Ransomware and Recent Variants

ronjor · Nov 30, 2016

Cerber Ransomware Delivered via Google, Tor2web

By Eduard Kovacs on November 30, 2016
A new version of the Cerber ransomware has been delivered by cybercriminals using spam emails, Google links, the Tor2web proxy service and malicious macro-enabled Word documents.
Click to expand...

ronjor · Dec 1, 2016

Kelihos Botnet Spreading Troldesh Ransomware

By Ionut Arghire on December 01, 2016
The Kelihos botnet has switched to dropping ransomware onto targeted computers, and is currently spreading the Troldesh malware family, security researchers warn.
Click to expand...

itman · Dec 1, 2016

Minimalist said: ↑

Customers of Liechtenstein banks blackmailed by ransomware

http://securityaffairs.co/wordpress/53891/malware/liechtenstein-banks-ransomware.html
Click to expand...

FYI - this attack was not ransomware per se. The hackers stole bank account info which they are threatening to disclose if a "ransom" is not paid. No account holders PCs or the like were encrypted.

Minimalist · Dec 1, 2016

itman said: ↑

FYI - this attack was not ransomware per se. The hackers stole bank account info which they are threatening to disclose if a "ransom" is not paid. No account holders PCs or the like were encrypted.
Click to expand...

Yes, you're right. They even changed article title to: "Customers of Liechtenstein banks blackmailed after data breach"

lotuseclat79 · Dec 2, 2016

New decryption tool for Crysis ransomware

Since it first appeared, ransomware’s profitable business – in short, compromising and encrypting data belonging to companies and users and requesting payment in exchange for the restoration of infected files –has grown rapidly.

One of the threats that has had a significant impact and infected a considerable number of users worldwide was the family detected by ESET solutions as Win32/Filecoder.Crysis. However, and luckily, ESET has developed a free tool to decrypt files and recover the information that might have been compromised.
Click to expand...

-- Tom

ronjor · Dec 7, 2016

Locky Variant Osiris Distributed via Excel Documents

By Ionut Arghire on December 07, 2016
The infamous Locky ransomware has once again switched to a new extension to append to encrypted files, but reverted to malicious Office documents for distribution, security researchers have discovered.
Click to expand...

ronjor · Dec 8, 2016

Petya Variant Goldeneye Emerges

By Ionut Arghire on December 08, 2016
A variant of the Petya ransomware has emerged recently, which has been renamed to Goldeneye, but shows almost no differences when compared to the original, security researchers warn.
Click to expand...

Minimalist · Dec 9, 2016

Ransomware gives free decryption keys to victims who infect others

Researchers say they have uncovered ransomware still under development that comes with a novel and nasty twist. Infected victims of the ransomware known as Popcorn Time, have the option to either pay up, or they can opt to infect two others using a referral link. If the two new ransomware targets pay the ransom, the original target receives a free key to unlock files on their PC.
Click to expand...

https://threatpost.com/ransomware-gives-free-decryption-keys-to-victims-who-infect-others

Victek · Dec 9, 2016

Minimalist said: ↑

Ransomware gives free decryption keys to victims who infect others

https://threatpost.com/ransomware-gives-free-decryption-keys-to-victims-who-infect-others
Click to expand...

Good luck to anyone who tries this as they will be participating in a felony.

Dermot7 · Dec 10, 2016

In March of this year, Unit 42 investigated the SamSa actors that were attacking the healthcare industry with targeted ransomware. With this group being active for roughly one year, we decided to revisit this threat to determine what, if any, changes had been made to their toolset. In doing so, we discovered that it’s been a very profitable year for SamSa, with an estimated $450,000 in ransom payments from samples we have identified. This blog serves to discuss changes made by this group and the SamSa malware family since we last discussed them.
Click to expand...

http://researchcenter.paloaltonetworks.com/2016/12/unit42-samsa-ransomware-attacks-year-review/

Minimalist · Dec 20, 2016

New Decryptor unlocks Cryptxxx V3 files

Researchers have neutralized the threat of the latest strain of the CryptXXX v.3 ransomware, releasing a decryption tool for unlocking files, and have added it to the RannohDecryptor, a free utility hosted by Kaspersky Lab’s No Ransom Project.
Click to expand...

https://threatpost.com/new-decryptor-unlocks-cryptxxx-v3-files

ronjor · Dec 22, 2016

No slowdown in Cerber ransomware activity as 2016 draws to a close

msft-mmpcmsft-mmpcDecember 21, 2016
As everybody else winds down for the holidays, the cybercriminals behind Cerber are busy ramping up their operations.
Following our discovery of a spam campaign that takes advantage of holiday shopping, we found two new campaigns that continue distributing the latest variants of Cerber ransomware. These campaigns are the latest in a series of persistent cybercriminal efforts that keep Cerber constantly active.
Click to expand...

ronjor · Dec 28, 2016

Destructive KillDisk Malware Turns Into Ransomware

By Eduard Kovacs on December 28, 2016
A recently discovered variant of the KillDisk malware encrypts files and holds them for ransom instead of deleting them. Since KillDisk has been used in attacks aimed at industrial control systems (ICS), experts are concerned that threat actors may be bringing ransomware into the industrial domain.
Click to expand...

ronjor · Jan 4, 2017

Pseudo-Darkleech Remains Prominent Distributer of Ransomware

By Ionut Arghire on January 04, 2017
Regardless of these changes, however, the infection pattern associated with the pseudo-Darkleech campaign remains the same. When a victim visits a compromised website with a malicious injected script, they are redirected to an EK landing page designed to fingerprint the computer to find vulnerable applications and exploit them, after which the machine is infected with ransomware.
Click to expand...

ronjor · Jan 5, 2017

FireCrypt Ransomware Packs DDoS Code

By Ionut Arghire on January 05, 2017
Ransomware has become a menace for both consumers and enterprises, and malware authors appear determined to take the threat to the next level by adding new capabilities, such as distributed denial of service (DDoS) functionality.
Click to expand...

Minimalist · Jan 5, 2017

Koolova Ransomware decrypts files if victims read 2 posts about Ransomware

Now a new strain of ransomware dubbed Koolova appeared in the wild with a very singular feature. The Koolova ransomware will decrypt the encrypted files for free it the victim read two articles about how to avoid ransomware infection.
Once the Koolova ransomware infected a machine, it encrypts the files and then displays a warning screen where the text instructs the victim to open and read two awareness posts before they can get the ransomware decryption key.
Click to expand...

http://securityaffairs.co/wordpress/55072/malware/koolova-ransomware.html

ronjor · Jan 6, 2017

This ransomware scheme is targeting schools, colleges and head teachers, warn police

By Danny Palmer | January 6, 2017 -- 11:09 GMT (03:09 PST)
Police warn about scam that begins with cybercriminals phoning schools for details of head teachers.
Click to expand...

itman · Jan 9, 2017

ronjor said: ↑

This ransomware scheme is targeting schools, colleges and head teachers, warn police
Click to expand...

Also read about this on bleepingcomputer.com: https://www.bleepingcomputer.com/ne...nd-tricking-staff-into-installing-ransomware/

Very effective spear phishing attack. I guess educators in the UK haven't heard of the concept of two factor authentication? If you get an unsolicited call about receiving an e-mail on the subject matter mentioned, you call the source organization mentioned for a second verification. Or in the wild world of digital communication, never ever trust anything.

wat0114 · Jan 9, 2017

itman said: ↑

Also read about this on bleepingcomputer.com: https://www.bleepingcomputer.com/ne...nd-tricking-staff-into-installing-ransomware/

Very effective spear phishing attack.
Click to expand...

Sadly true, but it shouldn't be. Unfortunately there're enough people stupid enough to fall for it, including the teachers who open the zipped attachments.

If you get an unsolicited call about receiving an e-mail on the subject matter mentioned, you call the source organization mentioned for a second verification.
Click to expand...

Better yet, hang up on them. I suppose, if they have the time and patience, they could even ask for a name and callback number.

Or in the wild world of digital communication, never ever trust anything.
Click to expand...

Agreed!

From the bleepingcomputer article:

According to ActionFraud experts, the scammers are easy to recognize because they make a simple mistake. During their phone calls, they claim to be from the Department of Education, but the Department's real title is the Department for Education. This small detail could help British schools identify scammers during their initial calls.
Click to expand...

It's as though they are implying if they got the title right, they should be trusted!? Unbelievable. Anyone calling and claiming to be from an official department asking for email addresses of others should immediately be treated as suspicious, even if they happen to get the official title right, and especially if identity of the caller can't be verified.
Click to expand...

Minimalist · Jan 10, 2017

The Los Angeles Community College District paid a $28,000 ransom to decrypt its files

A Los Angeles school has paid a US$28,000 ransomware after crooks compromised its network. Cyber criminals encrypted computer services, including email systems, at the Los Angeles Community College District. The ransomware used in the attack encrypted hundreds of thousands of files on New Years Eve. This is one of the highest publicly-known ransomware demands to be paid.

The school opted to pay the ransom because it failed to backup its data belonging 1,800 staff and 20,000 students.
Click to expand...

http://securityaffairs.co/wordpress/55228/malware/los-angeles-community-college-district.html

Minimalist · Jan 12, 2017

Spora Ransomware allows victims to pay for immunity from future attacks

Security experts from Emsisoft spotted a new strain of ransomware dubbed Spora that implements a singular extortion mechanism, it allows potential victims to pay for immunity from future attacks.
According to the experts, the Spora ransomware appears well-written, it has a professional website for payment and offers several options to the victims that can pay to recover files, to remove the malware, and to gain immunity from future attacks.
Click to expand...

http://securityaffairs.co/wordpress/55260/malware/spora-ransomware.html

Peter2150 · Jan 12, 2017

Minimalist said: ↑

Spora Ransomware allows victims to pay for immunity from future attacks

http://securityaffairs.co/wordpress/55260/malware/spora-ransomware.html
Click to expand...

Yep and how does that help them with the other snakes out there.

Minimalist · Jan 12, 2017

Peter2150 said: ↑

Yep and how does that help them with the other snakes out there.
Click to expand...

I don't think that paying immunity fee will protect against another infections, but I wouldn't be surprised if some of the victims paid for their "immunity".

Peter2150 · Jan 12, 2017

PT Barnum said it best

Minimalist · Jan 12, 2017

You mean a phrase: "There's a sucker born every minute"?
I had to google it and I agree with you

Log in or Sign up

Ransomware and Recent Variants

ronjor Global Moderator

ronjor Global Moderator

itman Registered Member

Minimalist Registered Member

lotuseclat79 Registered Member

ronjor Global Moderator

ronjor Global Moderator

Minimalist Registered Member

Victek Registered Member

Dermot7 Registered Member

Minimalist Registered Member

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

Minimalist Registered Member

ronjor Global Moderator

itman Registered Member

wat0114 Registered Member

Minimalist Registered Member

Minimalist Registered Member

Peter2150 Global Moderator

Minimalist Registered Member

Peter2150 Global Moderator

Minimalist Registered Member

Log in or Sign up

Ransomware and Recent Variants

ronjor Global Moderator

ronjor Global Moderator

itman Registered Member

Minimalist Registered Member

lotuseclat79 Registered Member

ronjor Global Moderator

ronjor Global Moderator

Minimalist Registered Member

Victek Registered Member

Dermot7 Registered Member

Minimalist Registered Member

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

ronjor Global Moderator

Minimalist Registered Member

ronjor Global Moderator

itman Registered Member

wat0114 Registered Member

Minimalist Registered Member

Minimalist Registered Member

Peter2150 Global Moderator

Minimalist Registered Member

Peter2150 Global Moderator

Minimalist Registered Member

Useful Searches