • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer "auth"
       • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "Saffron"= "%Desktop%\\# DECRYPT MY FILES #.html"
       • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "Safron"= "%Desktop%\\# DECRYPT MY FILES #.txt"

     IOCs:
       • SHA256: 6545ae2b8811884ad257a7fb25b1eb0cb63cfc66a742fa76fd44bddd05b74fe8
       • SHA256: cf5fda29f8e1f135aa68620ce7298e930be2cb93888e3f04c9cd0b13f5bc4092

     Network Communication:
       • karma2xgg6ccmupd.onion
       • windows-tuneup.com/web293/xUser.php

     Article source
  12. Malware of all kinds can be a terrible experience and costly in terms of lost productivity, destroyed data, and the release of potentially embarrassing or valuable proprietary information. Ransomware, though, is in its own class of bad, not only threatening data but also directly costing victims money in response. Microsoft understands this, and has published a post over at the Windows blog letting its customers know just how committed the company is to defending against ransomware:

     Ransomware is one of the latest malware threats that is attracting an increasing number of cyber-criminals who are looking to profit from it. In fact, in the last 12 months, the number of ransomware variants has more than doubled. Its premise is deceptively simple: infect users' devices, and then deny them access to their devices or files unless they pay a ransom. However, the methods and means attackers are using to perpetrate ransomware attacks are increasingly varied, complex and costly.

     In response, Microsoft is taking some specific steps aimed at slowing down ransomware and providing customers with tools to combat it:

       • Six of the top 10 ransomware threats use browser, or browser-plugin-related exploits, so we made it harder for malware authors to exploit Windows 10 and Microsoft Edge.
       • We increased detection and blocking capability in our email services, increasing the number of ransomware-related attachments being blocked.
       • We added new technology to Windows Defender to reduce detection time to seconds, increasing our ability to respond before the infection can occur.
       • We released Windows Defender Advanced Threat Protection which can be combined with Office 365 Advanced Threat Protection to make it easier for companies to investigate and respond to ransomware attacks.

     Microsoft is focusing on a few areas to deal with ransomware. They're working to prevent it by hardening the browser against exploits, protecting email, and applying machine learning to the task. Detection is being enhanced via improvements to Windows Defender. Finally, the company is responding by providing some defense after a breach has already occurred.

     The company has some advice for Windows 10 users as well:

     We have made significant improvements in protecting customers from ransomware in the Windows 10 Anniversary Update. To help protect against ransomware and other types of cyber threats, we suggest you:

       • Update to the Windows 10 Anniversary Update and accept the default security settings within Windows 10.
       • Keep machines up to date with the very latest updates.
       • Ensure that a comprehensive backup strategy is implemented and followed.
       • The Block at First Sight cloud protection feature in Windows Defender is enabled by default. For IT Pros, if it was turned off we recommend turning it back on, and we also recommend incorporating another layer of defense through Windows Defender ATP and Office 365 ATP.

     For more information about each of these technologies and techniques and how they work, please download our white paper Ransomware Protection in Windows 10 Anniversary Update.

     We recommend that you heed Microsoft's advice, and that if you haven't already upgraded to Windows 10 Anniversary Edition, you get that done as soon as you can. Security and privacy rely on updated systems that leverage all of the work that companies like Microsoft are putting into it.

     Article source
  13. Master Decryption Keys and Decryptor for the Crysis Ransomware Released

In a surprise move, the master decryption keys for the CrySiS Ransomware have been released early this morning in a post on the BleepingComputer.com forums. At approximately 1 AM EST, a member named crss7777 created a post in the CrySiS support topic at BleepingComputer with a Pastebin link to a C header file containing the actual master decryption keys and information on how to utilize them. These keys have already been used by Kaspersky Labs to update their RakhniDecryptor program so that it can be used to decrypt victims' files.

BleepingComputer.com post about Master Decryption Keys being Released

Though the identity of crss7777 is not currently known, the intimate knowledge they have regarding the structure of the master decryption keys and the fact that they released the keys as a C header file indicates that they may be one of the developers of the CrySiS ransomware. Why the keys were released is also unknown, but it may be due to the increasing pressure by law enforcement on ransomware infections and the developers behind them.

Header file posted to Pastebin

When the released keys were examined by Kaspersky Lab it was determined that these keys were legitimate. Using these keys, Kaspersky have updated their RakhniDecryptor program so that it can now decrypt CrySiS encrypted files.

Using RakhniDecryptor to decrypt CrySiS Encrypted Files

Victims of the CrySiS ransomware can be identified by their files being encrypted and renamed to the format of [filename].id-[id].[email_address].xtbl. For example, the most recent variants would have a file named test.jpg renamed and encrypted as [email protected]. Some other variants that have previously been seen include [email protected], [email protected], [email protected], and [email protected].

To decrypt files encrypted by the CrySiS ransomware, you need to first download the RakhniDecryptor. Once downloaded, you should extract the program and run it. Once running, it will display the main screen as shown below.

RakhniDecryptor

Before starting, you need to make sure that you are using version 1.17.8.0, which supports the CrySiS ransomware. To check the version of the RakhniDecryptor you can click on the About link at the bottom left of the above screen. This will display a small window that shows the version of RakhniDecryptor.

About Screen

If you are using version 1.17.8.0 or greater, then you should click on the Start scan button and RakhniDecryptor will prompt you to select an encrypted file. Browse to a folder that contains CrySiS encrypted files and select a Word, Excel, PDF, music, or image file. Do not select a text file, as it cannot be used to decrypt the rest of your files.

Select a CrySiS Encrypted File

Once you have selected a file, click on the Open button. RakhniDecryptor will now scan the entire computer for encrypted files and decrypt them.

Scanning for CrySiS Encrypted Files

This process can take quite a long time, so please be patient while it scans your computer and decrypts the files. When it has finished it will display a list of files decrypted by RakhniDecryptor. You can now close the RakhniDecryptor and should be able to access your files again.

Source
  14. The one thing about cybercriminals is that they are persistent and always find a new way to attack. And they tend to improve themselves, staying ahead of cyber defenders. Recently we received one malware sample and the infected PC too, so we took a look at the malware sample. At first, we thought this was just another variant of ransomware, but after doing some analysis we found that this malware does not encrypt any files but still asks for a ransom. Below are the pictures of the ransom note.

Most previous ransomware notes include the encryption method, the deadline to decrypt the files, a bitcoin address for payment, etc. But this ransom note is different and has the title “Notice of Imposition of File”. This ransom note looks like a notice sent from a federal office and has the following headings:

Materials that Violates the Intellectual Property Right
Suspicious Activity

After reading the note, we can come to the conclusion that this note carries a threatening message to the victim to pay the fine to settle the case pre-trial within 24 hours, with the following text:

“You must pay penalty within 24 hours to settle the case out of court. Incase of failure to comply claims” ALL COLLECTED DATA WILL BE MADE PUBLIC AND THE CASE GOES TO THE TRIAL.

This note also provides all the details of the victim, which include:

Name
Birthday
Phone
Email
Location Area
Skype Account Details
Facebook Account Details
Linkedin Account Details
IP Address
CPU Details
System Details
PC Name
Username

The note also contains images of the victim from Facebook, LinkedIn, and pictures taken from the webcam. When victims click the payment option, it takes them to a payment page where they are requested to fill in their basic details and credit card details.

In short, when this malware infects a PC, it collects all the data of the victim, even captures a picture from the webcam, creates the ransom note described above, and threatens the victim to pay the ransom or it will leak their private data in public.

More About This Malware

This malware is distributed via the Nuclear Exploit Kit, and users become victims when they visit a compromised WordPress website which redirects to the Nuclear Exploit Kit server. To spread this malware, we have identified one IP, 128.31.0.39, that has been used by the cybercriminals.

Analyzed Samples
d5738a0199b58a754b03980349a66b89

Behavioural Analysis

After being deployed, the malware disappears and runs via a dropped copy from a hidden folder created in C:\\Users\Username\AppData\Local\Temp\Low. It also creates a link to the dropped malware in \AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup. It also drops other files:

z32jwcdbdaz7ab52tyxhr7x2smatqp2k
zqweejj6blyvyxxq4da4rzvh3un5pzvv.exe
__config3271.bat

Then this malware starts to talk to a Command and Control (C&C) server. We have identified two C&C servers:

89.163.144.64
136.243.147.14

When the victim PC starts to communicate with the C&C, the malware starts to collect data from the victim PC which can be used for the ransom note. After the data is collected to create the ransom note, the malware becomes active and locks the screen with the ransom note. The following picture shows the malware process running in the background.

When a victim sends the requested ransom to the cybercriminals, the request is sent to the crooks' server via a secure communication (TLS). The server IP is 91.194.90.103, which is behind TOR. Find the malware analysis details here https://malwr.com/analysis/MGVjYmJjY2I4ZTMwNDMwOWE5MDkzMWFmZTk5MDE4YTI/

This malware has evolved to another level and has become the next-generation ransomware.

How to Protect yourself from malware?

Install Anti-Virus/Malware Software.
Keep Your Anti-Virus Software Up to Date.
Run Regularly Scheduled Scans with Your Anti-Virus Software.
Use an updated version of your operating system.
Back up your files.
Think Before you click.
Use a Strong Password with two-step verification.
Cover up your webcam.

Article source
  15. Traditional antivirus fails to stop ransomware 100% of the time. That’s according to a recent survey from Barkly of companies that suffered successful ransomware attacks during the last 12 months. A full 100% reported they were running antivirus at the time of the attack.

And antivirus wasn’t the only security solution that came up short. Victims reported that 95% of the attacks bypassed the victim’s firewall(s); 77% of the attacks bypassed email filtering; 52% of the attacks bypassed anti-malware; and 33% of the attacks were successful even though the victim had conducted security awareness training. Not a great track record.

But what’s baffling is the finding that most companies don’t alter their approaches after a ransomware attack. “Instead of branching out and investing in new forms of protection, the majority of respondents chose to simply double down on the same poor-performing solutions,” said Jonathan Crowe, a security researcher at Barkly. In fact, 26% (re)invested in email filtering; 25% (re)invested in security awareness training services; 20% (re)invested in antivirus; and 17% (re)invested in firewall(s). That’s in addition to the 43% that didn't invest in any additional solutions at all.

“One way to read these reactions is that, lacking obviously better options but still feeling the pressure to do something, companies are taking the only immediate path they see forward — adding more of the basic, foundational security solutions that have widely-accepted benefits even though they also have widely-acknowledged holes,” Crowe said.

Many IT pros said that they preferred to address vulnerabilities and make improvements on their own. Two thirds responded to the attacks by conducting their own user awareness initiatives. Nearly half reacted by making updates to their existing security policies.

“The fact that a whopping 43 percent of respondents chose not to invest in any additional security solutions whatsoever is also an indication that, when it comes to preventing ransomware, IT pros simply don't see many good options (new or established) they feel like they can trust,” Crowe said.

Another factor is that backups might be making IT staff complacent. Barkly research showed that 81% were confident backup would provide them with complete recovery from a ransomware attack. But less than half of those who had actually experienced an attack were able to fully recover their data with backup.

“While backup is unquestionably a necessity and while it has undoubtedly helped save many an IT pro's bacon, it's also far from a given that every ransomware scenario will be able to be quickly remedied with a simple wipe and restore,” Crowe said. “The idea of increasing widespread reliance on backup, a solution that's really meant to be used as a last resort, makes many security experts nervous. There's also the worry that some ransomware variants make copies of encrypted data that criminals can later sell or post publicly.”

Article source
  16. The moment your computer connects to the internet, it becomes susceptible to a myriad of attacks like malware infection, hacking or others. On top of that, some websites also try to track your web browsing patterns in order to make offers to you based on the collected data. There seems to be no escape from this situation no matter how many different tools you try. Now a new software called BlackFog Privacy has come to the front of this ongoing battle to preserve PC security and privacy.

The BlackFog Privacy software can be used to monitor the network traffic, delete some of the cookies stored by various web browsers as well as the browser cache in order to boost the level of privacy. This software also makes sure that you stay protected from various forms of malicious programs like ransomware, trojans and spyware, in addition to the programs that could be collecting user-generated data for their tracking services.

The main window of BlackFog Privacy shows you a basic overview of your system’s status – how much forensic data is present on your PC, how many devices are connecting to your PC, the network status and the telemetry report, and more. All of this data is presented graphically so that you can easily see which actions are required to secure your PC. You can obviously change the settings related to network traffic, forensic data removal, and the privacy system settings. It also shows the privacy score of your PC based on the various settings.

According to the BlackFog Privacy software web site, it protects your PC from 26 million different malware, ransomware and spyware. This makes it a good antivirus product in itself. When you decide to remove the forensic data from your PC, it uses the popular DoD algorithm that repeatedly overwrites files with randomly generated data, making it impossible to recover them later.

http://www.blackfog.com/blackfog-privacy-2-5-real-time-network-protection-ransomware-spyware-malvertising/

Conclusion: BlackFog Privacy is security software for PC that offers improvement in privacy, protection from malware and monitoring of network traffic to see all the connections made to or from your PC.

Download BlackFog Privacy

Article source
  17. Cisco releases MBRFilter as free download utility

MBRFilter notification message

Cisco's Talos team released today a new free tool called MBRFilter that protects a computer's MBR sector against unauthorized access, which can be useful for safeguarding PCs against MBR-targeting malware, such as the Petya, Satana, or HDDCryptor ransomware. At its core, the tool is nothing more than a driver that changes your MBR into a read-only mode and prevents any application from modifying or writing data to that particular section of your hard drive.

MBR stands for Master Boot Record and is a special section of all hard disk drives. The MBR is located right at the beginning of the HDD's storage space and keeps information on partitions in a component called the MFT, or the Master File Table. The MBR also stores the computer's bootloader, an OS component responsible for booting the current OS.

Ransomware such as Petya, or other MBR malware (bootkits), force computers to restart and, during the subsequent reboot process, write new data to the MBR, adding their own malicious routines. Cisco says MBRFilter blocks these operations, preventing Petya, or other malware, from tinkering with a computer's boot record.

Cisco has open-sourced the MBRFilter source code on GitHub. Pre-compiled MBRFilter driver installers for Windows 32-bit and 64-bit platforms are also available for download. Below is a demo video of MBRFilter in action.

MBRFilter - A Tool To Help Protect Against MBR Malware

Previously, the Cisco Talos team had released LockyDump, a tool that helps security researchers extract configuration details for the Locky ransomware, which can be useful in tracking ransomware campaigns across time.

MBRFilter

Article source
  18. Shodan is a search engine that looks for internet-connected devices. This summer, it was also used by security researchers and law enforcement to shut down a ransomware botnet

Shodan is a search engine that looks for internet-connected devices. Hackers use it to find unsecured ports and companies use it to make sure that their infrastructure is locked down. This summer, it was also used by security researchers and law enforcement to shut down a ransomware botnet.

The Encryptor RaaS botnet offered ransomware as a service, allowing would-be criminals to get up and going quickly with their ransomware campaigns, without having to write code themselves, according to a report released last week.

The ransomware first appeared in the summer of 2015. It didn't make a big impact -- in March, Cylance reported that it had just 1,818 victims, only eight of whom had paid the ransom. But it had a few things going for it that could have spelled success.

Its big selling point was the price, said Ed Cabrera, chief cybersecurity officer at Trend Micro, which released last week's report. Other ransomware-as-a-service providers charged about 40 percent in commissions, so Encryptor RaaS was a bargain at just 5 percent.

Plus, it billed itself as "fully undetectable," with a fair degree of success in evading antivirus detection, using valid certificates, and using the Tor network to hide its entire infrastructure. A year after its release, only two out of 35 antivirus products were able to detect it, according to NoDistribute, a service that checks malware against the top antivirus products.

The low price may have affected customer service, however. "There was dissatisfaction with the service and the product that was being offered," said Cabrera. "You need to be able to make enough money to keep the lights on."

But the death stroke came from Shodan. Security researchers found that one of the Encryptor RaaS servers was mistakenly left unprotected, exposed to the Internet, instead of being anonymized and hidden inside the Tor network. "With Shodan, they were able to identify Encryptor RaaS being hosted, and once that was found, they were able to shut it down," said Cabrera.

Law enforcement authorities stepped in and closed one of the systems in June, then three more servers were seized a few days later. Encryptor RaaS developers called it quits soon after.

"Either they were detected by law enforcement, or they couldn't sustain their business model," he said. "If you have high technical requirements in the malware that you're creating, you need people to do your development and provide the service, you need to keep making money."

In addition, in the criminal marketplace, it's all about the reputation. "If your customers believe that you have an inferior product or service, you're going to be named and shamed and you'll have to close doors," he said. "If they believe that you've been compromised by law enforcement as well, it puts a damper on business."

The shutdown wasn't all good news for the rest of us, however. When its operators shut down Encryptor RaaS, they wiped the master decryption key. Victims of the ransomware whose files had been encrypted no longer had any way to get those files back -- even if they paid the ransom.

It's yet another example that businesses shouldn't count on being able to just pay a ransom to get their data back, and need to put more effort into preventing the infection in the first place, said Cabrera.

Original article source

Note: Article was edited, first sentence linked to Nsane security & privacy news forum.
  19. Remove Ransomware Infections From Your PC Using These Free Tools

Symantec

A how-to on finding out what ransomware is squatting in your PC -- and how to get rid of it.

Ransomware, a variety of malware which encrypts user files and demands payment in return for a key, has become a major threat to businesses and the average user alike. Coming in a variety of forms, ransomware most often compromises PCs through phishing campaigns and fraudulent emails. Once a PC is infected, the malware will encrypt, move and potentially delete files, before throwing up a landing page demanding a ransom in Bitcoin.

Demands for payment can range from a few to thousands of dollars. However, giving in and paying the fee not only further funds the development and use of this malware, but there is no guarantee any decryption keys given in return will work. It is estimated that ransomware attacks cost more than $1 billion per year.

The No More Ransom Project, launched by the National High Tech Crime Unit of the Netherlands' police, Europol, Kaspersky and Intel Security, is a hub for victims to find out how to remove infections -- and how to prevent themselves becoming infected in the future.

Unfortunately, not every type of ransomware has been cracked by research teams. Time and vulnerabilities which can be exploited by cybersecurity experts are required, and so some ransomware families do not have a solution beyond wiping your system clean and using backup data. However, researchers are cracking more types of ransomware every month and there are a number of tools available which give victims some hope to retrieve their files.

The No More Ransom Project offers a quick way to find out what sort of ransomware is on your PC using this step-by-step guide. Alternatively, the Ransomware hunter team runs the ID Ransomware online service which can also be used to identify infections.

Below, in alphabetical order, you can find a range of tools and software made available by researchers to scour your PC clean of the most common types of infection.

Al-Namrood: Removal tool. Emsisoft.
Apocalypse: Removal tool. Emsisoft.
ApocalypseVM: Removal tool. Emsisoft.
Autolocky: Removal tool. Emsisoft.
BadBlock: Removal tool. Trend Micro. Alternative: BadBlock: Removal tool. Emsisoft.
Bart: Removal tool | AVG | Original file copy required.
Bitcryptor: Removal tool. Kaspersky.
Cerber v.1: Removal tool. Trend Micro.
Chimera: Removal tool. Trend Micro.
CoinVault: Removal tool. Kaspersky.
CrypBoss: Removal tool. Emsisoft.
CryptoDefense: Removal tool. Emsisoft.
CryptInfinite: Removal tool. Emsisoft.
CryptXXX v.1 & 2: Removal tool (.zip). Kaspersky. (*Files encrypted by Trojan-Ransom.Win32.CryptXXX version 3 are detected, but not decrypted.)
CryptXXX v1, 2, 3, 4, 5: Removal tool. Trend Micro.
DMALocker: Removal tool. Emsisoft.
DMALocker2: Removal tool. Emsisoft.
Fabiansomware: Removal tool. Emsisoft.
FenixLocker: Removal tool. Emsisoft.
Gomasom: Removal tool. Emsisoft.
Globe: Removal tool. Emsisoft.
Harasom: Removal tool. Emsisoft.
HydraCrypt: Removal tool. Emsisoft.
Jigsaw: Removal tool. Trend Micro.
KeyBTC: Removal tool. Emsisoft.
LeChiffre: Removal tool. Trend Micro.
Marsjoke | Polyglot: Removal tool (.zip) | Kaspersky. See also: One more bites the dust: Kaspersky releases decryption tool for Polyglot ransomware.
Nemucod: Removal tool. Trend Micro.
Nemucod: Removal tool. Emsisoft.
MirCop: Removal tool. Trend Micro.
Operation Global III: Removal tool.
TeslaCrypt: Removal tool. Cisco.
PClock: Removal tool. Emsisoft.
Petya: Removal tool. Key generator.
Philadelphia: Removal tool. Emsisoft.
PowerWare: Removal tool.
Rakhni & similar (Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Lortok, Cryptokluchen, Democry): Removal tool (.exe). Kaspersky.
Rannoh: Removal tool (.zip). Kaspersky.
Shade v1 & 2: Removal tool. Kaspersky.
SNSLocker: Removal tool. Trend Micro.
Stampado: Removal tool. Trend Micro. Alternative: Removal tool. Emsisoft.
TeslaCrypt v1, 2, 3, 4: Removal tool. Trend Micro.
UmbreCrypt: Removal tool. Emsisoft.
Vandev: Removal tool. Kaspersky.
Wildfire: Removal tool (.zip). Kaspersky.
Xorist: Removal tool. Kaspersky.
Xorist: Removal tool. Emsisoft. (Alternative: Removal tool. Trend Micro.)
777: Removal tool. Trend Micro.

Source
  20. If you refuse to pay up, the malware vanishes from your PC -- but leaves everything fully encrypted.

Kaspersky has released a decryption tool for the Polyglot ransomware to assist victims in recovering their files without giving in and paying a fee. On Monday, the cybersecurity firm launched the free tool (.ZIP), which is suitable for the Polyglot Trojan, also known as MarsJoke, a strain which has been linked to attacks on government targets.

Ransomware is a particularly nasty kind of malware which has hit the headlines over the past year after targeting victims including businesses, hospitals and universities. What makes the malware strain particularly devastating -- for organizations and the general public alike -- is its ability to take away access to files and content stored on a compromised machine.

Once ransomware such as MarsJoke, Cerber or CTB-Locker is downloaded and executed -- often finding its way onto a PC through phishing emails or malicious links -- the ransomware encrypts files and in some cases, full hard drives. Once the victim can no longer access their machine, a holding page informs them that they must pay a "fee" in return for a decryption key which will release their content back to them.

Polyglot infects PCs through spam emails which have malicious RAR archives attached. When infecting a machine, this family of ransomware blocks access to files and then replaces the victim's desktop wallpaper with the ransom demand, which is made in the virtual currency Bitcoin.

Many types of ransomware will simply sit on the machine waiting for the payment to be made. However, Polyglot insists on a payment deadline, and if the blackmail fails and no money is sent to the operators, the malware will delete itself -- leaving behind a machine with encrypted files and no way to retrieve them. Until now, at least. Kaspersky's tool will decrypt these machines and unlock user data.

According to the security firm, although Polyglot looks similar to the severe CTB-Locker ransomware, the malware uses a weak encryption key generator. On a standard home PC, it takes less than a minute to brute-force the full set of possible Polyglot decryption keys -- which gives you an idea of how weak the malware actually is. This weakness also provided a path for Kaspersky to exploit to create the decryption tool.

Anton Ivanov, senior malware analyst at Kaspersky Lab, commented:

If you are suffering from a different type of ransomware, it is worth checking out the No More Ransom project to see which decryption tools are available to you. The project is a joint initiative between Kaspersky Lab, the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre and Intel Security, designed to help users recover their data without giving in to the cybercriminals and paying up.

Article source
  21. Typical ransomware behavior usually involves encryption of a user's computer files after they run an executable program, or maybe a JavaScript file, in order to lower suspicions. However, a new strain of ransomware goes for the bigger piece of the cake, encrypting an entire hard drive aside from the files themselves.

Called Mamba or HDDCrypt, the malware was initially discovered by Morphus Labs in Brazil. It was also found in machines in the United States and India. According to Renato Marinho, a researcher at Morphus Labs, the malware is believed to be spread through phishing emails and malicious downloads.

Once it infects a machine, it overwrites the host computer's Master Boot Record (MBR) with its own variant, and from there it will be able to encrypt the hard drive. This would mean that if the computer is opened, the system would not fully load, and it would only display a screen controlled by the Mamba ransomware. It will refuse to boot the PC unless the decryption key is provided, which will set the user back one Bitcoin. It then uses two programs called "dccon.exe" and "mount.exe," which are responsible for encrypting the files on the computer and all mapped network drives.

Via Morphus Labs

The ransomware note reads:

“Mamba encrypts the whole partitions of the disk,” according to Marinho. “It uses a disk-level cryptography and not a traditional strategy of other ransomware that encrypts individual files.”

While the Mamba ransomware seems to act a lot like the Petya ransomware, which also manipulates the boot process, the former uses free and legitimate tools. It utilizes Netpass, a free network password recovery tool, as well as DiskCryptor, an open source disk encryption utility.

As per usual, we advise readers to be careful of the websites that they visit and the files that they download, as malware such as Mamba is always waiting in the wings for its next victim.

Source: ThreatPost

Article source
  22. HDDCryptor ransomware spread via malicious downloads

HDDCryptor ransom screen

Researchers have spotted a new ransomware family that attacks a hard drive's MBR (Master Boot Record) and prevents PCs from booting up after encrypting their files. This one's named HDDCryptor (or Mamba) and has been around since January 2016, according to a Bleeping Computer forum topic where users reported their infections.

Technically, HDDCryptor was around before the overhyped Petya, and later Satana, ransomware families, which got a lot more media attention and behaved in the same way, by rewriting the MBR and preventing the PC from booting.

New wave of HDDCryptor infections

Based on available reports, it appears that a recent malware distribution campaign has been delivering a new version of HDDCryptor to users around the world. The first one to (re)detect HDDCryptor was Renato Marinho, a security researcher for Morphus Labs, who said his company was called in to investigate a massive HDDCryptor infection at a multinational, which affected its headquarters in the US, Brazil, and India.

Marinho's initial technical analysis was followed a few days later by one from Trend Micro, mostly identical. According to both, HDDCryptor infections start with users accessing a malicious website and downloading malware-laced files on their PCs. These files are either infected with HDDCryptor directly or come with an intermediary malware that delivers HDDCryptor at a later stage, when the crooks are sure they have boot persistence on the infected computer.

HDDCryptor uses open source tools to attack and lock PCs

The actual HDDCryptor payload is a bunch of binaries all crammed into one. When the big binary is executed, it drops files on the user's computer and launches them in a particular order.

HDDCryptor first scans the local network for network drives. It then uses a free tool called Network Password Recovery to search and dump credentials for network-shared folders, past or present. The process continues by launching another open source tool called DiskCryptor to encrypt the user's files found on the hard drive's partitions. This tool is then used in conjunction with the previous scan and passwords to connect to network drives and encrypt that data as well.

Ransomware is efficient, some people have paid

In the end, HDDCryptor rewrites the MBR with a custom boot loader and restarts the computer, which then gets stuck in a ransom note like the one below. Users are encouraged to contact the ransomware's author via email, where they'll receive the Bitcoin address to which the ransom is to be paid. Crooks are currently asking for 1 Bitcoin (~$610).

According to funds found in one of the Bitcoin addresses shared in these emails, at least four people seem to have paid the ransom fee so far, but there are probably more if crooks used different Bitcoin addresses.

Article source
  23. This Ransomware Exposes Users’ Location Data on the Internet

If you think that your location data is safe then you are mistaken, because there is a new series of ransomware that can post your location data on the internet. The most advanced of them all is “CryLocker.”

Until now we believed that ransomware was supposed to lock or send away the data from an infected computer to the attackers directly or to the command & control servers (C&C) from where it was controlled. But this new breed of ransomware is equipped with diverse capabilities.

Ransom note that victim sees once their files are locked

What this ransomware does is retrieve your location data from Google Maps and then post the retrieved image on Imgur, a photo sharing community. CryLocker utilizes Portable Network Graphic (PNG) image files to access the victim’s credentials. If the image does not get uploaded on Imgur, the ransomware CryLocker tries to upload it on other websites like paste.org. In case both these websites fail to upload the location data image, the ransomware relays the information directly to the same IP address 4096 using UDP port 4444.

According to security experts at Malware Hunter Team, the creators of this new ransomware aim to hide their own location and identities with this kind of malware. Moreover, researchers believe that hackers are using the UDP protocol to conceal their C&C servers more profoundly.

The ransomware also tries to retrieve data such as the Wi-Fi point of the target, the system’s language and keyboard layout. CryLocker is programmed in a way that it doesn’t activate itself if it identifies the system language to be Russian or from another country that is part of the Commonwealth of Independent States.

What would you do if your system became infected with ransomware or someone has hacked your site and is demanding ransom? The FBI tells victims to pay the ransom; however, this is not the solution, as it only encourages cyber criminals to boost their activities. But keeping a backup will help you big time.

Also, Kaspersky and Intel, assisted by Europol and Dutch Police, recently launched an anti-ransomware website ‘No More Ransom’ in order to assist Internet users against ransomware by recovering their files at no cost, to stop them from paying ransom to criminals.

To read more technical details on CryLocker ransomware we highly recommend going through the in-depth research work from Malware Hunter Team.

Source