Showing results for tags 'ransomware'.
Found 256 results

  1. A malspam campaign is underway that pretends to be an invoice for an outstanding payment. When these invoices are opened they install the AZORult information-stealing Trojan and the Hermes 2.1 ransomware onto the recipient's computer. A recent sample of this campaign was shared with BleepingComputer by security researcher Yves Agostini, which was identified as installing AZORult and Hermes 2.1.

     These spam emails have a subject of "Invoice Due" and pretend to be about outstanding balances. They carry a Word document attachment called Invoice.doc, as shown below.

     [Image: Malspam with fake invoice attachment]

     These Word document attachments are password protected in order to make it more difficult for antivirus vendors to detect them as malicious. The password for these attachments is given in the malspam; in the case above, the password is 1234.

     [Image: Document asking for a password]

     Once a recipient enters the password, they will be greeted with the Enable Content prompt. For those who are not familiar with this button, once you click on it, Word will enable macros or other embedded scripts, which would then be executed.

     [Image: Enable Content prompt]

     In this case, when you click on Enable Content, the AZORult Trojan (azo.exe) will be downloaded and executed, which will then download and execute the Hermes 2.1 ransomware (hrms.exe).

     [Image: Fiddler showing download of malware]

     The Hermes 2.1 ransomware will be executed first and encrypts the files on the computer. This particular ransomware does not change the filenames, so the only way you would know you are infected is by spotting the DECRYPT_INFORMATION.html ransom notes as shown below.

     [Image: Hermes 2.1 ransom note]

     As always, beware of fake invoices or other unknown attachments. Furthermore, never open an attachment unless you are expecting it from the sender and have confirmed that they actually sent it to you. Otherwise, you never know what you will be opening and potentially infecting yourself with.

     IOCs

     Hashes:
     Hermes 2.1 Ransomware: 416235b085b6b86640cac3a78f0bd52583eed7154fc3666f5338bde96db10fab
     AZORult: 6ef12546c720ca40303dbf1ec391c967e5e0446c1e719d44001d3dcd2c2b8460

     Malspam Message:
     Subject: Invoice Due
     This is to inform you that there is still an outstanding payment of $12,340 USD. We would appriciate it if this could be settled no later than the 20th. I have attached the current invoice and the password for the document is: 1234
     Thank you.
     Federico Crowley

     Source
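The post gives two things a defender can act on: the lure (subject "Invoice Due", a password-protected Invoice.doc, the password handed over in the mail body) and two SHA-256 hashes. The script below is an added example and not part of the original post or BleepingComputer's tooling. It parses a message, scores the lure indicators, and hashes dropped files against the post's IOCs. The sample e-mail and file bytes are constructed for the example; the password regex, the attachment-extension list and the example.invalid addresses are assumptions of this example, not indicators from the post.

```python
"""Triage helper for the 'Invoice Due' malspam (added example, not from the post)."""
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# SHA-256 IOCs quoted in the post.
IOC_SHA256 = {
    "416235b085b6b86640cac3a78f0bd52583eed7154fc3666f5338bde96db10fab": "Hermes 2.1 ransomware",
    "6ef12546c720ca40303dbf1ec391c967e5e0446c1e719d44001d3dcd2c2b8460": "AZORult",
}
# Subject named in the post; extension list and password heuristic are this example's assumptions.
LURE_SUBJECTS = {"invoice due"}
MACRO_DOC_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm")
PASSWORD_HINT = re.compile(
    r"password\s+(?:for|of)\s+the\s+(?:document|file|attachment)\s+is[:\s]+(\S+)", re.I)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_email(raw: bytes) -> dict:
    """Return the campaign indicators found in one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = (msg["subject"] or "").strip()
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    office = [a for a in attachments if a.lower().endswith(MACRO_DOC_EXTENSIONS)]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    pw = PASSWORD_HINT.search(text)

    hits = []
    if subject.lower() in LURE_SUBJECTS:
        hits.append("subject matches campaign lure")
    if office:
        hits.append("macro-capable Office attachment: " + ", ".join(office))
    if office and pw:
        # A password-protected document is opaque to gateway AV, yet the password
        # travels in the same mail: the attachment is only protected from scanners.
        hits.append("attachment password disclosed in body: " + pw.group(1))
    return {"subject": subject, "attachments": attachments,
            "password": pw.group(1) if pw else None,
            "hits": hits, "suspicious": len(hits) >= 2}


def match_iocs(files: dict, iocs: dict = IOC_SHA256) -> dict:
    """Map file name -> IOC label for every file whose SHA-256 is a known IOC."""
    matches = {}
    for name, data in files.items():
        digest = sha256_hex(data)
        if digest in iocs:
            matches[name] = iocs[digest]
    return matches


def build_sample_malspam() -> bytes:
    """Constructed look-alike of the post's malspam (not a real capture)."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice Due"
    msg["From"] = "Federico Crowley <billing@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg.set_content(
        "This is to inform you that there is still an outstanding payment\n"
        "of $12,340 USD. I have attached the current invoice and the\n"
        "password for the document is: 1234\n")
    # OLE2 magic followed by filler: a placeholder, not a real document.
    msg.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
                       maintype="application", subtype="msword", filename="Invoice.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_email(build_sample_malspam()))
    print(match_iocs({"hrms.exe": b"constructed bytes, not the real sample"}))
```

Run it against a mailbox export or quarantine folder: anything with two or more hits deserves detonation before release, and any dropped executable whose hash matches the IOC table is the post's sample.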
  2. When hackers took over two-thirds of D.C. police’s surveillance cameras days before the 2017 presidential inauguration, it appeared that the cyberattack was limited to eliciting a single ransom payment. But court documents show that the alleged scheme that January was far more ambitious.

     Federal authorities say two Romanians accused in the hacking planned to use the police department computers to email ransomware to more than 179,000 accounts. That would have allowed them to extort those users as well — and use city government computers to hide their digital tracks.

     Prosecutors said the alleged hackers had also stolen banking credentials and account passwords, and, using the police computers, could have committed “fraud schemes with anonymity.” In addition, authorities said they uncovered a separate scheme run by the same people — an allegedly fraudulent business that tricked Amazon’s offices in Great Britain into sending money to the Romanians. (Amazon’s chief executive, Jeffrey P. Bezos, owns The Washington Post.)

     The intrusion in the District occurred Jan. 9-12, 2017, and caused 123 of the police department’s 187 surveillance cameras to go dark eight days before Donald Trump was sworn in as president, sparking national security concerns. It appears the timing was a coincidence; prosecutors said the hackers probably did not know that the computers were used by police.

     D.C. police say the incident did not affect safety or harm any investigations, but cybersecurity experts said it highlights the digital threat faced by governments and businesses and raises questions about the city’s ability to quickly identify hacking.

     “The question we should be asking of police is what controls were lacking and why were they unable to detect such an obvious intrusion,” said Alex Rice, the chief technology officer and co-founder of HackerOne, a California firm that works with companies and the Defense Department to test computer security.

     District officials said they are working hard to protect the city against a constant stream of cyberattacks. They did not answer questions specifically about the police cameras, citing the ongoing criminal investigation.

     Kevin Donahue, the deputy mayor for public safety, said in a statement that the District’s cybersecurity program “is critical to our public safety, health care, and public education agencies.” His statement added that “each year, we see more than one billion malicious intrusion attempts, including ransomware, denial of service, and phishing attacks. We are continuously working to improve our cybersecurity defenses to ensure they protect our IT systems from the constantly evolving methods of cyber attacks.”

     The U.S. attorney’s office for the District is seeking to extradite Mihai Alexandru Isvanca, 25, from Romania. His alleged accomplice, Eveline Cismaru, 28, has been extradited. She made her initial appearance on Friday in U.S. District Court in Washington. Prosecutors said Cismaru lacks ties to the United States and fled Romania while appealing a court order to extradite her from there to the United States. Authorities tracked her to London, where she was arrested, prosecutors said in court documents filed Friday.

     Isvanca and Cismaru have been charged with fraud and computer crimes and face 20 years in prison if convicted. An attorney for Isvanca did not return calls seeking comment. Cary Citronberg, who is representing Cismaru, said in a statement that his client has a 2-year-old son in Europe. “We believe Ms. Cismaru belongs back with her son and we are hopeful she will be able to put this ordeal behind her quickly so she can be reunited with her family,” he said. A hearing in federal court is scheduled for Aug. 16. Cismaru is being detained.

     Police say the alleged hackers were detected only when they shut the system down. D.C. police said the hack that locked up the system was noticed after a city employee tried to sign on to the computer system that runs the outdoor cameras and saw a “splashscreen.” A notice highlighted in red announced a “cerber ransomware” and warned that “your documents, photos, databases and other important files have been encrypted!” It said the system could be unlocked with a bitcoin payment of more than $60,000.

     Cerber, along with “dharma,” are two types of ransomware programs. Both had been downloaded onto the police system that runs the cameras. Authorities said the hackers routed emails through the police servers, including some sent to “vand.suflete” on Gmail. The term in Romanian means “selling souls.”

     D.C. officials quickly took the closed-circuit TV system offline, removed the software and restarted the cameras. They ignored the ransom demand.

     Authorities said they later learned that some of the emails routed through the police computers referenced IP addresses (a computer’s unique address) that did not include systems owned by D.C. police. Authorities said one was a health-care company in London. One browser downloaded onto the police computer had a user name listed as “David Andrew” with a Gmail account of “david.andrews2005.”

     In one affidavit filed in the case by the Secret Service, prosecutors say Isvanca and Cismaru also set up a fake company called Lake L. and linked it to Amazon.com.uk. Authorities said investigators found some of the same emails used by the fake company as used by the hackers on the police computers. When people placed orders with Amazon, the affidavit says, the suspects used stolen credit cards to buy the requested items at another website. Once those items were shipped from the other website, the affidavit says the suspects provided those postal tracking numbers to Amazon, which then released the money paid by the purchasers to the suspects.

     Police in Romania and in the United States were able to track various computer IP addresses and email accounts to the suspects, according to the affidavit. One tip came from an online takeout order from Andy’s Pizza, a restaurant in Bucharest. The person placed an order on Jan. 9, 2017 — the same day the D.C. computers were hacked — using the david.andrews2005 account and giving the clerk the name “Mihai Alexandru,” according to an invoice pulled by police and referenced in the affidavit filed in federal court. Later, during an interview with investigators, the affidavit says Isvanca told them that Cismaru lived in a fifth-floor apartment on Strada Bucur, near downtown and where the takeout order had originated. That, police said, helped them link the email address to the suspects.

     Rice said that police in cyber-investigations try to collect hard evidence such as paper receipts to make it more difficult for a defendant to argue that someone else had used or hacked a computer. The receipt from Andy’s, Rice said, is probably that type of evidence.

     Rice said it appears that U.S. and foreign law enforcement agencies worked well together, but he warned “that we can’t rely on law enforcement as a deterrent” to cybercrimes. “We have got to hold companies and organizations responsible for implementing basic security practices that make it difficult for criminals. They are tempted by this low-level fruit.”

     Source
  3. COSCO Shipping Lines confirmed that it has been hit by a cyber attack impacting its internet connection within its offices in America. As such, local email and network telephone were not working properly and the company decided to shut down the connections with other regions for further investigation.

     Based on the information released so far, the incident that took place on Tuesday, July 24, was described as a ransomware attack. The Chinese shipping and logistics company said that its vessels were not impacted and that its main business operation systems were performing stably. However, COSCO’s terminal at the Port of Long Beach was affected.

     “We are glad to inform you that we have taken effective measures. Except for above regions affected by the network problem, the business operation within all other regions will be recovered very soon. The business operations in the affected regions are still being carried out, and we are trying best to make a full and quick recovery. We will keep you updated of the latest progress through various channels,” the company said.

     The latest attack is a stark reminder of the ever growing threat from cyber attacks in the maritime world, which is becoming increasingly dependent on digital technology. Even though the impact was not as severe as the one experienced by Maersk Group in June 2017, companies are encouraged to boost their cyber security if they want to avoid the scenario that cost Maersk around USD 300 million.

     Source
  4. Bitdefender 2019 - Stable - Final - Online/Offline Standalone Installers For Windows [x86 & x64]

     More Info/Official News: https://www.bitdefender.com/news/bitdefender-new-security-line-will-stop-most-sophisticated-attacks-3533.html
     BD 2019 Home/Home Office Forum: https://forum.bitdefender.com/index.php?/forum/536-bitdefender-2019-products/
     BD TS 2019 Support: https://www.bitdefender.com/consumer/support/product/26925/
     Improvements in BD 2019: https://www.bitdefender.com/consumer/support/answer/13353/
     Changelog - gathered by Wortex/bitdefender forum: https://www.bitdefender.com/media/html/consumer/new/launch2019-opt/

     Online Installers:
     Bitdefender Antivirus Plus 2019
       Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
       XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe
     Bitdefender Internet Security 2019
       Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
       XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe
     Bitdefender Total Security 2019
       Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
       XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe

     Offline Installers and Install Guide:
     Bitdefender 2019 Offline Installation Guide:
     Bitdefender 2019 AV Plus / Internet Security / Total Security - Standalone Installers [Windows]:
       32bit [x86] - [Size: 428 MB]: https://download.bitdefender.com/windows/desktop/connect/cl/2019/all/bitdefender_ts_23_32b.exe
       64bit [x64] - [Size: 456 MB]: https://download.bitdefender.com/windows/desktop/connect/cl/2019/all/bitdefender_ts_23_64b.exe
     Bitdefender Agent - 2019 - Universal [Same Agent for AV Plus / IS / TS]:

     Install Notes:
     Precaution Note: If you've already installed an older version of Bitdefender [incl. 2016 version], we are sure that you'll lose your settings. Please take note of your configuration, settings, whitelisted files and links. Also read the support page link above for upgrading to/installing Bitdefender 2019.
     Download and install Bitdefender Agent. When it starts downloading the install files, stop/close it immediately.
       Note: Check that the Agent is installed only once in "Add/Remove Programs" or "Programs & Features".
       Note: Check in "Program Files" for a folder named "Bitdefender Agent".
     Now start the offline installer and proceed with the installation.
       Note: Please choose the respective download link based on architecture (x86/x64) for a smooth installation.
       Note: Don't worry about AV Plus/IS/TS. The installer automatically modifies the installation depending on the license you entered.
     Once installation is done, configure accordingly for best protection and to avoid files from getting deleted. Configure whitelisted files and links if you have any. It is better to keep a note of the configured settings for future use.

     User Guide:
     Bitdefender Antivirus Plus 2019: https://download.bitdefender.com/resources/media/materials/2019/userguides/en_EN/bitdefender_av_2019_userguide_en.pdf
     Bitdefender Internet Security 2019: https://download.bitdefender.com/resources/media/materials/2019/userguides/en_EN/bitdefender_is_2019_userguide_en.pdf
     Bitdefender Total Security 2019: https://download.bitdefender.com/resources/media/materials/2019/userguides/en_EN/bitdefender_ts_2019_userguide_en.pdf

     Uninstall Tool:
     Uninstall Tools Home: https://www.bitdefender.com/site/view/uninstall_consumer_paid.html
     Uninstall Tool For Bitdefender 2018 Products: https://www.bitdefender.com/files/KnowledgeBase/file/Bitdefender_2018_UninstallTool.exe
       NOTE: The Bitdefender 2018 Uninstall Tool requires KB2999226. If you haven't installed it, you'll get the error "api-ms-win-crt-runtime-l1-1-0.dll" missing. You can download it here - KB2999226
     Uninstall Tool For Bitdefender 2017 Products: http://www.bitdefender.com/files/KnowledgeBase/file/Bitdefender_2017_UninstallTool.exe
       NOTE: The Bitdefender 2017 Uninstall Tool requires KB2999226. If you haven't installed it, you'll get the error "api-ms-win-crt-runtime-l1-1-0.dll" missing. You can download it here - KB2999226
     Uninstall Tool For Bitdefender 2016 Products: http://www.bitdefender.com/files/KnowledgeBase/file/Bitdefender_2016_UninstallTool.exe
     Uninstall Tool For Bitdefender 2015 / 2014 / 2013 Products: http://www.bitdefender.com/files/KnowledgeBase/file/The_New_Bitdefender_UninstallTool.exe
     Uninstall Tool For Bitdefender 2012 Products and Earlier: http://www.bitdefender.com/files/KnowledgeBase/file/BitDefender_Uninstall_Tool.exe

     @[email protected] Does my revealed new ac extn method, modified as the Jedi II 2018 TR tool by Jedi/Polylak, work with 2019? If not, check the TR release 2019. Thanks.
  5. Security researchers have discovered an interesting piece of malware that infects systems with either a cryptocurrency miner or ransomware, depending upon their configurations to decide which of the two schemes could be more profitable.

     While ransomware is a type of malware that locks your computer and prevents you from accessing the encrypted data until you pay a ransom to get the decryption key required to decrypt your files, cryptocurrency miners utilize the infected system's CPU power to mine digital currencies.

     Both ransomware and cryptocurrency mining-based attacks have been the top threats so far this year and share many similarities: both are non-sophisticated attacks, carried out for money against non-targeted users, and involve digital currency. However, since locking a computer for ransom doesn't always guarantee a payback in case victims have nothing essential to lose, in past months cybercriminals have shifted more towards fraudulent cryptocurrency mining as a method of extracting money using victims' computers.

     Researchers at Russian security firm Kaspersky Labs have discovered a new variant of the Rakhni ransomware family, which has now been upgraded to include cryptocurrency mining capability as well. Written in the Delphi programming language, the Rakhni malware is being spread using spear-phishing emails with an MS Word file in the attachment, which if opened, prompts the victim to save the document and enable editing. The document includes a PDF icon, which if clicked, launches a malicious executable on the victim's computer and immediately displays a fake error message box upon execution, tricking victims into thinking that a system file required to open the document is missing.

     How Malware Decides What To Do

     However, in the background, the malware then performs many anti-VM and anti-sandbox checks to decide if it could infect the system without being caught. If all conditions are met, the malware then performs more checks to decide the final infection payload, i.e., ransomware or miner.

     1.) Installs ransomware if the target system has a 'Bitcoin' folder in the AppData section. Before encrypting files with the RSA-1024 encryption algorithm, the malware terminates all processes that match a predefined list of popular applications and then displays a ransom note via a text file.
     2.) Installs a cryptocurrency miner if the 'Bitcoin' folder doesn't exist and the machine has more than two logical processors. If the system gets infected with a cryptocurrency miner, it uses the MinerGate utility to mine Monero (XMR), Monero Original (XMO) and Dashcoin (DSH) cryptocurrencies in the background. Besides this, the malware uses the CertMgr.exe utility to install fake root certificates that claim to have been issued by Microsoft Corporation and Adobe Systems Incorporated in an attempt to disguise the miner as a trusted process.
     3.) Activates a worm component if there's no 'Bitcoin' folder and just one logical processor. This component helps the malware to copy itself to all the computers located in the local network using shared resources.

     Regardless of which infection is chosen, the malware checks whether one of the listed antivirus processes is running. If no AV process is found in the system, the malware will run several cmd commands in an attempt to disable Windows Defender.

     What's More? There's A Spyware Feature As Well

     This malware variant is targeting users primarily in Russia (95.5%), while a small number of infections have been noticed in Kazakhstan (1.36%), Ukraine (0.57%), Germany (0.49%), and India (0.41%) as well.

     The best way to prevent yourself from becoming a victim of such attacks in the first place is never to open suspicious files and links provided in an email. Also, always keep a good backup routine and updated anti-virus software in place.

     Source
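The payload decision and the side effects described above (a MinerGate-based miner, fake root certificates claiming Microsoft or Adobe, cmd commands that switch off Windows Defender) are what an incident responder would hunt for. The script below is an added example, not Kaspersky's analysis code or the malware's. predict_branch() encodes the selection logic the write-up describes so a host's facts can be mapped to the payload it would have received; hunt() runs over constructed host telemetry and flags the indicators. The post does not list the exact Defender-disabling commands, so the command patterns, the MinerGate binary names and the certificate thumbprints are assumptions of this example.

```python
"""Rakhni hunting helpers (added example; the write-up names the behaviour, not the code)."""
import re
from dataclasses import dataclass


def predict_branch(has_appdata_bitcoin_dir: bool, logical_cpus: int) -> str:
    """Payload selection as described: wallet folder -> ransomware; otherwise
    more than two logical CPUs -> miner; a single CPU -> worm."""
    if has_appdata_bitcoin_dir:
        return "ransomware"
    if logical_cpus > 2:
        return "miner"
    if logical_cpus == 1:
        return "worm"
    return "unknown"  # exactly two CPUs and no wallet: not covered by the write-up


@dataclass
class Proc:
    name: str
    cmdline: str


@dataclass
class RootCert:
    subject: str
    issuer: str
    sha1: str


# Binary names for the MinerGate utility are an assumption of this example.
MINER_NAMES = {"minergate.exe", "minergate-cli.exe"}
# Common Defender-disabling commands; the post does not list the actual ones used.
DEFENDER_KILL = [
    re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    re.compile(r"DisableAntiSpyware", re.I),
    re.compile(r"sc(\.exe)?\s+(stop|config)\s+WinDefend", re.I),
    re.compile(r"taskkill.*MsMpEng", re.I),
]
SPOOFED_VENDORS = ("Microsoft", "Adobe")


def hunt(procs, certs, trusted_root_sha1: set) -> list:
    """Flag miner processes, root-store writes, Defender tampering, and root
    certificates that claim a big vendor but are absent from a clean baseline."""
    findings = []
    for p in procs:
        name = p.name.lower()
        if name in MINER_NAMES or "minergate" in p.cmdline.lower():
            findings.append(f"miner process: {p.name}")
        if name in ("certmgr.exe", "certutil.exe") and re.search(r"\b(root|addstore)\b", p.cmdline, re.I):
            findings.append(f"root store modification: {p.cmdline}")
        if any(rx.search(p.cmdline) for rx in DEFENDER_KILL):
            findings.append(f"defender tampering: {p.cmdline}")
    for c in certs:
        claims_vendor = any(v in c.issuer or v in c.subject for v in SPOOFED_VENDORS)
        if claims_vendor and c.sha1.lower() not in trusted_root_sha1:
            findings.append(f"untrusted root cert claiming vendor: {c.subject} ({c.sha1})")
    return findings


def sample_telemetry():
    """Constructed telemetry for the example; thumbprints are placeholders, not real values."""
    procs = [
        Proc("explorer.exe", r"C:\Windows\explorer.exe"),
        Proc("minergate-cli.exe", "minergate-cli.exe -user miner@example.invalid xmr"),
        Proc("certmgr.exe", "CertMgr.exe -add -c fake.cer -s -r localMachine root"),
        Proc("cmd.exe", r'cmd.exe /c reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" '
                        r"/v DisableAntiSpyware /t REG_DWORD /d 1 /f"),
    ]
    certs = [
        RootCert("CN=Microsoft Root Certificate Authority", "CN=Microsoft Root Certificate Authority", "aa" * 20),
        RootCert("CN=Microsoft Corporation", "CN=Microsoft Corporation", "bb" * 20),
    ]
    # Baseline of root thumbprints exported from a known-clean reference host.
    trusted = {"aa" * 20}
    return procs, certs, trusted


if __name__ == "__main__":
    print(predict_branch(False, 4))
    for f in hunt(*sample_telemetry()):
        print(f)
```

The certificate check is the part worth keeping: a root certificate whose subject says "Microsoft Corporation" proves nothing, only a thumbprint present in a baseline exported from a clean machine does.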
  6. Monitoring cyberthreats over time reveals interesting insights into the strategies used by cybercriminals and the evolution of the attack vectors they target. While the threat landscape continues to be quite diversified, trends do seem to run in predictable cycles. For example, over the last year or so ransomware has risen to become one of the most dominant threats plaguing organizations, especially in the market sectors of healthcare, finance, and education. As more and more cybercriminals have jumped on the bandwagon, ransomware as a service and dozens of variations targeting organizations across the globe have practically turned it into a commodity.

     As it has evolved it has leveraged new delivery channels such as social engineering, new techniques such as multi-stage attacks to evade detection and infect systems, and new methods of payment often involving fledgling cryptocurrencies. For example, GandCrab ransomware emerged in January with the distinction of being the first ransomware to require Dash cryptocurrency as a payment. According to Europol, it claimed 50,000 victims in less than a month. BlackRuby and SamSam were two other ransomware variants that emerged during the first quarter of 2018, with SamSam achieving special notoriety for taking down the administrative infrastructure of a major US city in March. And a separate ransomware attack, known as Olympic Destroyer, targeted the Winter Olympics just before the opening ceremonies. The U.S. government also announced the discovery of malware variants, known as HARDRAIN and BADCALL, which have been attributed to the North Korean threat team known as HIDDEN COBRA.

     Ransomware volume dropped in Q1 of 2018

     But in spite of these continued developments, threat researchers have begun to notice some recent shifts in the ransomware trend. One measure of the success of malware is the number of organizations it is able to impact. In Q4 of 2017, for example, nine different malware varieties, including ransomware variants, had each managed to infect more than 10% of all organizations. This had been a trend for several quarters. Then suddenly, in Q1 of 2018 the number of threats that managed to crack the ‘1 in 10 organizations infected’ threshold dropped to three, and none of them were ransomware. This sudden change prompted the obvious question of “what happened?” The short answer is, “cryptojacking happened,” as two of the three malware varieties that made the 10% list were cryptojacking malware, an emerging attack vector that has seen truly remarkable growth during the first few months of 2018.

     Cryptojacking affects more than 1 in 4 organizations

     Cryptojacking malware grew from impacting 13% of all organizations in Q4 of 2017 to 28% of companies in Q1 of 2018, more than doubling its footprint. And the growth of this malware variety has been detected across every region of the globe. It’s rare that a threat bursts onto the scene and moves so quickly to the forefront, but that’s exactly what we’ve witnessed with cryptojacking over the last two quarters. It is also showing incredible diversity for such a relatively new threat. Cryptominers have been documented targeting multiple operating systems and mining for a variety of cryptocurrencies.

     There also seem to be technical links between the ransomware and cryptojacking criminal communities. For example, ETERNAL BLUE was originally used in the WannaCry ransomware exploit. It has now been repurposed for a cryptojacking campaign called WannaMine. In addition, NotPetya’s use of Mimikatz (a hugely popular credential-stealing tool used for lateral movement) has also been mimicked by recent cryptojacking campaigns. And remember that Apache Struts vulnerability that compromised Equifax last fall? Cryptominers are targeting that as well. Even the recent Drupal vulnerability has already been weaponized for cryptojacking.

     Of course, ransomware and cryptojacking are fairly similar in terms of how they need to penetrate and spread between systems. But this may be more than just a case of one threat copycatting another. Ransomware has some inherent limitations, such as a poor long-term strategy for leveraging existing victims for additional revenue. Once ransomware hits an organization, criminals usually move on to the next victim. Another of the challenges ransomware faces is its high profile. Corporations have seen the economic and reputational impact of such a compromise, and do not want to get caught in a ransomware snare. So IT teams are on high alert to protect their networks, and are adopting a combination of advanced malware detection, network segmentation, patching, and offsite backups to fight back. As a result, more and more organizations are now able to simply refuse to pay a ransom because they can limit the impact of a ransomware attack and quickly restore whichever segment of the network was impacted. All of which complicates the criminal’s job of maintaining and updating ransomware to stay ahead of existing countermeasures. Like any successful enterprise, many cybercrime organizations understand the maxim, “work smarter, not harder.”

     Cryptojacking is a very different model

     Cryptojackers have clearly discovered that, if done properly, leveraging the processing power of a hijacked system to mine for cryptocurrencies can be a potentially long-term profitable venture. Cryptojacking uses malware (typically via a script loaded into a web browser) to steal unused CPU cycles and use them to perform cryptomining calculations. This can be done either by directly infecting a device with malware, or by indirectly stealing processing cycles when a user visits a compromised website. New cryptojacking variations inject malicious JavaScript into a vulnerable website. Victims who simply browse such an infected site will have their CPU cycles hijacked to perform cryptomining.

     Unlike ransomware, the success of this attack vector depends on not being detected. New rate-limiting variations, for example, restrict their cryptojacking malware from ever consuming more than a certain percentage of available CPU, and can even back off when legitimate usage hits a certain threshold. This allows the malware to fly under the radar of users, as it never interrupts normal device operations. Cryptojackers who manage to develop and maintain a network of hijacked machines and aggregate the results through a central command and control center are able to generate revenue with only a fraction of the attention caused by ransomware. Which is why we expect continued investment and innovation in this criminal business model.

     What your organization can do

     If you are worried that your systems might be mining for, and lining the pockets of, cybercriminals, start by checking the Task Manager (Windows), Activity Monitor (Mac), or “top” on the Linux command line on your connected devices. Collecting and listing the processes running across your network and then cross-referencing them against lists of legitimate software or known cryptojacking malware is one way to identify and address any application that’s surreptitiously consuming resources. The challenge is that many organizations don’t even maintain a current inventory of connected devices, let alone have some way to see what applications are running or how many resources they are consuming. Which is why a centralized management, orchestration, and IoC interface is essential for any security management system or SOC. This is part of the larger challenge that IT teams face, which is simply finding the time or tools necessary to perform these sorts of basic security hygiene activities. Far too many IT teams today are simply stretched too thin implementing digital transformation projects to focus on new threat vectors.

     Complicating things further, encrypted data is now nearly 60% of all network traffic, rising another 6% in Q1 of 2018 alone. As cybercriminals increasingly use SSL and TLS encryption to hide malicious code or to exfiltrate data, inspecting encrypted traffic is increasingly crucial. Unfortunately, many legacy threat detection devices and signature-based antivirus tools currently in place don’t have the horsepower necessary to adequately inspect encrypted traffic at this volume without crippling network throughput. Cybercriminals understand this. Which is part of the reason why they constantly shift tactics, tools, and technologies. Since organizations are unlikely to get a huge increase in budget and resources, they, like their cybercriminal enemies, also need to work smarter rather than harder. What’s needed is an integrated, automated security system that spans the distributed network to see threats and detect malware, including inspecting encrypted traffic at wire speeds, and then make autonomous decisions that can marshal all available resources to respond to those threats in real time. Until that happens, cybercriminals are likely to remain one step ahead in the security arms race.

     Source
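The "What your organization can do" section suggests collecting process lists and cross-referencing them against known software, and the section before it explains why a CPU threshold alone is not enough: rate-limiting miners deliberately stay below it. The script below is an added example and not Fortinet's tooling. It parses `ps -eo pid,pcpu,comm,args` style output, cross-references each process against an allowlist of expected software and a small set of miner indicators, and reports both unknown heavy consumers and quiet processes whose command line points at a mining pool. The sample lines, the allowlist, the miner names and the pool patterns are constructed assumptions for the example.

```python
"""Process triage for cryptojacking (added example, not from the original post)."""
import re

# Assumed indicator sets for the example; extend from your own threat intel.
KNOWN_MINERS = {"xmrig", "minerd", "cpuminer", "minergate-cli", "wannamine"}
POOL_RE = re.compile(r"stratum\+(tcp|ssl)://|--donate-level|\bnicehash\b|\bxmr\b|monero", re.I)
CPU_THRESHOLD = 40.0  # percent; rate-limited miners will sit well below this


def parse_ps(text: str) -> list:
    """Parse 'ps -eo pid,pcpu,comm,args' output into rows; the header line is skipped."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, pcpu, comm, args = parts
        rows.append({"pid": int(pid), "pcpu": float(pcpu), "comm": comm, "args": args})
    return rows


def triage(rows: list, allowlist: set) -> list:
    """Return one finding per suspicious process with the reasons it was flagged."""
    findings = []
    for r in rows:
        comm = r["comm"].lower()
        reasons = []
        if comm in KNOWN_MINERS:
            reasons.append("known miner binary")
        if POOL_RE.search(r["args"]):
            reasons.append("mining-pool command line")
        if comm not in allowlist and r["pcpu"] >= CPU_THRESHOLD:
            reasons.append(f"unknown process at {r['pcpu']:.0f}% CPU")
        if reasons and r["pcpu"] < CPU_THRESHOLD:
            # Indicators present but CPU kept low: the rate-limiting behaviour
            # the article describes, which a plain CPU threshold would miss.
            reasons.append("CPU kept low: consistent with rate-limited miner")
        if reasons:
            findings.append({"pid": r["pid"], "comm": r["comm"], "reasons": reasons})
    return findings


# Constructed sample (not a real capture): a miner disguised as 'kworker' and a
# throttled xmrig. Wallet and pool names are placeholders.
SAMPLE_PS = """\
  PID %CPU COMMAND         COMMAND
  812  0.3 sshd            /usr/sbin/sshd -D
 1420 87.5 kworker         ./kworker -o stratum+tcp://pool.example.invalid:3333 -u walletaddr -p x
 2231  9.8 xmrig           /tmp/.x/xmrig --max-cpu-usage 10 -o pool.example.invalid:4444 -u walletaddr
 2240 12.0 postgres        /usr/lib/postgresql/bin/postgres -D /var/lib/postgresql
"""
SAMPLE_ALLOWLIST = {"sshd", "postgres", "systemd", "bash", "cron", "rsyslogd"}


def run_sample() -> list:
    return triage(parse_ps(SAMPLE_PS), SAMPLE_ALLOWLIST)


if __name__ == "__main__":
    for f in run_sample():
        print(f["pid"], f["comm"], "; ".join(f["reasons"]))
```

On a real fleet, feed it the output of `ps -eo pid,pcpu,comm,args` collected from every host and build the allowlist from your software inventory; the inventory is the hard part, as the article says, and the script is only useful once it exists.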
  7. GandCrab v4 ransomware – the dangerous file locking virus that came back with its 4th version GandCrab v4 ransomware is the newest variant of the GandCrab family and was first noticed by security experts[1] at the start of July 2018. This crypto-virus uses AES-256 (CBC mode) and RSA-2048 encryption algorithm to encrypt data and then ads .KRAB appendix to each of the affected files. Soon after that, the malware drops a ransom note CRAB-DECRYPT.txt or KRAB-DECRYPT.txt, which explains to users that the only way to recover data is to pay cybercriminals in Bitcoin cryptocurrency. Security experts found evidence that Romanian-born hackers created the newest variant of the virus. Although crooks behind previous versions of malware were stopped and file-decrypting tool was created, it is still not the case with GandCrab v4 virus. As the cyber threat is still brand new, security researchers might develop the decryptor in the future. Unfortunately, as of now, recovering your files without the key is almost impossible. Nevertheless, the first step to normal computer operation is GandCrab v4 ransomware removal. The crypto-malware usually infiltrates machines via contaminated file attachments in spam e-mails, breaks in through a poorly protected RDP,[2] using software vulnerabilities or via executables found on malicious websites (such as file-sharing or torrent sites). As soon as GandCrab v4 virus enters, it performs a full system scans, looking for files to encrypt. After that, it appends the .KRAB extension to all video, audio, photo, database, image files. Therefore, a picture.jpg is modified to picture.jpg.KRAB and becomes inaccessible. The key that could unlock files is located on a server which is only reachable to GandCrab v4 cybercrooks. The worst part is that each of the keys is generated separately for each of the infected computers, making it impossible to re-use it. Nevertheless, security researchers[3] do not recommend paying ransom under any circumstances. 
Hackers are known to ignore victims and never send the promised key. Additionally, the bad actors could instead send more malware which could inflict further damage to your machine. Therefore, do not panic if KRAB extension locks your files. Simply download and install Reimage, Plumbytes Anti-Malware, Malwarebytes Anti Malware or any other reputable security software and run a full system scan. This will help you to remove GandCrab v4 ransomware effectively. Only after elimination procedure, you can attempt file recovery. Unfortunately, the only safe way to get your files back is by using backups (either by using cloud services or a physical external storage device, such as USB stick or an external HDD). Thus, even if you do not think that you could get infected, still back-up your data regularly, as it can save your precious files from destruction. GandCrab v4 is a non-decryptable crypto-virus that locks up all personal files on the computer and demands ransom in Bitcoins for its release Avoid opening emails that look or feel suspicious Contaminated attachments in phishing emails are usually the main culprit of the ransomware infection. Hackers often abuse the fact that users are careless when it comes to computer safety and employ bots to send out thousands of spam emails that may look very believable. As soon as the victim clicks on the malicious attachment, the payload of the virus is executed, and all files are locked. To avoid that, carefully examine emails and do not click any links or on the attachments if you are not 100% sure that they are legitimate. Other ways dangerous malware can be injected into the machine include: Exploit kits; Unprotected RDP; Using botnets; Infected executable files on file-sharing sites and P2P networks; Cracked or re-packed software; Fake updates, etc. Remove GandCrab v4 using reputable security software To remove GandCrab V4 virus safely, you need to employ anti-malware software. 
Having a reputable security tool installed is mandatory if you want to protect yourself from dangers online. However, if you are still not using any protection, your computer is in imminent danger. Thus, download Reimage, Plumbytes Anti-Malware or Malwarebytes Anti Malware and bring it up to date. If malware is preventing the anti-virus program from operating properly, enter Safe Mode with Networking, as explained below.

Only after full GandCrab v4 removal can you attempt to recover your files. Otherwise, they will get encrypted again. Therefore, if you own a backup of your data, DO NOT CONNECT it before the virus is eliminated. If you do not have a backup, you can attempt file recovery by using third-party software, which we explain how to apply below.

To remove GandCrab v4 virus, follow these steps:
Method 1. Remove GandCrab v4 using Safe Mode with Networking
Method 2. Remove GandCrab v4 using System Restore
Bonus: Recover your data

Remove GandCrab v4 using Safe Mode with Networking

To get rid of the GandCrab V4 virus safely, enter Safe Mode with Networking the following way:

Step 1: Reboot your computer to Safe Mode with Networking

Windows 7 / Vista / XP
Click Start → Shutdown → Restart → OK.
When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
Select Safe Mode with Networking from the list.

Windows 10 / Windows 8
Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.

Step 2: Remove GandCrab v4

Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete GandCrab v4 removal.
If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove GandCrab v4 using System Restore

You can try to eliminate the malware using System Restore:

Step 1: Reboot your computer to Safe Mode with Command Prompt

Windows 7 / Vista / XP
Click Start → Shutdown → Restart → OK.
When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
Select Command Prompt from the list.

Windows 10 / Windows 8
Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.

Step 2: Restore your system files and settings

Once the Command Prompt window shows up, enter cd restore and click Enter.
Now type rstrui.exe and press Enter again.
When a new window shows up, click Next and select your restore point that is prior to the infiltration of GandCrab v4. After doing that, click Next.
Now click Yes to start system restore.
Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that GandCrab v4 removal is performed successfully.

Bonus: Recover your data

The guide which is presented above is supposed to help you remove GandCrab v4 from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts. Although for some paying the ransom seems like a good idea, we do not recommend doing that. Not only can you lose your money but also damage your PC even further. Besides, you will be funding cybercriminals and their malicious acts. Instead, try some alternative solutions presented below.

Use Data Recovery Pro

Data Recovery Pro can be a useful tool when it comes to ransomware-infected files.
Although there is a chance it won't work, you should try using it.
Download Data Recovery Pro (https://www.2-spyware.com/download/data-recovery-pro-setup.exe);
Follow the steps of Data Recovery Setup and install the program on your computer;
Launch it and scan your computer for files encrypted by GandCrab v4 ransomware;
Restore them.

Recover your files using Windows Previous Versions Feature

This method can only function if you had the System Restore feature enabled before the ransomware locked up your files. Besides, only one file at a time can be recovered. Thus, getting back a large amount of data might be impossible.
Find an encrypted file you need to restore and right-click on it;
Select “Properties” and go to the “Previous versions” tab;
Here, check each of the available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

You can try ShadowExplorer

ShadowExplorer can only be useful if the virus left Shadow Volume Copies intact.
Download Shadow Explorer (http://shadowexplorer.com/);
Follow the Shadow Explorer Setup Wizard and install this application on your computer;
Launch the program and go through the drop-down menu in the top left corner to select the disk of your encrypted data. Check what folders are there;
Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Try using GandCrab decryptor

Although there is a low chance that the original decryptor will work, you can still download it and try using it.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from GandCrab v4 and other ransomware, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-Malware or Malwarebytes Anti Malware

source
  8. On Monday, Michigan Governor Rick Snyder signed two bills into law that criminalize the possession of ransomware “with the intent to introduce it into a computer or computer network without authorization” and punish offenders with a three-year prison sentence, respectively.

Legislators initially sought a ten-year prison sentence, but this was knocked down to three years in subsequent deliberations.

Two new laws correct a legislative loophole

The two new laws —PAs 95 and 96 of 2018— are based on two bills —HB-5257 and HB-5258— introduced last year by Michigan House Representative Brandt Iden, of Oshtemo, and Representative James Lower, of Cedar Lake, respectively.

Rep. Iden said he wanted to correct a legislative loophole that only punished cybercriminals for using the ransomware, but not possessing it. According to the new bill, if a suspected cybercriminal is arrested and ransomware is found on his computer, the suspect would end up in prison, even if he didn't get to infect any victims.

This, in theory, should make it easier for state authorities to go after suspected ransomware developers, affiliates, and others involved in Ransomware-as-a-Service operations. Just like most crimes, investigators must prove "intent to use" before charging someone with ransomware possession, which is now a felony.

Michigan legislators weren't absurd —unlike their Georgia fellows— and left room for security experts to possess ransomware for research purposes.

1,300+ ransomware incidents reported in Michigan last year

According to FBI statistics, there were over 1,300 ransomware incidents reported in the state of Michigan last year, with damages estimated at around $2.6 million.
"Cybercrime and tough measures to combat it is a rapidly evolving effort, and it’s integral our law enforcement agencies have the tools to identify, prevent and penalize it," Gov. Snyder said on Monday. Both bills passed with the same vote tallies, 103 to 3 in the House, and 34 to 0 in the Michigan Senate. Source
  9. In the news, Boeing (an aircraft maker) has been "targeted by a WannaCry virus attack". Phrased this way, it's implausible. There are no new attacks targeting people with WannaCry. There is either no WannaCry, or it's simply a continuation of the attack from a year ago. It's possible what happened is that an anti-virus product called a new virus "WannaCry". Virus families are often related, and sometimes a distant relative gets called the same thing. I know this watching the way various anti-virus products label my own software, which isn't a virus, but which virus writers often include with their own stuff. The Lazarus group, which is believed to be responsible for WannaCry, have whole virus families like this. Thus, just because an AV product claims you are infected with WannaCry doesn't mean it's the same thing that everyone else is calling WannaCry. Famously, WannaCry was the first virus/ransomware/worm that used the NSA ETERNALBLUE exploit. Other viruses have since added the exploit, and of course, hackers use it when attacking systems. It may be that a network intrusion detection system detected ETERNALBLUE, which people then assumed was due to WannaCry. It may actually have been an nPetya infection instead (nPetya was the second major virus/worm/ransomware to use the exploit). Or it could be the real WannaCry, but it's probably not a new "attack" that "targets" Boeing. Instead, it's likely a continuation from WannaCry's first appearance. WannaCry is a worm, which means it spreads automatically after it was launched, for years, without anybody in control. Infected machines still exist, unnoticed by their owners, attacking random machines on the Internet. If you plug in an unpatched computer onto the raw Internet, without the benefit of a firewall, it'll get infected within an hour. However, the Boeing manufacturing systems that were infected were not on the Internet, so what happened? 
The narrative from the news stories implies some nefarious hacker activity that "targeted" Boeing, but that's unlikely. We now have over 15 years of experience with network worms getting into strange places disconnected and even "air gapped" from the Internet.

The most common reason is laptops. Somebody takes their laptop to some place like an airport WiFi network, and gets infected. They put their laptop to sleep, then wake it again when they reach their destination, and plug it into the manufacturing network. At this point, the virus spreads and infects everything. This is especially the case with maintenance/support engineers, who often have specialized software they use to control manufacturing machines, for which they have a reason to connect to the local network even if it doesn't have useful access to the Internet. A single engineer may act as a sort of Typhoid Mary, going from customer to customer, infecting each in turn whenever they open their laptop.

Another cause for infection is virtual machines. A common practice is to take "snapshots" of live machines and save them to backups. Should the virtual machine crash, instead of rebooting it, it's simply restored from the backed up running image. If that backup image is infected, then bringing it out of sleep will allow the worm to start spreading.

Jake Williams claims he's seen three other manufacturing networks infected with WannaCry. Why does manufacturing seem more susceptible? The reason appears to be the "killswitch" that stops WannaCry from running elsewhere. The killswitch uses a DNS lookup, stopping itself if it can resolve a certain domain. Manufacturing networks are largely disconnected from the Internet enough that such DNS lookups don't work, so the domain can't be found, so the killswitch doesn't work. Thus, manufacturing systems are no more likely to get infected, but the lack of killswitch means the virus will continue to run, attacking more systems instead of immediately killing itself.
One solution to this would be to set up sinkhole DNS servers on the network that resolve all unknown DNS queries to a single server that logs all requests. This is trivially set up with most DNS servers. The logs will quickly identify problems on the network, as well as any hacker or virus activity. The side effect is that it would make this killswitch kill WannaCry. WannaCry isn't sufficient reason to set up sinkhole servers, of course, but it's something I've found generally useful in the past.

Conclusion

Something obviously happened to the Boeing plant, but the narrative is all wrong. Words like "targeted attack" imply things that likely didn't happen. Facts are so loose in cybersecurity that it may not have even been WannaCry. The real story is that the original WannaCry is still out there, still trying to spread. Simply put a computer on the raw Internet (without a firewall) and you'll get attacked. That, somehow, isn't news. Instead, what's news is whenever that continued infection hits somewhere famous, like Boeing, even though (as Boeing claims) it had no important effect.

Source
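The sinkhole the post describes can be built in a few dozen lines. The following is an added example, not code from the original post or its author: a minimal UDP DNS responder that answers every A query with a logging host's address and records who asked for what. The sinkhole address 10.0.0.250, the queried name killswitch.example and the in-memory log are constructed assumptions; the real WannaCry killswitch domain is not named on this page and is not needed, since a sinkhole that resolves every name makes any DNS-based killswitch fire.

```python
import socket
import struct

# Assumptions for this example (not from the original post): the sinkhole host
# lives at 10.0.0.250 and the query log is an in-memory list rather than a file or SIEM feed.
SINKHOLE_IP = "10.0.0.250"
DNS_QUERY_LOG = []  # entries: (client_ip, queried_name, qtype)


def encode_name(name):
    """Encode a dotted hostname as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Decode an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compressed names are not expected in a question section")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name, qtype=1):
    """Build a standard recursive-desired query; used here to create constructed test traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, qname, qtype, end_of_question_offset) for a single-question query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, offset = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return txid, qname, qtype, offset + 4


def sinkhole_response(packet, client_ip, sinkhole_ip=SINKHOLE_IP):
    """Log the query and answer every A lookup with the sinkhole address.

    Non-A queries get an empty NOERROR reply so that clients do not retry forever.
    """
    txid, qname, qtype, qend = parse_query(packet)
    DNS_QUERY_LOG.append((client_ip, qname, qtype))
    question = packet[12:qend]
    ancount = 1 if qtype == 1 else 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR, RD, RA set, NOERROR
    if not ancount:
        return header + question
    # Answer RR: compression pointer to the name at offset 12, type A, class IN, TTL 60, 4-byte rdata.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(sinkhole_ip)
    return header + question + answer


def answered_ip(response):
    """Pull the A record out of a reply built by sinkhole_response (None if it carries no answer)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _, offset = decode_name(response, 12)
    rdata = offset + 4 + 12  # skip QTYPE/QCLASS, then name pointer + type + class + TTL + rdlength
    return socket.inet_ntoa(response[rdata:rdata + 4])


def serve(bind_addr="0.0.0.0", port=5353):
    """Blocking UDP loop for a lab deployment (point clients' DNS at this host); not run by the test."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        packet, (client_ip, client_port) = sock.recvfrom(512)
        try:
            sock.sendto(sinkhole_response(packet, client_ip), (client_ip, client_port))
            print(f"{client_ip} asked for {DNS_QUERY_LOG[-1][1]}")
        except ValueError:
            continue  # malformed or multi-question packet: ignore it
```

In production you would not hand-roll the protocol; the point of the example is the two properties the post relies on: every name resolves (so the killswitch fires) and every lookup is logged with its source (so the machine that keeps asking for odd names is the one to pull off the network).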
  10. Qwerty Ransomware Utilizes GnuPG to Encrypt a Victim's Files

A new ransomware has been discovered that utilizes the legitimate GnuPG, or GPG, encryption program to encrypt a victim's files. Currently in the wild, this ransomware is called Qwerty Ransomware and will encrypt a victim's files, overwrite the originals, and then append the .qwerty extension to an encrypted file's name. It goes without saying that GnuPG is a legitimate program being illegally used by the Qwerty Ransomware developers.

While a ransomware using GnuPG to encrypt files is not unique as it has been done in the past with VaultCrypt and KeyBTC, it is not something that is commonly seen. While it is not known for sure how this ransomware is being distributed, it appears likely that it is manually installed by the attacker when they hack into computers running Remote Desktop Services.

First discovered by MalwareHunterTeam, we did not have the full package in order to fully analyze it. This week MalwareHunterTeam was able to find the complete package hosted on a site so that we could analyze it further.

How the Qwerty Ransomware encrypts a computer

The Qwerty Ransomware consists of a package of individual files that are run together to encrypt a computer. This package consists of the GnuPG gpg.exe executable, the gnuwin32 shred.exe file, a batch file that loads the keys and launches a JS file, and a JS file that is used to launch the find.exe program.

Qwerty Ransomware Package

The first file to be launched is the key.bat file. This file acts as the main launcher for the ransomware by executing various commands sequentially.

Batch File

When the batch file is executed, the keys will be imported as shown below.

Importing Keys

After the keys are imported, the batch file will launch run.js. This file will execute the find.exe program, which is the main ransomware component. When executing find.exe, it will specify a particular drive letter that it tries to encrypt.
JavaScript File

When find.exe is executed it will launch the following commands on the victim's computer.

taskkill /F /IM sql /T
taskkill /F /IM chrome.exe /T
taskkill /F /IM ie.exe /T
taskkill /F /IM firefox.exe /T
taskkill /F /IM opera.exe /T
taskkill /F /IM safari.exe /T
taskkill /F /IM taskmgr.exe /T
taskkill /F /IM 1c /T
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete
bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe bcdedit /set {default} recoveryenabled no
wbadmin.exe wbadmin delete catalog -quiet
del /Q /F /S %s$recycle.bin

Source

It will then begin to encrypt each drive on the computer by executing the following command when it encrypts a file:

gpg.exe --recipient qwerty -o "%s%s.%d.qwerty" --encrypt "%s%s"

This command will encrypt the file using the imported public key and then save it as a new file under the same name, but now with the .qwerty extension appended to it. For example, test.jpg would be encrypted and saved as test.jpg.qwerty.

Encrypted Qwerty Files

When encrypting files, it will encrypt any file that does not contain the following strings:

Recycle
temp
Temp
TEMP
windows
Windows
WINDOWS
Program Files
PROGRAM FILES
ProgramData
gnupg
.qwerty
README_DECRYPT.txt
.exe
.dll

After it encrypts a file it will run the shred.exe file on the original file in order to overwrite it.

shred -f -u -n 1 "%s%s"

It should be noted that it only overwrites files once, so they may be recoverable with file recovery software. The use of only one wipe is a tradeoff between speed and securely deleting the file.

In each folder that a file is encrypted, it will create a ransom note named README_DECRYPT.txt which contains instructions to contact [email protected] to receive payment instructions.

Qwerty Ransom Note

Unfortunately, this ransomware is secure and there is no way to decrypt files for free as only the attacker has possession of the private decryption key.
Due to the components used to encrypt the computer, the process is very slow, so it may be possible to spot the ransomware in action and shut down the computer before it encrypts too many files.

How to protect yourself from the Qwerty Ransomware

In order to protect yourself from ransomware in general, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

As Qwerty appears to be installed via hacked Remote Desktop services, it is very important to make sure it's locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network. It is also important to set up proper account lockout policies so that it makes it difficult for accounts to be brute forced over Remote Desktop Services.

You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:
- Backup, Backup, Backup!
- Do not open attachments if you do not know who sent them.
- Do not open attachments until you confirm that the person actually sent them to you.
- Scan attachments with tools like VirusTotal.
- Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader.
  Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
- Make sure you have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if you're willing to stick with it, it could have the biggest payoffs.
- Use hard passwords and never reuse the same password at multiple sites.

For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.

IOCs

Hashes:
find.exe: 39c510bc504a647ef8fa1da8ad3a34755a762f1be48e200b9ae558a41841e502
gpg.exe: 2b605abf796481bed850f35d007dad24
iconv.dll: aa9ec502e20b927d236e19036b40a5da5ddd4ae030553a6608f821becd646efb
key.bat: 554c6198a015dc87e394c4fc74bf5040c48829d793e302632f9eec663733a09e
libiconv2.dll: 3ec2d1a924ef6f19f2db45e48b9cf4b74a904af5720100e3da02182eee3bcf02
libintl3.dll: b92377f1ecb1288467e81abe286d1fd12946d017e74bd1ab5fb2f11e46955154
ownertrust.txt: d06ffa2b486cd0601409db821d38334d0958bf8978f677330908a4c3c87a2b48
qwerty-pub.key: dc1f6d197904a59894a9b9e66f0f6674766c49151a8ced2344dfaadaf54330b8
run.js: 6a6722b3b177426ec9ebb27898ef2340208c5644eb56eb5b064f2b2e34bf20bf
shred.exe: 7eae0a885c7ef8a019b80d55a00e82af2e9a9465b052156490ff822ac68bc23a

Associated Files:
README_DECRYPT.txt

Ransom Note Text:
Your computer is encrypted . Mail [email protected] . Send your ID 5612. Note! You have only 72 hours for write on e-mail (see below) or all your files will be lost!
Associated Emails:
[email protected]

Executed Commands:
taskkill /F /IM sql /T
taskkill /F /IM chrome.exe /T
taskkill /F /IM ie.exe /T
taskkill /F /IM firefox.exe /T
taskkill /F /IM opera.exe /T
taskkill /F /IM safari.exe /T
taskkill /F /IM taskmgr.exe /T
taskkill /F /IM 1c /T
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete
bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe bcdedit /set {default} recoveryenabled no
wbadmin.exe wbadmin delete catalog -quiet
del /Q /F /S %s$recycle.bin
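The command sequence listed in the Qwerty write-up above (shadow copy deletion, boot recovery disabled, backup catalog removed, browsers and SQL killed, gpg.exe --encrypt followed by shred) is exactly what a process-creation log lets a defender catch while the slow encryption is still running. The block below is an added example, not code from the article or from BleepingComputer: a small rule set matched against a constructed process-creation log (format "timestamp host user command line", in the style of Windows event 4688 or Sysmon event 1 exports) with per-host scoring so that one noisy taskkill does not page anyone but the full staging sequence does. The rule weights, threshold and host names are this example's assumptions.

```python
import re
from collections import defaultdict

# Rules derived from the commands quoted in the article. Weights are an assumption of this
# example: single-event behaviours that legitimate admins also run (taskkill) score low,
# while destroying recovery data or bulk GnuPG encryption scores high.
RULES = [
    ("shadow_copy_deletion", r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic\s+shadowcopy\s+delete\b", 3),
    ("recovery_disable", r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", 2),
    ("backup_catalog_delete", r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", 2),
    ("bulk_taskkill", r"\btaskkill\s+/F\s+/IM\s+(sql|1c|chrome\.exe|ie\.exe|firefox\.exe|opera\.exe|safari\.exe|taskmgr\.exe)\b", 1),
    ("gpg_encrypt", r"\bgpg(\.exe)?\b.*--recipient\s+\S+.*--encrypt\b", 3),
    ("shred_original", r"\bshred(\.exe)?\s+-f\s+-u\b", 2),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE), weight) for name, pattern, weight in RULES]

# Constructed process-creation log (not real telemetry): "<timestamp> <host> <user> <command line>".
# WS01 shows the Qwerty sequence; WS02 and WS03 show benign admin use of the same tools.
SAMPLE_LOG = r"""
2018-03-20T10:15:01 WS01 svc_rdp taskkill /F /IM sql /T
2018-03-20T10:15:01 WS01 svc_rdp taskkill /F /IM chrome.exe /T
2018-03-20T10:15:02 WS01 svc_rdp vssadmin.exe delete shadows /all /quiet
2018-03-20T10:15:02 WS01 svc_rdp wmic shadowcopy delete
2018-03-20T10:15:03 WS01 svc_rdp bcdedit /set {default} recoveryenabled no
2018-03-20T10:15:03 WS01 svc_rdp wbadmin delete catalog -quiet
2018-03-20T10:15:09 WS01 svc_rdp gpg.exe --recipient qwerty -o "C:\Users\bob\Documents\test.jpg.1.qwerty" --encrypt "C:\Users\bob\Documents\test.jpg"
2018-03-20T10:15:09 WS01 svc_rdp shred -f -u -n 1 "C:\Users\bob\Documents\test.jpg"
2018-03-20T11:02:44 WS02 alice bcdedit /enum
2018-03-20T11:03:10 WS02 alice gpg --sign release.tar.gz
2018-03-20T11:05:00 WS03 backupsvc wbadmin start backup -backupTarget:E: -include:C: -quiet
"""


def match_rules(command):
    """Return the names of every rule the command line triggers, in rule order."""
    return [name for name, rx, _ in COMPILED if rx.search(command)]


def score_hosts(log_text):
    """Group hits per host; score = sum of weights of the distinct rules that fired there."""
    hosts = defaultdict(lambda: {"rules": set(), "commands": []})
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # blank or truncated line
        _ts, host, _user, command = parts
        hits = match_rules(command)
        if hits:
            hosts[host]["rules"].update(hits)
            hosts[host]["commands"].append(command)
    result = {}
    for host, info in hosts.items():
        score = sum(weight for name, _, weight in COMPILED if name in info["rules"])
        result[host] = {"score": score, "rules": sorted(info["rules"]), "commands": info["commands"]}
    return result


def flagged_hosts(log_text, threshold=5):
    """Hosts whose combined score crosses the alert threshold (assumed value: 5)."""
    return sorted(host for host, info in score_hosts(log_text).items() if info["score"] >= threshold)


if __name__ == "__main__":
    for host, info in score_hosts(SAMPLE_LOG).items():
        print(f"{host}: score={info['score']} rules={info['rules']}")
    print("alert:", flagged_hosts(SAMPLE_LOG))
```

The shadow copy and bcdedit rules are worth deploying on their own since the same commands appear in most current ransomware families; the gpg.exe and shred rules are specific to this strain and mainly serve to show how a family's documented command set translates into a correlation rule rather than a single signature.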
  11. 2016 was the year of ransomware – 146 new strains of this destructive malware were discovered, which earned cybercriminals an estimated worldwide profit of around one billion dollars in 2016. By contrast, in 2015 only 29 strains of ransomware were discovered. Until recently, Windows users were the primary target for ransomware attacks, but now hackers are also targeting Mac and Linux users too. More recently, smartphones or tablets with an Android or iOS operating system are also becoming targets. The reason for this is simple: the proportion of Apple and Linux-based computers is increasing, and who doesn’t have a smartphone these days?! Traditionally, you would have felt quite safe as a Mac or Linux user; Windows users have always been plagued with a high risk of catching viruses, worms or Trojans, whereas Apple or UNIX systems (including smartphones) have enjoyed a low threat level when it comes to malware. But has that now all changed? Mac is still more secure than Windows Mac users are currently still far less vulnerable than Windows users, as the spread of ransomware on the Mac so far requires a manual involvement of the user. However, it will certainly come to a point where attackers find a more efficient way of disseminating their malware, by which time macOS could be just as vulnerable as Windows. Although the malware ‘Patcher’ was recently discovered as an application for cracking popular software, the program is quite bumpy. In fact, the code for communicating with the host server to pay the ransom is often missed out, which means you are left high and dry with all your data encrypted and no hope of getting it back by paying the ransom (although in every case it is advisable not to pay the ransom anyway). A more dangerous strain is ‘KeRanger’, which attacked about 7,000 Macs in 2016, even hitting time-machine backups. 
A quick intervention by Apple prevented the spread from getting any worse, but when one malware program is successful you can bet that there will be more right behind it. It is therefore important that your backups should be stored on a storage medium that is not connected to the internet or the network. That way you can still access your data if something goes wrong with your main computer (this is good practice anyway, but it's especially true when it comes to overcoming ransomware attacks).

Cybercriminals are also interested in Linux machines

Ransomware is currently not much of a problem for Linux systems. A pest discovered by security researchers is a Linux variant of the Windows malware ‘KillDisk’. However, this malware has been noted as being very specific; attacking high profile financial institutions and also critical infrastructure in Ukraine. Another problem here is that the decryption key that is generated by the program to unlock the data is not stored anywhere, which means that any encrypted data cannot be unlocked, whether the ransom is paid or not. Data can still sometimes be recovered by experts like Ontrack, however timescales, difficulty and success rates depend on the exact situation and strain of ransomware.

The Linux counterpart to KeRanger is called ‘Linux.Encoder’. This malicious program originally came from an open source ransomware project and is relatively easy to comprehend because of its half-baked programming. As a result, the chance of getting lost data back is high, for now. Again, the industry will need to deal with improved versions in the future, but at least for now the situation is still pretty relaxed.

Smartphones are the top target

Almost everyone today has a smartphone, and on it often resides a variety of private and business data, which is a prime target for hackers to hold hostage.
However, the infection with the malware does not happen automatically; the user of the phone must actively and independently participate, for example, by installing a contaminated app on a device. However, in these cases not everything is lost – putting a smartphone into ‘safe mode’ can help to uninstall rogue apps, or some specialist software tools can remove it for you. As a last resort you can even reset the phone to factory settings, which will ‘delete’ all data stored on the device. Although the manufacturer of the smartphone operating system Android (Google) reacts quite well to known malware problems, it still may take some time for the device manufacturers to incorporate the updates into their own brand-specific operating systems and then deliver them to their customers.

Apple vs. Android

Apple users rejoice – iPhones are better off. Previous reports about surfaced ransomware were not completely correct, and in most cases they were just pseudo-ransomware attacks or simple error message spam. The reason for the much better performance compared to Android phones is on the one hand that Apple does not work with open source software and on the other hand that Apple reacts very quickly to possible problem areas and provides its customers with updates – without having to take the long route via external companies. However, even with Apple smartphones it is always possible that this could change in the future, leaving data at risk. Therefore, it is recommended (as with all computers and devices that store data) to create frequent backups.

If you’re lucky and have backed up properly then getting your data back might be as simple as wiping your device completely, initiating a fresh install and then restoring your data from the backups. If your backups did not work and you find your data being attacked and encrypted by ransomware, you should contact a data recovery service provider like Ontrack immediately.
Remember not to try out any DIY data recovery methods you might find on the Internet, as it can often make the situation worse. It’s much safer to shut down your affected device and contact a professional to understand exactly what your options are and the likely chances of a successful recovery being possible.

Have you ever been hit by ransomware? What happened and were you able to get your data back?

Source
  12. Data Keeper Ransomware Makes First Victims Two Days After Release on Dark Web RaaS Two days after crooks started advertising the Data Keeper Ransomware-as-a-Service (RaaS) on the Dark Web, ransomware strains generated on this portal have already been spotted in the wild, infecting the computers of real-world users. Spotted earlier this week by Bleeping Computer, Data Keeper is the third ransomware strain offered as a RaaS offering this year, after Saturn and GandCrab. Another RaaS opens its gates for everybody The service launched on February 12 but didn't actually come online until February 20, and by February 22, security researchers were already reporting seeing the first victims complaining of getting infected. Just like the Saturn RaaS, Data Keeper lets anyone sign up for the service and lets them generate weaponized binaries right away, without having to pay a fee to activate an account. Data Keeper maintainers are encouraging users to generate ransomware samples and distribute them to victims, with the promise of receiving a share of the ransom fee in case victims pay to decrypt their files. But while the Saturn crew made their commission known upfront (30% of the total ransom fee), the Data Keeper crew doesn't disclose the amount of Bitcoin they keep from affiliates. Sections are available in the Data Keeper RaaS backend that allow users to enter their Bitcoin wallet where to receive their "earnings," sections where they can generate the ransomware's encryptor binary, and a section from where they can download various files, including a sample decrypter. Data Keeper ransomware looks well-coded The ransomware generated via the Data Keeper RaaS is coded in .NET, and while .NET ransomware is usually considered the bottom of the barrel regarding ransomware quality, this one appears to be written by someone more adept than the usual mob of .NET malware noobs. 
"The in the wild [Data Keeper ransomware] sample we saw on Thursday consists of 4 layers," said MalwareHunter, a security researcher who helped Bleeping Computer analyze the ransomware for this article.

"The first layer is an EXE that will drop another EXE to %LocalAppData% with a random name and a .bin extension. It then executes it with ProcessPriorityClass.BelowNormal and ProcessWindowStyle.Hidden parameters," MalwareHunter says. "That second EXE will load a DLL, which will load another DLL containing the actual ransomware that encrypts all the files. All layers have custom strings and resources protection," he says. "And then each layer is protected with ConfuserEx."

This is an unusually complex level of protection when compared to the troves of .NET ransomware that's floated online in the past year. Furthermore, this is also one of the few ransomware strains that uses PsExec, a command-line-based remote administration tool. DataKeeper uses PsExec to execute the ransomware on other machines on victims' networks.

Data Keeper ransomware doesn't use a special file extension

Victims infected with versions of this ransomware will have their files encrypted with a dual AES and RSA-4096 algorithm. Data Keeper also enumerates and tries to encrypt all network shares it can get access to.

Data Keeper doesn't add a special extension at the end of encrypted files, meaning victims won't be able to tell what files are encrypted unless they try to open one. This is actually quite clever, as it introduces a sense of uncertainty for each victim, with users not knowing the amount of damage the ransomware has done to their PCs. Further, the RaaS lets each affiliate select what file types to target, meaning different versions of Data Keeper will encrypt different files for each victim.

The only visible sign that victims have been infected is the "!!! ##### === ReadMe === ##### !!!.htm" file that Data Keeper places in each folder in which it encrypts files.
The ransom fee is also configurable in the RaaS, so this value also varies from victim to victim. Infected users are told to access a Dark Web URL for more information on the steps necessary to pay the ransom fee and receive a decrypter that will unlock their files. Based on the wording of the ransom note above, if Data Keeper infects a company's computers, the victim will have to pay to unlock each computer at a time. This means a simple infection can reach staggering costs for some companies that did not have backups but want to recover their files. Data Keeper ransomware versions spotted in the wild At the time of writing, there appear to be multiple threat actors that have signed up for the RaaS, obtained weaponized binaries, and are now distributing Data Keeper to users. MalwareHunter has told Bleeping Computer that one of the threat actors currently distributing a variant of the Data Keeper ransomware is hosting the malicious binaries on the server of a home automation system. Crooks have also updated this particular ransomware binary from day to day, meaning they are fine-tuning their attacks, and are serious about their intentions and not carrying out just a simple test run. Researchers who looked into Data Keeper's encryption scheme for weaknesses were not able to find any bugs or mistakes they could exploit to recover victims' files. If they find anything and create a free decrypter, we'll update this article with a link to its download location. IOCs: Encrypter: 912bfac6b434d0fff6cfe691cd8145aec0471aa73beaa957898cfabd06067567 Decrypter: 8616263bdbbfe7cd1d702f3179041eb75721b0d950c19c2e50e823845955910d Ransom note text: Source
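Three posts on this page describe different on-disk traces: GandCrab v4 (item 7) appends .KRAB and drops CRAB-DECRYPT.txt or KRAB-DECRYPT.txt, Qwerty (item 10) appends .qwerty and drops README_DECRYPT.txt, and Data Keeper (item 12) renames nothing and leaves only its ReadMe .htm file, so a victim cannot tell which files are encrypted without opening them. A responder triaging a share therefore needs three checks, not one: note filenames, appended extensions, and, for strains that keep the original name, a byte-entropy test on files whose extension says they should be plaintext. The following is an added example covering all three posts, not code from any of the articles or vendors on this page; the indicator lists are taken from the posts above, while the 7.5 bits-per-byte threshold, the 1 KiB minimum size, the plaintext-extension list and the constructed sample tree are this example's own assumptions.

```python
import math
import os
import tempfile
from collections import Counter

# Indicators quoted in the GandCrab v4, Qwerty and Data Keeper write-ups on this page.
RANSOM_NOTES = {
    "CRAB-DECRYPT.txt", "KRAB-DECRYPT.txt",           # GandCrab v4
    "README_DECRYPT.txt",                              # Qwerty
    "!!! ##### === ReadMe === ##### !!!.htm",          # Data Keeper
}
APPENDED_EXTENSIONS = {".krab", ".qwerty"}             # compared case-insensitively

# Assumptions of this example: files with these extensions are plaintext when healthy, so a
# near-8-bit-per-byte body is a strong sign of in-place encryption without a rename.
PLAINTEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".json", ".html", ".htm", ".ini", ".sql"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; English text sits around 4 to 5, ciphertext near 8
MIN_SIZE = 1024           # tiny files give unreliable entropy estimates
SAMPLE_BYTES = 65536      # only the first 64 KiB is read, which keeps large shares tractable


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_tree(root):
    """Walk root and return sorted lists of ransom notes, renamed files and silently encrypted files."""
    findings = {"notes": [], "renamed": [], "high_entropy": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in RANSOM_NOTES:
                findings["notes"].append(rel)
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext in APPENDED_EXTENSIONS:
                findings["renamed"].append(rel)
                continue
            if ext in PLAINTEXT_EXTENSIONS and os.path.getsize(path) >= MIN_SIZE:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
                if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                    findings["high_entropy"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_demo_tree(root):
    """Create a constructed sample tree (placeholder content, not real victim data)."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "KRAB-DECRYPT.txt"), "w") as fh:
        fh.write("constructed ransom note placeholder\n")
    with open(os.path.join(docs, "!!! ##### === ReadMe === ##### !!!.htm"), "w") as fh:
        fh.write("<html>constructed ransom note placeholder</html>\n")
    with open(os.path.join(docs, "picture.jpg.KRAB"), "wb") as fh:
        fh.write(os.urandom(2048))                    # renamed by GandCrab-style strain
    with open(os.path.join(docs, "budget.csv"), "wb") as fh:
        fh.write(os.urandom(4096))                    # encrypted in place, name unchanged
    with open(os.path.join(docs, "notes.txt"), "w") as fh:
        fh.write("quarterly planning notes\n" * 200)  # healthy plaintext, low entropy
    with open(os.path.join(docs, "tiny.txt"), "wb") as fh:
        fh.write(os.urandom(100))                     # below MIN_SIZE, deliberately ignored


def demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return triage_tree(root)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The entropy check is the only one of the three that generalises to a strain not yet on any indicator list, which is why it is worth keeping even though it is the noisiest: compressed archives and media files legitimately score near 8, so the check is restricted to extensions that should be plaintext, and a hit should be confirmed by opening the file rather than acted on alone.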
13. ShieldApps' Ransomware Defender deals with known ransomware in a way no other solution can. Specially designed for detecting and blocking ransomware prior to any damage, Ransomware Defender blacklists and stops both common and unique ransomware. Once installed, Ransomware Defender stands guard 24/7 utilizing active protection algorithms enhanced with a user-friendly alerts and notifications system. Ransomware Defender is fully automated, taking care of all threats via an advanced Scan > Detect > Lock Down mechanism that proactively stands guard against detected threats, and works alongside all main antivirus and anti-malware products! Ransomware Defender also features a scheduled automatic scan, secured file eraser, lifetime updates and support!

More Screenshots:
Homepage: https://shieldapps.com/products/ransomware-defender/ or https://www.shieldapps.online/collections/ransomware-defender
Download: https://s3.amazonaws.com/shield-products/RansomwareDefender/ShieldApps/RansomwareDefenderSetup.exe or https://s3.amazonaws.com/shield-products/RansomwareDefender/Reseller/RansomwareDefenderSetup.exe
Manual/Guide: https://s3.amazonaws.com/partnertemporary/resellerresources/Ransomware+Defender+Operation+Manual.pdf
3.5.8 - 3.x Patch from URET TEAM - igorca:
Site: https://yadi.sk
Sharecode[?]: /d/CPeTqzwJ3HqiyP
14. Trend Micro Ransom Buster v12.0.2.1125
File size: 123 MB

Reinforce your protection against ransomware. Ransom Buster offers protection from all forms of ransomware and provides an additional layer of security for your computer to protect important files and precious memories. It does not matter whether you have already installed security software.

Easy handling: After you have selected a protected folder, Ransom Buster automatically prevents unknown programs from accessing your protected files.
Intelligent: Common applications such as Microsoft Office can automatically access your protected folders, which minimizes the occurrence of false alarms.
Flexible: Access to protected files can easily be granted to trusted applications.
Compatible: Ransom Buster complements your current security software with an additional layer of security.
Compact: Your PC will not slow down, and no virus pattern updates are required.
Automatic updates: Don't worry about new threats anymore. Ransom Buster is updated automatically, so your files stay safe, no matter what they are facing.

System requirements: Ransom Buster supports Windows 7, Windows 8, Windows 8.1, Windows 10 and newer versions. Ransom Buster is already included in Trend Micro Security products (Antivirus+/Internet Security/Maximum Security).

Release Notes
Changes in v12.0.2.1125: some minor improvements.

Get Ransom Buster for free for a limited time only.
Homepage: https://www.ransombuster.trendmicro.com/
Videos: https://www.ransombuster.trendmicro.com/#video
Download: https://ti-res.trendmicro.com/ti-res/FST/1202/1124/RansomBuster.exe
15. After a year of headline-grabbing ransomware campaigns, it looks like hackers are launching the attacks less frequently.

Ransomware is malicious software that can lock up your files until you send hackers a ransom payment. It featured in the WannaCry attacks in May and the NotPetya attacks in June, both of which swept through hospitals, banks and governments in several countries. But after July, the rates of ransomware infections dropped sharply, according to a report from Malwarebytes. If the trend continues, it would mean a reprieve from an attack that targeted institutions where time is money, like banks, or where lives could hang in the balance, like hospitals.

So why would hackers ditch one of their favorite attacks? It turns out that computer users have a really valuable tool against ransomware: backing up their files. That's according to Chris Boyd, a malware analyst at Malwarebytes, who told ZDNet that publicity around the major ransomware attacks probably helped educate people about how to avoid needing to pay by uploading files to the cloud or a backup device.

"This alone, even without additional security precautions, effectively deadens the otherwise considerable sting of the threat," Boyd told ZDNet, a CNET sister site. The company sells a product that detects and blocks malicious software for businesses and regular computer users.

That's not to say hackers aren't hacking. They've simply turned to other kinds of attacks to steal money, such as banking trojans and adware, both of which are old-school hacking tricks.

Hackers are also still innovating. Adam Kujawa, director of malware intelligence at Malwarebytes, said the biggest trend he observed in December was the rise of "crypto-jacking." That's when websites you visit secretly use your computer's processing power to run a program that creates bitcoins. That lets hackers make money off your computer.
And, Kujawa said, "it wears down resources really fast," slowing down your computer's performance. But hey, at least you can still access your files. Source: https://www.cnet.com/news/wannacry-notpetya-ransomware-hackers-2017-less-popular-malwarebytes/
16. Talos has been working in conjunction with Cisco IR Services on what we believe to be a new variant of the SamSam ransomware. This ransomware has been observed across multiple industries including Government, Healthcare and ICS. These attacks do not appear to be highly targeted, and appear to be more opportunistic in nature.

Given SamSam's victimology, its impacts are not just felt within the business world; they are also impacting people, especially if we consider the Healthcare sector. Non-urgent surgeries can always be rescheduled, but if we take as an example patients whose medical history and former medical treatment are crucial, the impact may be more severe. Furthermore, many critical life-saving medical devices are now highly computerized. Ransomware can impact the operation of these devices, making it very difficult for medical personnel to diagnose and treat patients and leading to potentially life-threatening situations. Equipment that might be needed in time-sensitive operations may be made unavailable because the computer used to operate the equipment is unavailable.

The initial infection vector for these ongoing attacks is currently unknown, and Talos is investigating in order to identify it. The history of SamSam indicates that attackers may follow their previous modus operandi of exploiting a host and then laterally moving within their target environment to plant and later run the SamSam ransomware. Previously, we observed the adversaries attacking vulnerable JBoss hosts during a previous wave of SamSam attacks in 2016. Although the infection vector for the new variant is not yet confirmed, there is a possibility that compromised RDP/VNC servers have played a part in allowing the attackers to obtain an initial foothold.

There are no differences between the encryption mechanism used by this current SamSam variant compared to older versions.
However, this time the adversaries have added some string obfuscation and improved the anti-analysis techniques used, to make detection and analysis marginally more difficult. This new variant is deployed using a loader which decrypts and executes an encrypted ransomware payload; this loader/payload model represents an improvement in the anti-forensic methods used by the malware. Samples containing this loader mechanism have been found as far back as October 2017.

The wallet used by SamSam for this wave is shared by multiple infected victims, as observed by monitoring the wallet at 1MddNhqRCJe825ywjdbjbAQpstWBpKHmFR. We are also able to confirm that the first payment into this wallet was received on 25th December 2017, a nice holiday gift for this adversary. This can be confirmed by observing the first wallet transaction found on the Bitcoin blockchain here. There is a possibility that other Bitcoin wallets are also used, but Talos is currently unaware of any others.

Similar to the previous variants, we believe the deployment of this SamSam variant to be highly manual, meaning an adversary must take manual action in order to execute the malware. The symmetric encryption keys are randomly generated for each file. The Tor onion service and the Bitcoin wallet address are hardcoded into the payload, whilst the public key is stored in an external file with the extension .keyxml. Additionally, code analysis didn't find any kind of automated mechanism for contacting the Tor service address, which means that the victim identification with the associated RSA private key must be done either manually or by another adversary tool.

Ransom note displayed by SamSam new variant

In most ransomware the attackers try to convince affected users that they have the ability to decrypt the data after the payment is made. SamSam is no different here and even displays a disclaimer, as seen in the above screenshot, stating 'we don't want to damage our reliability' and 'we are honest'.
To this end, SamSam adversaries offer free decryption of two files and an additional free key to decrypt one server. Once again SamSam actors show their ability to monitor and laterally move through the network by pointing out they will only provide a key if they believe the server is not an important piece of infrastructure. As with previous versions of SamSam, they advise that messaging the attackers can be performed via their site.

The "Runner"

The adversary has changed their deployment methodology, and now they use a loader mechanism called "runner" to execute the payload. Upon execution, the loader will search for files with the extension .stubbin in its execution directory; this file contains the SamSam encrypted .NET Assembly payload. Upon reading the file, the loader decrypts the payload with the password supplied as the first argument and executes it, passing the remaining arguments.

The loader is a very simple .NET assembly with no obfuscation. Comparing both the Initialization Vector (IV) and the code structure, it seems like it may have been derived from an example posted on the Codeproject.com website. As you can see in the images below, the IV used for the Rijndael encryption is the same in both implementations (posted code in hexadecimal, reversed code in decimal due to decompiler implementation).

Posted code
Reversed code

At the code level, looking specifically at the function 'Decrypt', it is obvious that the code structure in the Codeproject source and the latest SamSam runner sample is the same (comments from the posted code were removed).

Encryption routine source code comparison

The Payload

Previous versions of SamSam put some effort into the obfuscation of the malware code by encrypting strings with AES. The new version also obfuscates functions, class names and strings, including the list of targeted file extensions, the help file contents and environment variables, this time using DES encryption with a fixed hard-coded key and IV.
Once again, the adversary has put more effort into preventing the forensic recovery of the malware sample itself rather than only relying on the obfuscation of the running malware code, which allowed us to reverse engineer this sample. As mentioned before, the password to decrypt the payload is passed as a parameter to the loader, which reduces the chances of obtaining the payload for analysis. Previous versions of SamSam had an equivalent method for making payload access difficult by launching a thread that would wait 1 second before deleting itself from the hard disk.

The comparison of the main encryption routines between the old and the new samples indicates that this version of SamSam is similar enough to have high confidence that it belongs to the same malware family.

Encryption Routine Comparison

While previous SamSam versions used the API call DriveInfo.GetDrives() to obtain the list of available drives, this new version has the drive letters hardcoded. After checking that a drive is ready, it starts a search for targeted files on the non-blacklisted folder paths. The new variant keeps the same list of targeted file extensions as some of the previous ones. It adds a few new entries to the list of paths not to encrypt, which includes the user profiles "All Users" and "default" and the boot directory. This is in tune with most ransomware, which attempts to preserve the operability of the victim's machine. If the machine is so damaged that the system cannot be booted, then the victim will be unable to pay, whereas if they keep the machine able to function, with limited access to files/folders, then they have a greater chance of a victim paying to recover their important files and documents.

Just like previous versions of SamSam, the new version is especially careful to make sure that there is enough space on the current drive to create the encrypted document, thus avoiding any corruption that would lead to irrecoverable encryption.
Unlike most ransomware, SamSam does not delete Volume Shadow Copies; it creates an encrypted version of the original file, which is then deleted using the regular Windows API. Although unlikely, due to block overwriting, recovery of the original files from the versions of affected folders saved by the operating system may be possible.

Profitability

In identifying the scope of this SamSam campaign, Talos analyzed the Bitcoin wallet addresses used by the attackers in each of these attacks. As of the time of this writing, the attackers have received approximately 30.4 BTC, which equals $325,217.07. As previously mentioned, it is possible that the attackers are leveraging multiple bitcoin wallets; however, Talos has not observed any other than the one listed here being used in these attacks.

Recommendations

As the specific initial threat vector is not known at this time, best practices should be implemented to minimize risk to organizations. Talos has outlined several best practices that should be considered in a previous blog related to defending against ransomware-related threats. In accordance with best practices, protocols like SMB or RDP should never be internet facing.

Article
17. A new form of ransomware attempts to trick victims into installing it with the lure of quickly profiting from cryptocurrency -- before encrypting their files and demanding Monero for the decryption key.

'SpriteCoin' is advertised on forums as a new cryptocurrency which is "sure to be profitable" for users -- when it is anything but. Those who fall for the scam -- which is likely to have been designed to take advantage of the publicity around bitcoin and the blockchain -- will find their Windows system infected with ransomware.

To add insult to injury, if the infected user pays the 0.3 Monero (around $100 at the time of writing) ransom, they're delivered additional malware with capabilities that include certificate harvesting, image parsing, and the ability to activate the victim's webcam.

Uncovered by researchers at Fortinet, SpriteCoin is advertised on forums and requires a degree of social engineering in order to successfully compromise targets. While many forms of ransomware are delivered through phishing emails, this form is delivered as a cryptocurrency wallet which the user is told contains SpriteCoin. It's one of the oldest cybercriminal tricks in the book: luring victims in with the prospect of a get-rich-quick scheme.

Once the user runs the .exe file, they're asked to enter a wallet password, before being told that the file is downloading the blockchain. In reality, this isn't happening at all: the ransomware is running the encryption routine, adding a '.encrypted' suffix to any affected files. The user's Chrome and Firefox credential stores are raided during this process and sent to a remote website, likely putting passwords in the hands of the attackers.

Once the process is complete, the victim is presented with a ransom note, demanding a 0.3 Monero payment in order to retrieve their files.
The note contains links to information about what Monero is, how to purchase it, and how to pay, as well as a warning that if the program is deleted the files will remain encrypted forever.

The ransom figure is low compared to many forms of ransomware, which now often demand payments of hundreds or thousands of dollars. It could be that the attackers ask for a relatively low ransom because SpriteCoin is a test for new ransomware delivery mechanisms.

"In this instance, it seems like the intent was not just about money. What we infer is that the intent is not about the amount of money, but possibly about proof of concept or testing new delivery mechanisms, and to see how many people would fall for it," Tony Giandomenico, senior security researcher at Fortinet FortiGuard Labs, told ZDNet. "This is very similar to when attackers would test to see how effective or fast a worm would spread before really launching it. This could be the same concept."

Those behind the SpriteCoin ransomware attempt to offer the victim assurance that payment will result in the return of their files because "if we didn't, you could tell others not to pay", adding: "so trust us, will return your files". However, it seems unlikely that victims will actually get their documents back. If they do decide to pay up for the decryption key, what they actually receive is additional malware with the ability to activate webcams and parse certificates.

"The note is really encouraging the victim to 'initiate payment of the ransom' in order to get the secondary malicious payload dropped," said Giandomenico. While researchers haven't been able to fully analyse this malware, it's unlikely that suffering additional compromises can be anything but bad for the victim.

SpriteCoin isn't the first form of ransomware to ask for payment in Monero.
The popularity of bitcoin -- and the associated increase in transaction fees and delays receiving payments -- is causing problems for cybercriminals who use it to collect ransom demands. As a result, some ransomware distributors are shifting their business model away from bitcoin and to other cryptocurrencies like Monero. source
18. Hancock Health fell victim to a cyber attack Thursday, with a hacker demanding Bitcoin to relinquish control of part of the hospital's computer system.

Employees knew something was wrong Thursday night, when the network began running more slowly than normal, senior vice president/chief strategy and innovation officer Rob Matt said. A short time later, a message flashed on a hospital computer screen, stating parts of the system would be held hostage until a ransom is paid. The hacker asked for Bitcoin — a virtual currency used to make anonymous transactions that is nearly impossible to trace. The hospital's IT team opted to immediately shut down the network to isolate the problem. The attack affected Hancock Health's entire health network, including its physician offices and wellness centers.

Friday afternoon, Hancock Health CEO Steve Long confirmed the network was targeted by a ransomware attack from an unnamed hacker who "attempted to shut down (Hancock Health's) operations." Hospital leaders don't believe any personal medical information has been compromised, Long said. Long declined to disclose details of the attack, including how much ransom has been requested. The attack amounts to a "digital padlock," restricting personnel access to parts of the health network's computer systems, he said.

The attack was not the result of an employee opening a malware-infected email, a common tactic used to hack computer systems, he said. The attack was sophisticated, he said, adding FBI officials are familiar with this method of security breach. "This was not a 15-year-old kid sitting in his mother's basement," Long said.

Protecting patients

Notices posted Friday at entrances to Hancock Regional Hospital alerted visitors to a "system-wide outage" and asked any hospital employee or office using a HRH network to ensure all computers were turned off. Doctors and nurses have reverted to using pen and paper for now to keep patients' medical charts updated.
Long said he wasn't aware of any appointments or procedures that were canceled directly related to the incident, adding Friday's snowy weather contributed to many cancellations. Most patients likely didn't notice there was a problem, nor did the attack significantly impact patient care, Long said.

Hospital staff members worked with the FBI and a national IT security company overnight and throughout the day Friday to resolve the issue. Long said law enforcement has been acting in an "advisory capacity," and declined to release details about the plan going forward, including whether the hospital is considering paying the ransom.

Long commended his staff, especially IT workers, who quickly identified the problem Thursday evening. "If I was going through this with anybody, this is the team I would want to go through this with because I know what the outcome is going to be," he said.

Leaders updated hospital employees, totaling about 1,200 people, throughout the day Friday and took steps to accommodate both patients and staff, including offering free food in the hospital cafeteria all day, Long said. Long said if there is any suggestion private patient information has been compromised, hospital officials will reach out to those affected, though he doesn't expect that to become an issue. "We anticipate questions," he said. "This is not a small deal."

A growing problem

Ransomware attacks like the one at Hancock Health are growing more common, according to experts in the field of information technology and cybersecurity. Some 4,000 ransomware attacks have occurred every day since 2016, according to a report by the federal Department of Justice — a 300 percent increase from the roughly 1,000 attacks per day in 2015.
Hackers often use phishing techniques — posing as a legitimate company or source the user recognizes — to break into a person's or company's computer and take it over, said Von Welch, the director of Indiana University's Center for Applied Cybersecurity Research in Bloomington. Rather than stealing private information stored on the computer and using or selling it, hackers who engage in ransomware turn the tables on their victims and refuse to give back control of the device unless someone pays up, Welch said.

It's "particularly nasty" when hospitals fall victim to a ransomware attack because it can completely cripple the medical facility's ability to help people, Welch said. Depending on what's been compromised, hospitals can't check patients in or gain access to certain essential equipment, he said. Long said the hospital's equipment continued to function normally Friday, though he's troubled someone would target people in need of medical care, when many are at their most vulnerable. "That somebody would do this to a hospital really boggles the mind," Long said.

Hacker attacks in Indiana and elsewhere

At least one other Indiana hospital and government unit have fallen victim to similar attacks in recent years. In November 2016, hackers in Anderson executed a similar cyber-attack on Madison County government servers. Criminals uploaded a computer virus to county officials' network that restricted officials' access to confidential files. The hackers then withheld the encryption code – which would allow county officials to retrieve the locked data – for a $200,000 ransom. Madison County's insurance carrier recommended officials pay the demands, which they did, regaining access to their system.

Six months earlier, hackers targeted a healthcare facility in Auburn, Indiana, where Dekalb Health's administrative servers were infected with ransomware.
The threat caused only a minor disruption; the ransom was never paid, and most servers were brought back online shortly after the malware attack, hospital officials said in a news release issued at the time. Hancock Health had policies in place for such an attack, knowing digital thieves are always on the lookout for a target, Long said. “Unfortunately,” he said, “we were probably next on the list.” Article
19. Bitdefender 2018 Build 22.0.12.161

Overview:
The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward BitDefender outstanding results through numerous prizes and certifications are: Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark, PC World Top 100, just to name but a few.

Homepage: https://www.bitdefender.com/
Changelog: https://forum.bitdefender.com/index.php?/topic/77459-latest-changelog/

A new Bitdefender Classic Line product update has been released with the following details:

Affected software:
Bitdefender Total Security 2018
Bitdefender Internet Security 2018
Bitdefender Antivirus Plus 2018

Platform: x86, x64
Version: 22.0.12.161

This version fixes the following issues:
Fixed an issue with Active Threat Defense not activating
Fixed an issue where the product would show "Last Update Never"
Fixed an issue where the offline weekly updates would not detect Bitdefender 2018
Fixed an issue where Google would report SafePay is an outdated browser
Fixed an issue where Custom Scans would not be saved after switching to Aggressive
Fixed an issue where SafePay couldn't save bank statements (PDF) on hsbc.co.uk

The following improvements were included:
Wallet's compatibility with several websites
Several improvements to the in-product Support Tool
Several interface improvements
Various Install Engine optimizations
Various SafePay optimizations and security improvements
Several Firewall improvements
Several Advanced Threat Defense improvements
Improved compatibility with upcoming Windows release
Several OneClick Optimizer improvements

KB is unavailable at this time.
Downloads:

Online Installers:
Bitdefender Antivirus Plus 2018 22.0.12.161
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe
Bitdefender Internet Security 2018 22.0.12.161
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe
Bitdefender Total Security 2018 22.0.12.161
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe

Offline Installers and Install Guide:
Bitdefender 2018 Offline Installation Guide:
Bitdefender 2018 AV Plus / Internet Security / Total Security - Standalone Installers [Windows]:
32bit [x86]: https://download.bitdefender.com/windows/desktop/connect/cl/2018/all/bitdefender_ts_22_32b.exe
64bit [x64]: https://download.bitdefender.com/windows/desktop/connect/cl/2018/all/bitdefender_ts_22_64b.exe
Bitdefender Agent - 2018 - Universal [Same Agent for AV Plus / IS / TS]:
Note: Bitdefender Agent installer supports both x86 & x64 architecture.
Note: Bitdefender Agent installer is the same for Antivirus Plus / Internet Security / Total Security.
Direct Download: https://flow.bitdefender.net/connect/2018/en_us/bitdefender_windows.exe

Install Notes:
Precaution Note: If you've already installed an older version of Bitdefender [incl. 2017/2016 version], you will lose your settings. Please take note of your configuration, settings, whitelisted files and links.
Download and install Bitdefender Agent. When it starts downloading the install files, Stop/Close it immediately.
Note: Check that the Agent is installed only once in "Add/Remove Programs" or "Programs & Features".
Note: Check in "Program Files" for a folder named "Bitdefender Agent".
Now start installing the offline installer and proceed with the installation.
Note: Please choose the respective download link based on architecture x86/x64 for smooth installation.
Note: Don't worry about AV Plus/IS/TS. The installer automatically modifies the installation depending on the license you entered.
Once installation is done, configure accordingly for best protection and to avoid files getting deleted. Configure whitelisted files and links if you have any. It is better to keep note of the configured settings for future use.

User Guide:
Bitdefender Antivirus Plus 2018: https://download.bitdefender.com/resources/media/materials/2018/userguides/en_EN/bitdefender_av_2018_userguide_en.pdf
Bitdefender Internet Security 2018: https://download.bitdefender.com/resources/media/materials/2018/userguides/en_EN/bitdefender_is_2018_userguide_en.pdf
Bitdefender Total Security 2018: https://download.bitdefender.com/resources/media/materials/2018/userguides/en_EN/bitdefender_ts_2018_userguide_en.pdf

Uninstall Tool:
Uninstall Tool For Bitdefender 2018 Products: https://www.bitdefender.com/files/KnowledgeBase/file/Bitdefender_2018_UninstallTool.exe
NOTE: Bitdefender 2018 Uninstall Tool requires KB2999226. If you didn't install it, you'll get the error "api-ms-win-crt-runtime-l1-1-0.dll" missing. You can download it here - KB2999226
Uninstall Tool For Bitdefender 2017 Products: https://www.bitdefender.com/files/KnowledgeBase/file/Bitdefender_2017_UninstallTool.exe
NOTE: Bitdefender 2017 Uninstall Tool requires KB2999226. If you didn't install it, you'll get the error "api-ms-win-crt-runtime-l1-1-0.dll" missing.
You can download it here - KB2999226
Uninstall Tool For Bitdefender 2016 Products: http://www.bitdefender.com/files/KnowledgeBase/file/Bitdefender_2016_UninstallTool.exe
Uninstall Tool For Bitdefender 2015 / 2014 / 2013 Products: http://www.bitdefender.com/files/KnowledgeBase/file/The_New_Bitdefender_UninstallTool.exe
Uninstall Tool For Bitdefender 2012 Products and Earlier: http://www.bitdefender.com/files/KnowledgeBase/file/BitDefender_Uninstall_Tool.exe
20. Bitdefender 2018 Build 22.0.13.169

Overview:
The Bitdefender proprietary technologies, based on innovative ideas and leading trends in the information security industry, continue to be internationally recognized as the best Internet security software. The independent organizations which reward BitDefender outstanding results through numerous prizes and certifications are: Av-Test.org, Virus Bulletin, ICSA Lab, Checkmark, PC World Top 100, just to name but a few.

Homepage: https://www.bitdefender.com/
Changelog: N/A

Update info shared by @boulawan

A new Bitdefender Classic Line product update has been released with the following details:

Affected software:
Bitdefender Total Security 2018
Bitdefender Internet Security 2018
Bitdefender Antivirus Plus 2018

Platform: x86, x64
Version: 22.0.13.169

KB is unavailable at this time.

Downloads:

Online Installers:
Bitdefender Antivirus Plus 2018 22.0.13.169
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_antivirus.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_antivirus.exe
Bitdefender Internet Security 2018 22.0.13.169
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_isecurity.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_isecurity.exe
Bitdefender Total Security 2018 22.0.13.169
Online: https://download.bitdefender.com/windows/installer/en-us/bitdefender_tsecurity.exe
XP | Vista: https://download.bitdefender.com/windows/installer/en-us/xp-vista/bitdefender_tsecurity.exe

Offline Installers and Install Guide:
Bitdefender 2018 Offline Installation Guide:
21. ShieldApps' Ransomware Defender deals with known ransomware in a way no other solution can. Specially designed for detecting and blocking ransomware prior to any damage, Ransomware Defender blacklists and stops both common and unique ransomware. Once installed, Ransomware Defender stands guard 24/7 utilizing active protection algorithms enhanced with a user-friendly alerts and notifications system. Ransomware Defender is fully automated, taking care of all threats via an advanced Scan > Detect > Lock Down mechanism that proactively stands guard against detected threats, and works alongside all main antivirus and anti-malware products! Ransomware Defender also features a scheduled automatic scan, secured file eraser, lifetime updates and support!

More Screenshots:
Homepage: https://shieldapps.com/products/ransomware-defender/
Download: https://s3.amazonaws.com/shield-products/RansomwareDefender/ShieldApps/RansomwareDefenderSetup.exe
3.5.8 - 3.x Patch from URET TEAM - igorca:
Site: https://yadi.sk
Sharecode[?]: /d/CPeTqzwJ3HqiyP
Installer + Patch:
Site: https://www.multiup.eu/en
Sharecode[?]: /download/3929b572efc906983914a46208db9223/Ransomware.Defender.3.6.6.zip
22. Sinopec's (600028.SS) Shengli Oilfield said it will cut the Internet connection for some of its offices after a malicious ransomware attack on 21 of its Internet terminals, the company said on its official website on Monday. Sinopec's Shengli Oilfield became the latest victim of the ransomware that hobbled big business across the globe. Shengli Oilfield, which began pumping oil in 1964, was one of the largest sources of production for Sinopec. The company said it will cut the Internet to all its computers that have not installed a virus protection system. Article
23. A security researcher with the nickname “Racco42” found a new campaign pushing a new Locky variant that spreads through spam emails with subject lines of the form E [date] (random_num).docx, for example E 2017-08-10 (698).docx. The message body contains “Files attached. Thanks”. According to Racco42: “#locky is back with “E 2017-08-09 (xxx).doc” campaign https://pastebin.com/Qbr66946” Email sample: ———————————————————— From: [email protected][REDACTED] To: [REDACTED] Subject: E 2017-08-09 (87).xls Date: Mon, 24 Jul 2017 07:51:08 +0000 Attachment: “E 2017-08-09 (87).zip” -> “E 2017-08-09 (443).vbs” ———————————————————— – sender address is faked to look to be from same domain as recipient – subject is “E 2017-08-09 (<2-3 digits>).<doc|docx|xls|xlsx|jpg|tiff|pdf|jpg>” – email body is empty – attached file “E 2017-08-09 (<2-3 digits>).zip” contains file “E 2017-08-09 (<2-3 digits>).vbs” a VBScript downloader These emails carry a compressed (zip) attachment that uses the same name as the subject; the archive holds a VBS downloader script. The script contains one or more URLs used to download the Locky ransomware executable to the Windows %Temp% folder and then execute it. Once executed, it encrypts all files. The new Locky ransomware then renames each encrypted file, appending the “.diablo6” extension; after that it removes the downloaded executable and displays a ransom note to the victim with instructions on how to pay. Sadly, it is not possible to recover the original files unless you pay a ransom of 0.49 Bitcoin (about $1,600 USD). < Here >
24. If you want to know what some ransomware developers think about the USA, you can get a good idea from the ransom note of the Sanctions Ransomware that was released in March. The ransomware was dubbed Sanctions because of the image in its ransom note, in which the developer makes it fairly obvious how they feel about the USA and its attempts to sanction Russia. Sanctions Ransom Note I was tipped off about this new ransomware after someone was infected and had their files encrypted with the .wallet extension. This extension is typically associated with the Crysis/Dharma ransomware, but according to Michael Gillespie, the creator of ID-Ransomware, the files encrypted by Sanctions do not contain the standard Dharma/Crysis file markers shown below. Crysis/Dharma File Marker While I have not been able to find a sample of the actual ransomware, I was able to find a copy of the ransom note on ID-Ransomware. This ransom note is called RESTORE_ALL_DATA.html and contains a link to a satoshibox page where the ransomware developer is selling the decryption key for 6 bitcoins. This equates to about $6,500 USD at bitcoin's current rate. Satoshibox Decryption Key Purchase As this is a very large ransom payment, and because this ransomware is not in wide circulation, it leads me to believe that this ransomware developer may be conducting targeted attacks. Unfortunately, this is all the information we have at this time. At some point we will find a sample and be able to provide more information as we further analyze this ransomware. Source
25. When WannaCry hit, the news sent shivers around the world. Reports of hospital outages emerged, and secret tools used by the NSA (Equation Group) that could compromise any version of Windows were released to the public. During this period, the community warned that more waves were soon to come. This started around June 26, 2017, primarily in Ukraine, and Binary Defense started to see some of the first large infections of Petya (or, as some call it, NotPetya) happening in other geographic locations early this morning. On the surface, this appeared to be another EternalBlue/MS17-010 campaign with a new variant. No one at the time knew exactly how the infection methods were being used, but multiple companies jumped the gun and reports claimed multiple avenues, including HTA attack vectors and email campaigns with attached Word and Excel documents. The motives of the malware authors are unknown – the interesting part is the geography/demographics of who this specific attack was designed for (Ukraine). Additionally, the software was designed well – unlike WannaCry, which was rudimentary in nature and had a terrible backend infrastructure for ransom payments. While we can’t determine where this specific attack came from, the targeting of Ukrainians, the development effort, and how it was deployed would indicate possible nation-state motivations rather than ransomware. Regardless, it had a large impact in a short period of time and caused substantial damage to the organizations impacted. So What Really Happened? A third-party accounting package called M.E. Doc (MeDoc), used primarily in Ukraine, was compromised. With any of these early warning signs, there is a lot of information and data to cut through before actually coming to a factual conclusion. Other vectors such as documents, Excel files, and obfuscated HTAs seem to be confused reports on another campaign called Loki Bot. 
Based on the analysis, any organization that had MeDoc installed would be impacted as soon as it was updated. MeDoc is required software in Ukraine – so there was a large footprint among Ukraine-based companies and organizations that do business in Ukraine. There is substantial evidence supporting this as the main method, and it has been confirmed by multiple organizations including Binary Defense. Initial reports indicate that a hosting server, upd.me-doc.com.ua (owned by me-doc), pushed an update 333KB in size. Once the file was updated, much of the magic started to happen. Why Everyone Freaked Unlike WannaCry, Petya used multiple techniques in order to compromise hosts in a very fast timeframe. The first technique was the EternalBlue (MS17-010) exploit. While this was occurring, other things happened on the system: 1. An older version of psexec, v1.98, is dropped onto the system as C:\Windows\dllhost.dat. The version matters because psexec 2.1 introduced encryption for credential authentication. If you monitor command-line arguments, v1.98 exposes the clear-text passwords used for authentication in this specific variant (a good indicator of which accounts were actually used and which passwords were compromised). 2. A technique used by Mimikatz and other tools leveraging lsadump is used to extract clear-text passwords from memory. These are parsed and then used by WMIC and PSEXEC. We can clearly see clear-text passwords being used on the WMIC and PSEXEC command lines. 3. PSEXEC and WMIC are used to attempt to spread across the network using the extracted credentials. For both the PSEXEC and WMIC methods to work, the ADMIN$ hidden share must be exposed and authentication must succeed in order to connect to the remote system. Below is a screenshot of the service creation starting for psexec: 4. 
A file is placed at C:\Windows\perfc.dat which contains the bulk of the code for the post-exploitation stages, including encryption and additional lateral movement using WMIC and PSEXEC. Once perfc.dat is written to disk, it is loaded into memory by rundll32.exe and begins its attacks. Once successful, a scheduled task is created: schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST XX:XX Below is the image once your system is forced to reboot: The system would restart in about an hour. During this period specific file types are encrypted. Below is a screenshot of HoneyDocs being overwritten on the filesystem: For rundll32, you can clearly see the import and execution of code: Note that the clear-text username and password are visible because of the legacy version of psexec. Since the time of the attack, the email address (wowsmith123456 [at] posteo.net) used to contact the authors for the recovery key has been suspended, so recovering the files is not possible (at this time). This means do not pay the ransom. The ability to extract clear-text passwords from memory and move laterally using psexec and WMI, on top of using EternalBlue, makes this specific ransomware attack particularly damaging. We have seen upwards of 5,000 endpoints compromised in less than 15 minutes. These techniques are used by attackers on a regular basis, but the automation components and destructiveness put this variant into a whole different ballgame. Again, these are all techniques leveraged by more targeted attacks and known for years. The tactics and automation used in these cases and the “wormable” component of EternalBlue make this specific ransomware extremely damaging for organizations and the reason for the panic. How to Protect First, one of the main samples and hashes can be found at VirusTotal. 
SHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 Second, through our analysis, Binary Defense discovered that either placing a file at C:\Windows\perfc.dat or denying file writes to C:\Windows\perfc.dat effectively neutralized the ransomware and stopped the replication/spreading of the worm: This can be accomplished through Group Policy by creating a file in that directory. If the perfc.dat file is already in place, the malicious software does not overwrite it, which effectively fixes the issue. Image screenshot credit @TonikJDK and @0daydorpher This attack relied solely on a user having administrative-level rights on the impacted system and, from there, moving across the network with those credentials. Account/password re-use needs to be addressed, and limited user rights on systems would have reduced the impact and effectiveness of this attack. What this Attack Tells Us What this attack tells us is that automation around lateral movement and targeted attacks is a problem. Password reuse continues to be the number one method for attacks to move laterally to different systems. Users with Internet access and local administrative rights are a pervasive problem in a number of organizations. This needs to change. What we can take away from these specific attacks is that we need to focus on best practices. Everything that has been touted in the security industry as a way to enhance the overall security program would have worked in this scenario. 1. Proper patch management – stops the EternalBlue method 2. No administrative-level rights – stops the propagation and the clear-text credential extraction. Dropping the perfc.dat file is only a temporary solution. More proactive measures to eliminate the threat need to be investigated. If proven true, the MeDoc vector will be largely contained to Ukrainian companies or organizations that do business in Ukraine. This could have been much, MUCH worse. 
Special thanks to a number of folks that helped with up-to-date information during the process: @HackingDave (Binary Defense CTO), @0xAmit, and @HackerFantastic Misc. Indicators and Information WMI call: process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1" Targeted Extensions (@GasGeverij): .3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip Source
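As an added example that is not part of the Binary Defense write-up, the Python below runs a few hunting rules over process-creation command lines for the behaviours the article documents: perfc.dat loaded through rundll32, psexec running as C:\Windows\dllhost.dat with a clear-text password on its command line, the WMIC "process call create" call, and the SYSTEM scheduled task that forces the reboot. The sample events, host addresses, account name and password are constructed for the demonstration.

```python
import re

# Constructed process-creation records in a Sysmon/EDR style; not taken from the article.
# The dllhost.dat/perfc.dat paths, the schtasks line and the WMI "process call create"
# pattern come from the write-up; hosts, the account and the password value are made up.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"10.0.0.7" /user:"CORP\svc_backup" /password:"Hunter2!" '
                r'process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"'},
    {"image": r"C:\Windows\dllhost.dat",
     "cmdline": r"C:\Windows\dllhost.dat \\10.0.0.8 -accepteula -s -d -u CORP\svc_backup -p Hunter2! "
                r"C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'},
    {"image": r"C:\Windows\System32\rundll32.exe",          # benign control-panel launch
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Each rule: (finding name, regex applied to "<image> <cmdline>"). Order defines output order.
RULES = [
    ("perfc.dat loaded via rundll32",
     re.compile(r"rundll32(\.exe)?\b.*perfc\.dat", re.I)),
    ("legacy psexec running as dllhost.dat",
     re.compile(r"\\dllhost\.dat(\s|$)", re.I)),
    ("clear-text password on psexec/wmic command line",
     re.compile(r"(?:\s-p\s+\S+|/password:\S+)", re.I)),   # psexec -p / wmic /password:
    ("WMI remote process creation",
     re.compile(r"process\s+call\s+create", re.I)),
    ("forced reboot scheduled as SYSTEM",
     re.compile(r"schtasks.*?/Create.*?shutdown\.exe\s+/r\s+/f", re.I)),
]

def detect(event):
    """Return the name of every rule the event's image path or command line matches."""
    text = f"{event['image']} {event['cmdline']}"
    return [name for name, rx in RULES if rx.search(text)]

def scan(events):
    """Map each suspicious command line to its findings; events with no hits are dropped."""
    report = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            report[ev["cmdline"]] = hits
    return report

if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_EVENTS).items():
        print(f"{cmd[:60]:60} -> {', '.join(hits)}")
```

In production the same `detect` would be fed Sysmon Event ID 1 or EDR process records instead of the embedded list; the benign rundll32 line shows the perfc rule does not fire on ordinary rundll32 use.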