Search the Community

Showing results for tags 'ransomware'.

Found 258 results

  1. Don't touch that email! London uni fears 0-day used to cram network with ransomware

     Antivirus didn't pick up software nasty, say UCL IT peeps

     University College London is tonight tackling a serious ransomware outbreak that has scrambled academics' files. It is feared the software nasty is exploiting a zero-day vulnerability, or is a previously unseen strain of malware, as antivirus defenses did not spot it in time. Eggheads at the UK uni are urged not to open any more email attachments, which may be booby-trapped with the ransomware.

     The UCL Information Services Division (ISD) said it had locked down access to the shared and networked drives that have been under siege from the malware since it began infecting users around mid-day Wednesday via an email message.

     "Currently it appears the initial attack was through a phishing email, although this needs to be confirmed," the ISD said. "It appears the phishing email was opened by some users around lunchtime today. The malware payload then encrypted files on local drives and network shared drives. The virus checkers did not show any suspicious activity and so this could be a zero day attack."

     Both the shared (S) and network (N) storage drive services have been suspended as the university works to stop the outbreak. Service is expected to be restored in read-only mode later this evening, UK-time. The ISD said drives that have already been encrypted by the malware will be restored to their most recent backup once the infection is resolved.

     In the meantime, the university is warning all students and staff not to open any attachments or click links in emails, and to be wary of suspicious messages from contacts.

     "It is vital we all maintain a high level of vigilance when opening unexpected emails. If the email is unexpected or in any way suspicious, then you must not open any attachment or follow any link in the email," the ISD said. "Doing so may lead to loss of your data and very substantial disruption to the university."

     UCL said it will provide an update on the situation tomorrow. ® < Here >
  2. 1: Patch management for clients and servers

     Keeping current with Windows Updates ensures that your clients and servers will be patched against any known threats. Vulnerabilities that exist in the form of zero-days will not be covered since that is not possible—and yet the WannaCry infection managed to infect more than 150 countries at such an alarming rate, despite a patch having been readily available almost two months prior to the attack. With patch management playing such a crucial role in ongoing system protection, there is no end to the tools available to organizations—small, medium, or large—to help ensure that their systems are current. First-party tools available from Microsoft, such as Windows Server Update Services, which is included as a service of Windows Server, or System Center Configuration Manager (SCCM), can manage patches from deployment to remediation, with included reporting on the status of all managed devices for first- and third-party applications.

     2: Security software and hardware appliance updates

     As stated previously, each organization will have differing needs and resources available to best manage the network and its data. While some commonalities exist, such as firewalls and intrusion prevention systems (IPSes), these devices provide filtering of traffic at the ingress/egress of the network. Alongside firmware updates and signatures, these devices also offer manual configuration to better suit your network's protection requirements. Active monitoring of the health of these devices, along with updating configurations as necessary to match the network's needs, will result in enhancing the network's security posture and help enable the security appliance to stave off attacks. While these devices may not necessarily be Windows-based devices, I included them here because of the real-world benefit they provide in helping to mitigate unauthorized network intrusions and to fend off attacks.

     3: Hardening device security

     Hardening clients and servers is imperative to limit the attack surface from internal or external attacks. The process of hardening a Windows client will differ from a Windows server, in that the aim for their use can vary drastically. By assessing what the devices will be used for, you can determine how the device should be locked down from a security standpoint. Keep in mind that any applications, services, and connected devices that are not needed or that are deprecated (such as the SMBv1 protocol that allowed the WannaCry exploit to proliferate) should be considered a potential attack vector that may be exploited and should be disabled immediately. Microsoft offers the Microsoft Baseline Security Analyzer (MBSA) for clients and servers alike to perform vulnerability assessments for devices and the services that run atop them. It also makes recommendations on how to harden them for the utmost security without compromising services. For newer OSes, such as Windows 10 and Windows Server 2012/2016, MBSA will still work, though it may be used in conjunction with the Windows Server Manager app to identify compliance with best practices, troubleshoot configuration errors, and identify operating baselines used to detect variations in performance, which may be an indicator of a compromised system.

     4: Data backup management

     Let's face it, a computer is only as reliable as the data it works with. If said data has become compromised, corrupt, or otherwise lost its integrity—say through encryption by ransomware—it will cease to be useful or reliable. One of the best protections against ransomware in general is a good backup system. As a matter of fact, several backup systems are better still. Since data can be backed up to several different media at once, an incremental backup to a local drive that you can transport with you, alongside a constant backup to cloud storage with versioning support, and a third backup to a network server with encryption provides ample redundancy so that if your local drive becomes compromised, you still have three possible data sets to recover from. The Backup And Restore Utility native to Windows clients and servers provides a lightweight solution for backing up local data across multiple storage types. Meanwhile, OneDrive offers excellent cloud backup capability. Third-party software to centrally manage data backups across an organization or to/from the cloud is available from several providers as well.

     5: Encryption for data at rest and in motion

     Encrypting data on the whole will not prevent your computer from ransomware infections, nor will it prevent a virus from encrypting the already encrypted data should the device become infected. Be that as it may, some apps use a form of containerization to sandbox data that is encrypted, rendering it completely unreadable by any process outside the container application's API. This is extremely useful for data at rest since it prevents outside access unless it's through the designated application. But it does nothing for data in motion or data that is being transferred over the network. In cases where transmission is required, the de facto standard is virtual private networking (VPN), since it creates an encrypted tunnel by which to send/receive data to/from, ensuring data is protected at all times.

     6: Secured network infrastructure configurations

     Unfortunately, the network is often set up and configured during the installation period of new hardware and then it's left to operate unchecked until something fails. Networking equipment, including routers, switches, and wireless access points, requires updated firmware and proper configuration, along with proactive monitoring to address trouble points before they become full-blown issues. As part of the configuration process, an optimized network will be set up for Virtual LANs (VLANs) to segment traffic and should be managed to ensure that data gets where it needs to go in the most efficient manner possible. Another security benefit of VLANs is the ability to logically quarantine malicious traffic or infected hosts so that they can't spread the infection to other devices or parts of the network. This enables administrators to deal with compromised hosts without risk of spreading the infection, or to simply shut down the specific VLAN altogether to effectively cut off the device(s) from the internet until remediation has occurred.

     7: Network, security, acceptable use, and data recovery policies

     Policies are often used by larger organizations to enforce compliance with rules and regulations by their employees. However, besides being a document that dictates the rules of the workplace, policies can also serve as guidelines for end users to follow before an attack takes place and as a survival guide during and after an attack occurs. While policies do not inherently stop malware at a technical level, if written properly they can address known issues or concerns with respect to data security and arm employees with useful information that could prevent an infection from spreading. Policies may also direct them to provide feedback to IT support to remedy a reported issue before it becomes a larger problem. Policies should always be considered "drafts" in a sense. Technology is dynamic and ever changing, so the policies that are in effect must change too. Also, be mindful of any restrictions or regulations that may apply to your field. Depending on the industry, writing policies can get tricky and should be addressed with management (and perhaps legal) teams for accuracy and compliance.

     8: Change management documentation

     As with instituting policies, there is no direct correlation between documenting the change management process (or recording all changes to clients/servers, including patch deployment, software upgrades, and baseline analyses) and preventing ransomware outright. However, detailing changes made to systems configurations, along with the other measures previously listed, can have a profound effect on IT's ability to respond to threats proactively or reactively. Furthermore, it allows for adequate testing and measurement of the results that any changes made to systems have on services provided and uptime availability. Lastly, it offers a record of the changes made (alongside their results), which administrators, contractors, and other support personnel can review to determine the cause of some issues or possibly address their recurrence in the future. For a comprehensive set of documentation to be useful, you need input from various support teams—including systems and network administrators, help desk staff, and management—to create a documentation process that is effective yet simple to follow and easy to manage.

     9: End-user training

     Never underestimate the value of proper training for all staff, not just IT. Protecting against malware is not solely IT's job. It's everyone's responsibility since it affects everyone and can be essentially brought on by anyone at the organization. Considered a preventative measure, training that focuses on identifying possible malware attacks, such as phishing, can be an effective tool in preventing malware campaigns against your organization from compromising sensitive data. End-user training should center not just on identifying malware attack attempts, but should also target mitigation techniques that users can take to prevent or slow down infections should they suspect their computers have been compromised. Finally, no training is complete without informing users about the organization's expectations with respect to their responsibilities on reporting issues the instant they spot something out of the norm.

     10: Risk management assessments

     The aim of a risk assessment (RA) and risk management (RM) process is to identify internal and external threats (also called hazards) and the equipment and services that are affected by them, as well as to analyze their potential impact. The management portion of RA involves evaluating this data to prioritize the list of risks and identify the best plan of action in mitigating them. RA and RM can help you pinpoint the trouble spots and implement an ongoing plan to prevent these issues from negatively affecting your organization. At the very least, RA/RM allows IT to focus its efforts on aligning the company's resources with the devices that pose the greatest threat if compromised, such as mission-critical systems. This process enables IT, management, and compliance/regulation entities to best determine the path forward in identifying equipment, mitigating hazards, determining the order in which to resolve threats, and evaluating the assessment itself so that procedures can be updated and corrective actions modified as risks change over time.

     Article
  3. Bitdefender 2017 Build 21.0.25.92

     Overview: The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward Bitdefender's outstanding results through numerous prizes and certifications are: Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark, PC World Top 100, just to name a few.

     Homepage: https://www.bitdefender.com/
     Changelog: https://forum.bitdefender.com/index.php?/topic/76152-latest-changelog/

     A new Bitdefender Classic Line product update has been released with the following details:

     Affected software:
       • Bitdefender Total Security 2017
       • Bitdefender Internet Security 2017
       • Bitdefender Antivirus Plus 2017
     Platform: x86, x64
     Version: 21.0.25.92

     This version fixes the following issues:
       • Bitdefender Device Management would fail to connect with Windows

     KB is unavailable at this time.

     Downloads:

     Online Installers:

     Bitdefender Antivirus Plus 2017 21.0.25.92
       Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
       XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe

     Bitdefender Internet Security 2017 21.0.25.92
       Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
       XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe

     Bitdefender Total Security 2017 21.0.25.92
       Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
       XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe

     Offline Installers and Install Guide:

     Checksum - 30 May 2017 Offline Installer Update:

     bitdefender_ts_21_32b.exe (application/octet-stream) - 361535368 bytes
       MD5: 7953aad2edffcfcb19ed2eb4873627a7
       SHA-1: 28c8aacf2aeb45345e8c9cdf34498dd8b0b5e1f0
       SHA-256: 2da353fb0074db3fa0fd30c598e90817b3e43a85b4ff2fff9890636e97d1c2c4
       SHA-384: c33279fd5c06f9a0e357e1e542a83f2964c84f409c419f59a8144c16fa73af539909b26928285ddf2f68c14702778245
       SHA-512: ea2a46c91ebfdeade38d9da8cf53b33f3b1407ea83d18e0b5c20185820510b4c6a00ef4b15746599f9aef3dc34039c8f352ee1a32c052e5c3c1552a281c749ae

     bitdefender_ts_21_64b.exe (application/octet-stream) - 387255184 bytes
       MD5: f9cf114359ad76ad95216b43b722a016
       SHA-1: 24c67202d6a92d488111aca6952b5b3d2d0a9822
       SHA-256: 607999fb8be6a6d3322922548007258d19bdd2e046812ad47bde3186f66801ef
       SHA-384: a0597b34674815703d3ba192582e297fdbe830bed3faff85ddb1e295879390e5b1d6a2339986fae9a401d13affdd27ac
       SHA-512: d82fe9b728c14dd3685d52fff2d2e58acaf522f4e71a60cb36b95dda178348f60448b47509ebee5782d1f5cb12d6ff4237b404bc8f1fb024dcf976badd3717ea

     Bitdefender 2017 Offline Installation Guide:
  4. A self-proclaimed member of the Anonymous hacker collective is behind a campaign to spread the Houdini RAT and is currently looking into deploying the MoWare H.F.D ransomware.

     The name of this "hacker" is Mohammed Raad, according to his Facebook profile, but he also goes online by the nickname of "vicswors baghdad," according to his Facebook, Twitter, Google+, and YouTube profiles. While there are countless people who download and fool around with malware kits, Recorded Future claims this actor took it one step further by launching real-world campaigns.

     Recorded Future: Raad behind some Houdini campaigns

     Raad's actions would have gone unnoticed if he hadn't weaponized and started distributing Houdini (or H-worm), a VBScript-based RAT that was created and first spread in 2013. His biggest mistake was using PasteBin to store the RAT's main body, a VBScript file. Because threat intelligence firm Recorded Future regularly scrapes and archives PasteBin uploads, his actions were uncovered earlier this month, after experts observed an overall increase in VBScripts posted on online paste sites. Analyzing this surge, experts realized that most of the scripts were the Houdini VBScript. Analyzing the data, they identified three spikes of activity in August 2016, October 2016, and March 2017. Recorded Future experts believe an infected computer would download the VBScript from the paste site, which would later connect to a C&C server and gain persistence on the infected host by setting up a local folder and registry key.

     Raad registered a C&C domain under his real name

     To find more details on who was behind this surge in VBScripts on paste sites, researchers took a look at all the C&C server URLs found inside the Houdini scripts. This search identified C&C servers hosted on 105 subdomains for dynamic DNS providers (ddns.net, no-ip.com, etc.), but also one clear net domain. That domain was microsofit[.]net, which was registered by Raad. At this point, researchers realized that many of the other 105 dynamic DNS subdomains were variations on this actor's name, either using Raad or the word Mohammed in the subdomain name (mohammadx47.ddns.net; mohamedsaeed.ddns.net; etc.). It didn't take long for researchers to find Raad's social media profiles, where they found his affiliation with the Anonymous hacker collective, his inclination for dabbling in malware, and messages through which he entered promotions for the dynamic DNS services he used in the C&C server infrastructure.

     Raad is playing around with ransomware

     Furthermore, they found comments made by Raad on a YouTube video advertising the MoWare H.F.D ransomware, asking the author for a copy of the ransomware package. A few days later, Raad posted an image on Facebook showing the MoWare ransomware source code, implying that he received a copy and was currently editing the code. There is no evidence the author released his ransomware in the wild. Raad's social media profiles suggest he's an Iraqi national living in Munich, Germany. Raad did not respond to a request for comment from Bleeping Computer in time for this article's publication.

     Other actors leveraging paste sites

     According to Recorded Future experts, malware authors are increasingly abusing paste sites as cogs in their malware distribution campaigns. A day before the report unmasking Raad's activity, Recorded Future experts uncovered the activity of another crook, going by the name of Leo and wzLeonardo. Experts say Leo was using a VBScript hosted on Pastebin that when executed would install the njRAT remote access trojan on the victim's computer, while also downloading encrypted RAT strings stored on HasteBin, another paste site. Recorded Future believes Leo is based either in Brazil or Tunisia.

     Source
  5. Microsoft remains a strong brand despite WannaCry

     Many blamed Microsoft for the recent WannaCry ransomware fiasco, claiming the software giant should continue providing support for Windows XP and deliver patches for all Windows versions faster, but despite all this criticism, Microsoft remains a well-loved brand. Or at least, this is what a new survey conducted by Morning Consult reveals, with 83 percent of the respondents still viewing the brand favorably a week after the WannaCry outburst started.

     There are indeed 57 percent of users who said they were concerned about Microsoft products in the future after WannaCry, but on the other hand, 22 percent of them said they weren’t too concerned despite the risks of getting infected. 8 percent pointed out they weren’t concerned at all. The good news for Microsoft is that 39 percent of the people who participated in the survey claimed they still planned to buy Microsoft products, while only 25 percent said they would have second thoughts when facing such a decision.

     Windows 7, biggest victim of WannaCry

     Furthermore, a total of 8 percent of the respondents say they are “much more likely” to purchase Microsoft products in the future given the quick reaction of the company to the ransomware, while another 9 percent explained they are “much less likely” to do it.

     “The strength of Microsoft’s brand leaves it largely unscathed by the recent security issue — unlike its tech industry peer Yahoo Inc. After disclosing its own data breach, Yahoo’s favorability fell 10 percentage points, polling shows,” Morning Consult says. “Safety appears to be a top priority for people: Most of those surveyed say they are quick to download the latest security updates and have various passwords across platforms.”

     For what it’s worth, Windows XP wasn’t the biggest victim of the WannaCry ransomware, but Windows 7, which actually got patches from Microsoft earlier this year on Patch Tuesday. This means that most of the systems that were infected were actually outdated, either due to pirated licenses or because system administrators blocked updates from installing for various reasons.

     Source
  6. According to a linguistic analysis of the WannaCry ransom notes, the ransomware appears to be the work of a Chinese-speaking author, according to Jon Condra and John Costello, two Flashpoint researchers. After analyzing each of WannaCry's localized ransom notes, available in 28 different languages, the two feel pretty confident the ransom note was written by persons fluent in Chinese, but also in English.

     Two ransom note templates discovered: English & Chinese

     In fact, researchers say that there appear to be two ransom notes at the base of all other WannaCry notes. There is one written in Chinese, and one in English, which was used as the template for the other ransom notes. Flashpoint researchers say that if someone were to take the text of the WannaCry English ransom note and pass it through Google Translate, they'd get translations that are on average 95% identical to the ransom notes found in the real WannaCry package. This has led researchers to believe that the WannaCry author — or authors — used the English note as a boilerplate for the other languages, except Chinese. This is because Google Translate yields better translations from English to other languages. On the other hand, translating between other languages gives many errors and inaccurate translations.

     WannaCry Chinese ransom notes are different from the rest

     But the reason why Flashpoint researchers believe WannaCry is the work of a Chinese-speaking user is because of the two Chinese ransom notes — Simplified and Traditional — which are lengthier, differ in format compared to the English version, and are written by a person knowledgeable of the intricacies of the Chinese language. Below are the key findings of the Flashpoint research:

     On the other hand...

     So there you have it. It's now up to you to decide if you believe the North Korean attribution angle, or this new theory hinting that a Chinese-speaking user/group was behind the ransomware.

     WannaCry ransom notes support the following languages:

     Source
  7. WannaCry - close to 400 samples found in the wild

     WannaCry is one of the worst pieces of malware out there, mostly because it mixes a ransomware element with a worm component that helped it spread like wildfire. So far, close to 400 malware samples have been discovered in the wild. Security researchers from Trustlook have announced that, by their count, 386 WannaCry malware samples have been recorded to date. Despite there being just a little over a week since WannaCry hit the news, infecting some 300,000 devices in 150 countries, hackers seem to have flexed their muscles quite a bit.

     As you know, WannaCry uses two NSA hacking tools disclosed after the hacker group Shadow Brokers dumped classified documents online. EternalBlue is a tool that takes advantage of a Windows vulnerability, while DoublePulsar helps it spread through networks. The Windows vulnerability has since been patched and users are advised to update their systems if they haven't done so until now, as well as to install a security solution on their devices.

     It is believed that the original WannaCry infections didn't stem from someone carelessly falling for a phishing email scheme, but rather from the attackers scanning for open ports. As mentioned above, Microsoft has released a patch and created one even for Windows XP, which had been discontinued and was no longer receiving security updates. It was believed that many of those infected were actually using XP, but later data shows that the truth was quite far from that and that most of the devices that fell prey to WannaCry were running Windows 7.

     The long list of consequences

     The NSA dump has quite a lot of consequences and they're only going to become more apparent. WannaCry was just the start, complete with its 386 samples. A new worm was discovered by researchers, called EternalRocks, which uses seven NSA hacking tools, compared to the two used by WannaCry. Thus far, EternalRocks has not been weaponized with any type of malware, trojan and so on, but this can be done at any time.

     Source
  8. I think everybody knows now what's going on in the world by the name of WannaCry. My friends have been the victims of this too. So just wondering if there are more here? And also if someone can help prevent it? Tips?
  9. Ransomware decrypts Taiwanese netizen's computer due to his low income

     Netizen e-mailed the help line of ThunderCrypt because he couldn't afford the ransom

     TAIPEI (Taiwan News) -- On May 4, a Taiwanese netizen emailed the helpline of the ThunderCrypt ransomware after his PC got infected, and said that he only makes $400 monthly and couldn't afford the 0.345 bitcoin he was asked to pay. His files were later decrypted by the helpline because they thought they had largely overestimated the nation's income.

     A Breaking News Commune (爆料公社) member posted images of email correspondence between a netizen and an apparent representative of the ransomware ThunderCrypt on May 15. The netizen was asked to pay 0.345 bitcoins after the ransomware locked down all the files on his infected computer. He wrote an email to the customer service with the title “I only make US$400 a month, you really wanna do this to me?”, saying that he could not afford the ransom to decrypt his computer.

     ThunderCrypt responded to his message and told the netizen that they had switched it to decryption mode and would start to unlock his computer automatically soon. It also admitted that their Taiwanese campaign was a failure because they “largely overestimated” the average income of the nation.

     On Friday May 12, a similar ransomware was launched called WannaCry, also known as Wanna Decryptor or wcry, which affected more than 100,000 organizations in 150 countries with Taiwan among the top targets.
  10. Master Keys for Wallet Ransomware Posted to BleepingComputer Forums (May 18, 2017)

     Decryption keys for Wallet ransomware have been posted to the BleepingComputer online forums. It is not clear exactly why the malware creators have released the keys. The ransomware family of which Wallet is a part often releases keys when it has switched to a new extension. The attackers may also have surmised that they are not going to make any more money from that particular variant.

     Source
  11. Numbers released by Kaspersky Lab on Friday reveal that over 98% of all documented WannaCry infections were running versions of the Windows 7 operating system. Out of all Windows 7 users, the worst hit were users running Windows 7 64-bit edition, accounting for more than 60% of all infections. The second and third most targeted OS versions were Windows Server 2008 R2 and Windows 10, respectively.

     So! XP wasn't to blame after all

     The statistics come to disprove the popular belief that WannaCry hit mostly Windows XP machines. "The Windows XP count is insignificant," said Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab. To infect all these computers, the WannaCry ransomware used an SMB worm that spread on its own to new computers that ran vulnerable SMB services. That SMB worm was powered by an exploit named ETERNALBLUE. The exploit is part of a collection of hacking tools a group of hackers calling themselves The Shadow Brokers stole from the NSA and leaked online in April 2017.

     ETERNALBLUE never worked properly on XP, only on Windows 7

     Initial analysis of ETERNALBLUE revealed the worm could run on platforms from Windows XP up to Windows 8.1 and Server 2012. It was during the WannaCry outbreak that researchers discovered the worm only worked reliably on Windows 7, causing errors on other platforms, including Windows XP, which most infosec talking heads falsely blamed for most WannaCry infections. Following this discovery, a user has patched the ETERNALBLUE exploit to work without errors on 64-bit editions of Windows 8/8.1 and Windows Server 2012.

     Currently, WannaCry's worm modules are still searching for new victims. The latest tally of computers that have been touched by this worm is 416,989, albeit not all computers have had their files encrypted, as WannaCry's ransomware payload has been defanged by a clever British researcher. Bleeping Computer has reached out to Kaspersky Labs to inquire why we see Windows 10 machines in the chart, and about any possible scenarios that WannaCry could have used to infect those systems.

     Article source
  12. Windows XP still has a market share of 7 percent

     The WannaCry ransomware outburst that started last week compromised a total of 1,500 Windows XP computers at NHS Scotland, Health Secretary Shona Robison revealed, adding that the organization still has some 6,500 PCs running the unsupported operating system. Speaking about the outcome of the WannaCry attack, Robison explained that systems running other versions of Windows were also compromised, including many powered by Windows Server 2003.

     “At the moment we understand mainly Windows 2007 and Windows 2003 devices were affected and only a small number of Windows XP devices were affected,” Robison said in a statement. “I know Windows XP has been an issue raised within the media. What I can say about that is there are approximately 6500 XP devices out of around 153,000 total devices, less than 5%.”

     No patient data exposed

     On the other hand, authorities in Scotland explain that no breaches of patient data were experienced and no information was stolen as part of the attack, as hackers only demanded a ransom payment to restore access to files. Robison went on to explain that the government is currently working on plans to prevent similar infections in the future, without revealing whether an upgrade from Windows XP to a supported operating system is planned or not. “Reviews are already underway to capture what can be improved to ensure that we reduce the chances of a similar attack happening in the future,” she said.

     Windows XP was launched by Microsoft in 2001 and has not received support since April 2014. XP was one of the versions targeted by WannaCry, with Microsoft itself deciding to roll out a patch, despite the operating system being unsupported, to prevent the ransomware from exploiting a known vulnerability in the OS. At this point, Windows XP has a global market share of 7 percent, but after the WannaCry fiasco, more users are likely to migrate to a newer operating system as soon as possible.

     Source
  13. The NHS has been hit by a major cyber attack, with hackers demanding a ransom.

    Hospitals are understood to have lost the use of phone lines and computers, with some diverting all but emergency patients elsewhere. At some hospitals patients are being told not to come to A&E, with all non-urgent operations cancelled.

    Several hospital trusts and GP surgeries are reporting problems, but the full scale of the problems is not yet known. NHS hospitals across the North, East and West Midlands, and London are reporting IT failures, in some cases meaning there is no way of operating phones or computers.

    At Lister Hospital in Stevenage, the telephone and computer system has been fully disabled in an attempt to fend off the attack. Patients have been told not to come to A&E and all non-urgent appointments and operations have been cancelled.

    East and North Hertfordshire NHS trust said in a statement: “Today the trust has experienced a major IT problem, believed to be caused by a cyber attack.

    “The trust is postponing all non-urgent activity for today and is asking people not to come to A&E - please ring NHS111 for urgent medical advice or 999 if it is a life-threatening emergency.

    “To ensure that all back-up processes and procedures were put in place quickly, the trust declared a major internal incident to make sure that patients already in the trust’s hospitals continued to receive the care they need.”

    Health officials are understood to have declared a major incident and ordered a meeting of national resilience teams. NHS Digital said: “We’re aware that a number of trusts have reported potential issues to the CareCERT team. We believe it to be ransomware.”

    There are reports that trusts affected include East and North Hertfordshire, North Cumbria, Morecambe Bay hospitals, Blackpool, and Barts Health in London. A number of GP surgeries also say they are unable to use their systems.
    One source told Health Service Journal that multiple trusts had been affected by a suspected malware attack around 1.30pm. They said trusts had their computer systems almost entirely shut down. Services affected are thought to include picture archiving communication systems for x-ray images, pathology test results, phone and bleep systems and patient administration systems.

    The source added: “This will mean delays and a focus on the sickest patients. I’ve seen it once before and we relied on local trusts supporting each other. If truly widespread then that’ll not be an option.”
  14. A new strain of ransomware has recently been discovered which relies on old cybercriminal tactics but still takes advantage of the rapid rise in the value of Bitcoin.

    Dubbed "Jaff", the malware was detected by MalwareHunterTeam. It was found to be distributed via the Necurs botnet, an infamous distributor of malware such as Locky, which Jaff closely resembles. Like much ransomware, it employs the classic technique of sending spam emails designed to look important to the recipient.

    Macro used as decoy by cybercriminals | via Malwarebytes Labs

    A PDF file will be downloaded, which will subsequently open a .docm Word file. At this point, the document will ask the recipient to click "Enable Content" to reveal the message. However, doing so will start the file's dirty work. According to BleepingComputer, it will begin to gather information about the user and then execute a number of files.

    Moreover, once the Jaff installer is executed, it will start the encryption process, which locks a large number of files, appending ".jaff" to all of them and preventing proper access. Once this process is done, a lock screen will be displayed, asking victims to go to a Tor website to find out how they can decrypt their files. The ransomware demands 2 bitcoins, currently equal to roughly $3,600. Unfortunately, according to an analysis conducted by Fabian Wosar of Emsisoft, there is no known way of decrypting infected files without paying the ransom.

    Many ransomware variants are known to exploit Word/Excel macros, as cybercriminals can easily make recipients believe that a sensitive document has been sent to them, making it easy to get them to enable the content and launch the doom within. Still, this ransomware is a good reminder to be careful about our activities on the internet, as cybercriminals are getting more creative in trapping victims, aiming to drain them of their hard-earned money. Source
  15. Updated systems have the patches to block the ransomware, Microsoft says

    WannaCry is becoming the largest ransomware infection in history, with attacks now expanding from Europe to the United States, but Microsoft says that users who are running a fully up-to-date Windows 10 system with Windows Defender running the latest virus definitions are completely secure.

    The infection has already claimed many high-profile victims in Europe, including the British National Health System (NHS) and other organizations in Spain, and the exploits seem to be based on a leaked NSA vulnerability that reached the web last month.

    At that point, security experts warned of imminent attacks on Windows systems due to what seemed to be unpatched zero days in the operating system, but Microsoft played down these claims, saying that users running the latest patches were fully secure.

    The same is happening this time as well, as Microsoft says that Windows users (regardless of their Windows version as long as it's still supported – so Windows 7, 8.1, or 10) with the most recent updates installed (May 2017) and with the latest Windows Defender virus definitions are not vulnerable to attacks launched with this new form of ransomware.

    Windows XP users completely vulnerable

    On the other hand, WannaCry can still claim millions of victims, because Windows XP and Windows Vista still run on a hefty share of desktops out there, with both operating systems no longer receiving updates and security patches from the company.

    Third-party market share data puts Windows XP at nearly 7 percent market share, and the NHS itself has previously been criticized for still running this unsupported Windows version on its systems. Updates for Windows XP have not been released since April 2014.

    The WannaCry ransomware locks down computers and requires a ransom of $300 in Bitcoin.
    The attacks are believed to be based on a vulnerability discovered by the NSA, which was leaked to the web by Shadow Brokers last month. Once again, it’s critical for both home users and organizations to bring their systems fully up to date as soon as possible, especially because the number of attacks is growing every minute and is now expanding to new regions. Source
  16. Amnesia ransomware has a decryption tool now

    A new decryption tool for ransomware victims has been released, this time for those affected by the Amnesia Ransomware. Over the weekend, Emsisoft announced they had a new decryptor ready for Amnesia, a ransomware that was spotted just earlier this month. According to the company's CTO and malware researcher Fabian Wosar, the malware has had another variant released called CryptoBoss.

    This new family of ransomware was named Amnesia based on the extension that gets added to encrypted files by the first variant (.amnesia). The CryptoBoss variant has yet to get a decryptor, but researchers are working on it. Amnesia victims, however, are lucky to have this tool.

    The ransom note can be found in each folder that holds an encrypted file. "HOW TO RECOVER ENCRYPTED FILES.TXT" is the name of the file; it contains a personal ID, which should be included in an email sent to an address given in the file.

    How does it work?

    In order to decrypt your files, you need to download the decryptor first. For the decryptor to work, you need a pair of files, one encrypted copy and its unencrypted original, and drag and drop them onto the executable. A good way to find such a pair is to look for the sample pictures in the default Windows folders.

    It may take a while until the decryptor discovers the key that was used to encrypt all the files, but it can then be used to fix all the files on your computer. The decryptor will automatically display a list of drives that will be decrypted, and if any are left out, you can add them yourself. Once everything is there, you can click the Decrypt button to start the process, and you'll see each file listed as it gets fixed.

    The encrypted files may still be on your computer, so make sure you've properly decrypted all the files before removing or archiving the affected files. Source
  17. A new Ransomware-as-a-Service has become available on the Dark Web, named FrozrLock, available for only $220 and advertised under the tagline "great security tool that encrypts most of your files in several minutes."

    Bleeping Computer received a tip about FrozrLock’s existence from security researcher David Montenegro, and with help from Avast security researcher Jakub Kroustek, we were later able to tie it to previous ransomware infections as early as April 16.

    “First detections were from Russia, without making any conclusions about its origin,” Kroustek said in a private conversation. “[It was] spreading via JS downloaders named as Contract_432732593256.js,” he said.

    At the time, the ransomware had no name, but we called it AutoDecrypt in the Weekly Ransomware round-up of that week, based on the name of its decrypter. In the meantime, more details have surfaced. Below is the homepage of the FrozrLock RaaS in full.

    Based on the details listed on the homepage, we extracted the following FrozrLock features (not confirmed):
    • Coded in C#
    • Multi-threaded
    • Supports .NET > 4.5
    • Automatically deletes loader after infecting victim
    • Doesn’t alter file extensions
    • Self-deletes after payment was received
    • All ransomware builds are obfuscated on the RaaS server and offered for download to customers
    • Tor-based control panel
    • Customers get unlimited rebuilds
    • Ransomware uses unique keys for each encrypted file
    • Can use Twofish256, AES256, and RSA4096 encryption

    Wannabe crooks whose interest was piqued by this offering must register on the site to gain access to an account. Once they’ve created an account, they’re granted access to the ransomware’s web-based builder interface. To use the builder and produce a fully working ransomware, clients must buy a license, currently worth 0.14 Bitcoin (around $220). The ransomware’s evolution is also recorded in a professional-looking changelog.
    The homepage lists the FILE FROZR name, but once users register and buy a license, the dashboard displays the FrozrLock name instead. Below is an image of the FrozrLock customer dashboard where customers can monitor infections.

    FrozrLock decrypter - auto
    FrozrLock decrypter - manual
    FrozrLock decrypter - alternate manual

    A typical ransom note shown by a FrozrLock ransomware variant looks like the image below. FrozrLock's author(s) declined to comment for this article.

    SHA256 hash: 2aa4c7708a49a6f1f462f96002dd2ce6fd27c7daf69647162116919b2df5abcd

    Source
  18. Bitdefender 2017 Build 21.0.25.84

    Overview: The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward BitDefender's outstanding results through numerous prizes and certifications include Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark and PC World Top 100, to name but a few.

    Homepage: https://www.bitdefender.com/
    Changelog: https://forum.bitdefender.com/index.php?/topic/75881-latest-changelog/

    A new Bitdefender Classic Line product update has been released with the following details:

    Affected software:
    • Bitdefender Total Security 2017
    • Bitdefender Internet Security 2017
    • Bitdefender Antivirus Plus 2017

    Platform: x86, x64
    Version: 21.0.25.84

    This version fixes the following issues:
    • Rare issue where the Virus Shield would report an invalid current state 0
    • Rare issue where the interface would go transparent while connected via RDP
    • Firewall crash caused by late BFE startup
    • Widget not saving its position after reboot

    The following improvements were included:
    • Added support for Korean and Vietnamese
    • Product interface fixes and improvements
    • Interface functionality
    • Rescue mode changed to Rescue Environment under Windows 10
    • SafePay's ability to handle foreign languages
    • FileShreder engine functionality
    • Event engine functionality
    • Update engine functionality
    • Agent's functionality
    • Wallet's compatibility with several websites
    • Wallet's ability to handle browser extensions
    • Product stability

    KB is unavailable at this time.
    Downloads:

    Online Installers:

    Bitdefender Antivirus Plus 2017 21.0.25.84
    Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
    XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe

    Bitdefender Internet Security 2017 21.0.25.84
    Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
    XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe

    Bitdefender Total Security 2017 21.0.25.84
    Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
    XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe

    Offline Installers and Install Guide:
    Bitdefender 2017 Offline Installation Guide:
  19. Bitdefender 2017 Build 21.0.25.80

    Overview: The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward BitDefender's outstanding results through numerous prizes and certifications include Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark and PC World Top 100, to name but a few.

    Homepage: https://www.bitdefender.com/
    Changelog: https://forum.bitdefender.com/index.php?/topic/75881-latest-changelog/

    A new Bitdefender Classic Line product update has been released with the following details:

    Affected software:
    • Bitdefender Total Security 2017
    • Bitdefender Internet Security 2017
    • Bitdefender Antivirus Plus 2017

    Platform: x86, x64
    Version: 21.0.25.80

    This version fixes the following issues:
    • Rare issue where the Virus Shield would report an invalid current state 0
    • Rare issue where the interface would go transparent while connected via RDP
    • Firewall crash caused by late BFE startup
    • Widget not saving its position after reboot

    The following improvements were included:
    • Added support for Korean and Vietnamese
    • Product interface fixes and improvements
    • Interface functionality
    • Rescue mode changed to Rescue Environment under Windows 10
    • SafePay's ability to handle foreign languages
    • FileShreder engine functionality
    • Event engine functionality
    • Update engine functionality
    • Agent's functionality
    • Wallet's compatibility with several websites
    • Wallet's ability to handle browser extensions

    KB is unavailable at this time.
    Downloads:

    Online Installers:

    Bitdefender Antivirus Plus 2017 21.0.25.80
    Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
    XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe

    Bitdefender Internet Security 2017 21.0.25.80
    Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
    XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe

    Bitdefender Total Security 2017 21.0.25.80
    Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
    XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe

    Offline Installers and Install Guide:
    Bitdefender 2017 Offline Installation Guide:
  20. Trustlook says a big part of ransomware victims pay the fees

    About 40% of ransomware victims pay to get their devices unlocked, as more and more people are affected by such schemes.

    According to new research from cybersecurity firm Trustlook, it's not just businesses that are threatened by ransomware, but also random, regular Internet users. The latter, it seems, are easier targets and have fewer resources than major companies to combat criminals, which is why they are the most likely to comply with the demands of these cyber criminals.

    Trustlook's report indicates that about 17% of consumers have, by this point, been infected with ransomware. 38% of all affected consumers have chosen to pay the ransom, which regularly ranges between $100 and $500, more often than not expressed in Bitcoin. On the other hand, those who have not yet been affected by ransomware present a tough stance, as only 7% say they would pay the fees.

    The unknown danger

    Despite the growing popularity of ransomware among cybercriminals who see it as a way to make a quick buck, nearly half of all consumers have not even heard of ransomware before. Furthermore, 48% of consumers aren't even worried about becoming a victim of a ransomware attack.

    On the upside, people seem to be cautious with their data, backing up the files on their computer or mobile device, with only 23% of consumers forgoing this step.

    "Backup your data to multiple devices, and to at least one device that is not connected to a network. Also, be cautious of emails by checking the sender's email address before clicking any link," says Allan Zhang, co-founder and CEO of Trustlook.

    His advice is especially apt, since most ransomware is spread via email phishing schemes. When it comes to mobile ransomware, installing apps from the main app stores instead of going to third-party stores should do the trick. While some infected apps sometimes pass under the radar of Google, for instance, such instances are rare. Source
  21. Cybercriminals behind the Locky ransomware and Necurs botnet are back in business. Last Friday researchers spotted both delivering nearly 35,000 emails in just a few hours, the first major Locky campaign researchers have seen in months, according to Cisco Talos.

    Researchers warn the latest Locky campaign is borrowing effective techniques from the credential-stealing malware Dridex, which has become adroit at outsmarting sandbox mitigation efforts. “The payload hasn’t changed but the methodology has,” wrote Cisco Talos researcher Nick Biasini in a research blog published Friday. “The use of PDFs requiring user interaction was recently seen by Dridex and has now been co-opted into Locky,” he said.

    Last year, Locky was behind a series of massive spam campaigns that targeted hospitals with either malicious Word or JavaScript attachments. By December, Cisco reported, Necurs and Locky activity had gone silent. “This could be the first significant wave of Locky distribution in 2017,” according to Biasini.

    The specifics of the campaign include two variants of emails sent to recipients. One email has no text in the body. In the other variant, emails include text consistent with what you might expect from an email that contains payment invoices, receipts or scanned images, according to Biasini. In both cases, subject lines include either the word “Payment” or “Receipt” followed by “#” and numbers – for example “Receipt#272”. Filenames of the malicious attachments are customized based on the recipient’s email address.

    Emails include a malicious PDF document with an embedded Word document inside, researchers say. Once opened, the PDF asks the victim for permission to open a Word document. That Word document then asks victims for permission to run an XOR’d macro that pulls down a malware dropper file. Once Locky is downloaded it encrypts files on the host computer.
    “The technique used by the adversaries to deliver Locky was just recently used to deliver Dridex and made use of PDF document with embedded Word documents. These Word documents then use macros to pull down the Locky sample and encrypt files. There are a couple of interesting aspects of using this technique one of which is requiring user interaction to get the sample to run, defeating many sandboxing technologies,” Biasini wrote.

    For a time PDF-based compromises were down and Word macro-based compromises were up, Biasini said. “In this campaign they figured out how to disguise a macro-laden Word doc in a PDF, compromising victims around the globe,” he wrote.

    The latest wave of Necurs activity represents a departure for the botnet, which has traditionally focused on pump-and-dump stock ploys, Russian dating spam, and work-from-home scams, according to the report.

    Once systems are infected, there is nothing remarkable about how attackers extort money from victims, Biasini wrote. Post infection, the Locky sample used the “/checkupdate C2” structure previously used by Locky. Attackers demand 1 bitcoin to decrypt files (currently $1,200), payable via a TOR Browser-accessible website.

    “This is an effective technique to defeat sandboxes that do not allow user interaction and could increase the likelihood of it reaching an end user’s mailbox,” Biasini wrote. Source
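Both the Jaff write-up (item 14: a PDF that opens a .docm and asks for "Enable Content") and the Locky write-up above (item 21: "Payment"/"Receipt#<digits>" subjects and a PDF with an embedded Word document) describe lures that a mail gateway can flag structurally before any user is asked to click. The following is an added example, not code from either article or from Cisco Talos, Malwarebytes or BleepingComputer, of that triage: it treats an OOXML attachment as a zip and looks for a vbaProject.bin part, looks for an /EmbeddedFile stream in a PDF, and matches the subject pattern quoted above. The function names, the extra macro-enabled extensions beyond .docm, and the sample attachments are all constructed for this example.

```python
import io
import re
import zipfile

# Subject pattern from the Locky write-up: "Payment" or "Receipt", then "#"
# and digits, e.g. "Receipt#272".
LOCKY_SUBJECT_RE = re.compile(r"^(Payment|Receipt)#\d+$")

# .docm is the macro-enabled Word format named in the Jaff write-up; the other
# macro-enabled Office extensions are an assumed generalisation.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")


def ooxml_has_vba(data: bytes) -> bool:
    """True if an OOXML container (docx/docm/xlsm...) ships a VBA project.

    OOXML files are zip archives; a macro-enabled document stores its VBA in a
    vbaProject.bin part (word/vbaProject.bin for Word), so its presence is a
    reliable indicator of macros regardless of the file's extension.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip, so not an OOXML document


def pdf_has_embedded_file(data: bytes) -> bool:
    """True if a PDF declares an /EmbeddedFile stream, the construct used to
    wrap a Word document inside a PDF as in the Locky campaign."""
    return data.startswith(b"%PDF") and b"/EmbeddedFile" in data


def triage_message(subject: str, attachments: dict) -> list:
    """Return (item, reason) findings for one message; an empty list means nothing seen."""
    findings = []
    if LOCKY_SUBJECT_RE.match(subject.strip()):
        findings.append(("subject", "Payment/Receipt#<digits> subject pattern"))
    for name, data in attachments.items():
        if name.lower().endswith(MACRO_EXTENSIONS):
            findings.append((name, "macro-enabled Office extension"))
        if ooxml_has_vba(data):
            findings.append((name, "OOXML container includes vbaProject.bin"))
        if pdf_has_embedded_file(data):
            findings.append((name, "PDF carries an embedded file"))
    return findings


def build_constructed_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed VBA stub")
    return buf.getvalue()


# Constructed PDF skeleton containing an embedded-file stream (not real malware).
CONSTRUCTED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Filespec /F (doc.docm) /EF << /F 2 0 R >> >> endobj\n"
    b"2 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    sample = {"Receipt_272.pdf": CONSTRUCTED_PDF,
              "Contract.docm": build_constructed_ooxml(True)}
    for item, reason in triage_message("Receipt#272", sample):
        print(f"{item}: {reason}")
```

The zip check matters more than the extension check: a renamed .docm still carries vbaProject.bin, and a .docx can legitimately carry one too. The /EmbeddedFile test is a coarse string search on the raw bytes, so a PDF with compressed object streams would need a real PDF parser to get the same answer; treat a hit as a reason to detonate or quarantine, not as proof of malice.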
  22. Google has removed a feature of the Android operating system that has been used in the past in ransomware attacks.

    Starting with Android O (8.0), set to be released in the fall of 2017, Google plans to deprecate the following window types: TYPE_SYSTEM_ALERT, TYPE_SYSTEM_ERROR, and TYPE_SYSTEM_OVERLAY. These are special "system" windows that are shown above any app on the user's screen.

    As you'd imagine, this is highly valued real estate for ransomware developers, who often aim to obtain permission to show content via these windows. Once they manage to obtain such permission, they use these windows to block the user's access to the rest of the phone and show ransom notes.

    Google's anti-ransomware efforts sabotaged by OEMs

    Starting with Android Marshmallow (6.0), Google reclassified the permissions of these system windows to the "Above dangerous" class. Previously, Android had only two permission classes: Normal and Dangerous. The difference between the two is that the Android OS itself can grant apps access to Normal permissions (adjusting the timezone, accessing mundane sensors, etc.), while the user has to grant access to Dangerous permissions himself.

    For Above Dangerous permissions, requesting apps can provide instructions, and the user has to go to an Android settings section, on his own, to grant access to the SYSTEM_ALERT_WINDOW permission, similar to how permissions are granted for Accessibility features and Device Administrators, two other features often abused by ransomware.

    Dinesh Venkatesan, Principal Threat Analysis Engineer, says this didn't actually stop Android malware and ransomware authors, who just found various workarounds to get that permission. It also didn't help that certain Android phone manufacturers didn't move this permission into the Above Dangerous category in their modified Android distributions, nullifying Google's work.
    Google adds button to shut down abusive apps

    Now, with Android O, for which Google released a developer preview at the end of March, Google has taken this choice away from OEMs and has deprecated three types of system windows often used by ransomware authors. This means ransomware authors will need to find new ways of showing ransom notes and locking users' screens.

    And to make things even safer, Google is now allowing users to shut down apps that show other types of system windows. Starting with Android O, when ransomware or other malware attempts to lock users out via a system window, the user can pull down the Notifications panel and shut down the app that's locking him out of his phone.

    New button to shut down apps with annoying system windows, at the bottom of the Notifications panel [via Symantec]

    "It should also be noted that while the new OS features should prove to be a good defense against ransomware variants that use system alert windows, they will not affect other ransomware threats such as those that constantly pop up the lock screen using user level windows," Venkatesan pointed out.

    Nonetheless, despite these improvements, Google's own Android Security Report showed that malware devs usually target older versions of the Android OS, where these improvements aren't supported. It also helps that there are more devices running Android 4.x and 5.x, less secure Android versions, compared with 6.x and 7.x, meaning malware devs don't have to go through all the trouble of bypassing Google's new security features to make profits. So for the time being, ransomware is going to remain a problem on Android, but most likely for users of older OS versions.

    Last year, with the release of Android Nougat (7.0), Google also added anti-ransomware improvements, by restricting the ability of malware to "programmatically" change device PINs and passwords. Source
  23. The Cerber ransomware family has risen to take Locky's place at the top of the ransomware mountain after new Locky versions stopped coming out last year, and spam operations spreading Locky have slowed to a trickle in 2017.

    Cerber's rise to the #1 spot is backed up by a flux of new versions released this year, including one with features that allow it to evade security products that rely on behavioral analysis and machine learning.

    Furthermore, while Locky and TeslaCrypt, 2016's undisputed leaders, were each distributed by one group, Cerber has adopted the RaaS model and relies on the greed and money hunger of different groups to keep its distribution going.

    Backend panel for Cerber ransomware RaaS [Source: David Montenegro]

    The constant stream of Cerber versions, the RaaS model, and the Necurs botnet dropping Locky and switching to other payloads have allowed Cerber to rise well above other ransomware distributions. According to the Malwarebytes "Cybercrime tactics and techniques" Q1 report, Cerber is nearing 90% in terms of ransomware distribution, very close to the all-time dominant position that TeslaCrypt had in May 2016, just before it voluntarily shut down.

    Ransomware distribution in the first months of 2017 [Source: Malwarebytes]

    But while the chart above shows distribution numbers, not all of those are infections. A similar chart is provided below by the team at ID-Ransomware, which relies on infected users who are trying to identify the name of the ransomware that has infected their computer. This chart, covering the last ten days, also shows Cerber dominating other ransomware families, such as Spora, Shade (Troldesh), Locky, and Sage.

    Ransomware infections in the last 10 days [Source: MalwareHunterTeam]

    Statistics from Microsoft also show Cerber as the primary ransomware infection on enterprise endpoints, taking up over a quarter of all ransomware infections.
    Ransomware encounters on enterprise endpoints [Source: Microsoft]

    Right now, Cerber may be dominating, but if history teaches us anything, it is that this won't last long. Either the Cerber crew will shut down their operation on their own (like TeslaCrypt), or they'll move to a new business model (like the Locky/Necurs crew), or they'll end up under arrest (like BitCryptor/CoinVault). Nonetheless, there'll also be another ransomware family waiting in the shadows to take Cerber's place. Right now, that ransomware seems to be Spora.

    Below are the results of a new study on ransomware awareness published today by Trustlook:
    • 48% of consumers are not worried about becoming a victim of a ransomware attack
    • 17% of consumers have been infected with ransomware
    • 38% of affected consumers paid the ransom
    • $100-$500 was the dollar range of ransomware payouts by consumers
    • 45% of consumers have not heard of ransomware
    • 23% of consumers do not backup the files on their computer or mobile device
    • 7% of non-impacted consumers say they would pay the ransom if they were hacked

    Source
  24. Lots of Android ransomware news this week even though Google feels it is pretty rare. Also some updates to tools created by Michael Gillespie (CryptoSearch & ID-Ransomware), a new RaaS, a new PyCL ransomware being distributed via RIG, and ransomware asking for 6 bitcoin ransoms while making fun of USA sanctions on Russia.

    Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @fwosar, @malwrhunterteam, @BleepinComputer, @struppigel, @demonslay335, @malwareforme, @jorntvdw, @FourOctets, @DanielGallagher, @campuscodi, @JAMESWT_MHT, @Seifreed, @JakubKroustek, @kafeine, @FreeBSDfan, @rommeljoven17, @BroadAnalysis, @nyxbone, @Malwarebytes, @Google, @zscaler, and @Lookout. If you are interested in ransomware or InfoSec, I suggest you follow them on Twitter.

    March 25th 2017

    CryptoSearch Updated to Support Files Encrypted by Spora
    Michael Gillespie has updated CryptoSearch so that it now supports files encrypted by Spora Ransomware.

    New Ransomware called WannaCry
    GData security researcher Karsten Hahn found a new ransomware called WannaCry.

    Spanish Ransomware Pretends to be a Windows Update
    Karsten Hahn found a Spanish ransomware that uses Smart Install Maker and a bunch of .vbs scripts to encrypt a computer. When run it pretends to be Windows Update.

    In-Dev MemeLocker Discovered
    Karsten Hahn keeps pumping out the new ransomware infections with MemeLocker. This ransomware is in development, but based on its name, I hope we won't see pictures of cats everywhere.

    March 28th 2017

    Unskilled Group Behind Many Junk Ransomware Strains
    A person or group of malware authors calling themselves "Mafia Malware Indonesia" claimed responsibility for writing a collection of ransomware families that includes threats such as KimcilWare, MireWare, MafiaWare, CryPy, and the recent SADStory and the L0CK3R74H4T ransomware.
    Yesterday's iOS 10.3 Update Brings Safari Ransomware Campaign to an End
    According to Lookout, the iOS 10.3 update, released yesterday, has thwarted a screen-locking ransomware campaign that used a bug in mobile Safari to lock users' browsers and demand a ransom paid in iTunes pre-paid gift cards.

    PyCL Ransomware Delivered via RIG EK in Distribution Test
    This past Saturday security researchers Kafeine, MalwareHunterteam, BroadAnalysis, and David Martínez discovered a new ransomware being distributed through EITest into the RIG exploit kit. As this ransomware was only distributed for one day and does not securely encrypt files, it makes me believe that this may have been a test distribution run.

    R Ransomware Discovered
    R is for Ransomware according to the new ransomware discovered by MalwareHunterTeam. Not sure what the big S is for at the bottom of the ransom page.

    Skulls are Creepy According to the AnDROid Ransomware
    MalwareHunterTeam discovered another ransomware today called AnDROid. This ransomware appends the .android extension to encrypted files. Even cooler, the skull is animated. Such skillz!!

    Ransom Hunt Underway for pr0tect Ransomware
    Michael Gillespie initiated a ransomware hunt for a ransomware that uses the .pr0tect extension and drops a ransom note called READ ME ABOUT DECRYPTION.txt.

    March 29th 2017

    Explained: Sage ransomware
    Malwarebytes explains how Sage is yet another ransomware that has become a common threat nowadays. Similarly to Spora, it has capabilities to encrypt files offline. The malware is actively developed and currently we are facing an outbreak of version 2.2 of this product.

    HappyDayzz Sample Found
    MalwareHunterTeam found a sample of the HappyDayzz Ransomware. What is interesting about this ransomware is that it uses different encryption algorithms depending on the response from the C2 server.

    DoNotChange Ransomware Discovered
    MalwareHunterTeam found a sample of the DoNotChange Ransomware.
    New RaaS called File Frozr Discovered
    Rommel Joven discovered a new RaaS called File Frozr.

    March 30th 2017

    Decryptor for the DoNotChange Ransomware Released
    Michael Gillespie released a decryptor for the DoNotChange Ransomware. Instructions can be found here.

    Google: Ransomware on Android Is Exceedingly Rare
    Android apps spreading ransomware aren't as common as most users and security experts think, says Jason Woloz, Sr. Program Manager for Android Security at @Google.

    CryptoSearch Updated to Support Files Encrypted by FadeSoft
    Michael Gillespie released an updated version of CryptoSearch that supports files encrypted by FadeSoft.

    ID-Ransomware can now Identify Files Encrypted by FadeSoft
    Michael Gillespie added support for FadeSoft identification to ID-Ransomware.

    March 31st 2017

    New Android Ransomware Evades All Mobile Antivirus Solutions
    Zscaler has spotted a new strain of Android ransomware that could evade detection on all mobile antivirus engines at the time of its discovery. Currently targeting Russian-speaking users, this ransomware lacks basic decryption functionality. This means that users infected with this ransomware version cannot unlock their phones and regain access to their data, even if they pay the ransom.

    Introducing the Ugly LanRan Ransomware
    Don't ransomware developers have any pride anymore? This is obviously not apparent with the LanRan ransomware discovered by Karsten Hahn. This ransomware appears to be in-dev as it just sets the background and displays an ugly ransom lock screen. The contact email for this crapsomware is [email protected]

    New Variant of the Fantom Ransomware
    MalwareHunterTeam discovered a new variant of the Fantom Ransomware. When I took a look, it's quite different than its predecessors. This variant will encrypt files and rename them to a base64 encoded filename with an extension that is based on the time the ransomware started. The extension format is .. An example is Ny5wbmc=.11232323.
    The ransom note is named in a similar manner, with a name like RESTORE-FILES..11232323.hta. It logs the status of the infection process by retrieving one of these two images hxxp://iplogger.ru/1qzM6.gif or hxxp://iplogger.ru/1wzM6.gif. If it detects the user is from Russia, it terminates the process and deletes the infection from the computer.

    New version of CrypVault Found
    Karsten Hahn found a new version of CrypVault. This variant tells victims to contact [email protected]

    Ransom Hunt Underway for Cradle Ransomware
    Michael Gillespie initiated a ransomware hunt for a ransomware that uses the extension .cradle and drops a ransom note called _HOW_TO_UNLOCK_FILES_.html.

    Sanctions Ransomware Makes Fun of USA Sanctions Against Russia
    If you want to know what some ransomware developers think about the USA, you can get a good idea from the ransom note of the Sanctions Ransomware that was released in March. Dubbed Sanctions Ransomware due to the image in the ransom note, the developer makes it fairly obvious how they feel about the USA and their attempts to sanction Russia. Source
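The Fantom variant described in the round-up above renames each file to a base64 encoding of its original name plus a digit-only extension derived from when the run started (the write-up's example is Ny5wbmc=.11232323). That mapping is reversible, which is useful during response: an analyst can rebuild the original file inventory and group files by run without touching the encrypted content. The following is an added example and not code from the round-up or from any decryptor; the function names are constructed, and the pattern it parses is only what the text states (base64 name, a dot, digits), so other Fantom builds may differ.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Name pattern from the Fantom-variant write-up: <base64 of original name>.<digits>,
# e.g. Ny5wbmc=.11232323. The digit block is the run's time-based extension.
FANTOM_NAME_RE = re.compile(r"^(?P<b64>[A-Za-z0-9+/]+={0,2})\.(?P<stamp>\d+)$")


def recover_fantom_name(renamed: str) -> Optional[Tuple[str, str]]:
    """Return (original_name, run_stamp) for a Fantom-style file name, or None."""
    m = FANTOM_NAME_RE.match(renamed)
    if not m:
        return None
    try:
        original = base64.b64decode(m.group("b64"), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # bad padding, non-base64 characters, or not text
    # A real file name decodes to printable text; random bytes that happen to
    # look like base64 (e.g. "data.2017") do not.
    if not original or not original.isprintable():
        return None
    return original, m.group("stamp")


def fantom_rename(original: str, stamp: str) -> str:
    """Inverse mapping, used here only to build constructed samples."""
    return base64.b64encode(original.encode("utf-8")).decode("ascii") + "." + stamp


def inventory(names: List[str]) -> Dict[str, Dict[str, str]]:
    """Group recovered names by run stamp: {stamp: {renamed: original}}.

    Names that do not fit the pattern (ransom notes, untouched files) are skipped.
    """
    runs: Dict[str, Dict[str, str]] = {}
    for name in names:
        hit = recover_fantom_name(name)
        if hit:
            original, stamp = hit
            runs.setdefault(stamp, {})[name] = original
    return runs


if __name__ == "__main__":
    # Constructed directory listing: the write-up's example plus made-up entries.
    listing = ["Ny5wbmc=.11232323", fantom_rename("budget.xlsx", "11232323"),
               "RESTORE-FILES..11232323.hta", "readme.txt"]
    for stamp, files in inventory(listing).items():
        print(stamp, files)
```

Two distinct stamps in one tree indicate the ransomware ran more than once, which is worth recording in the timeline; the recovered names also let the restore-from-backup step be scoped to exactly the files that were touched.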