Ransomware and Recent Variants

Trooper · Jun 3, 2017

itman said: ↑

You probably failed the ICMP echo reply test.

Also note that when you run the GRC Shields Up test, the test is being performed against your router's WAN side ports if you use a router. So it is the router's firewall that is performing port access control; not your PC based firewall.
Click to expand...

That was it exactly. I understand how the test works but. Me being out of it of late forgot that my Asus Router is not my router at the moment, its in access point mode. Had to log into my crappy Verizon Actiontec router and sure enough, ICMP was turned on. Disabled it and all is well again. Thanks man.

itman · Jun 5, 2017

Jaff ransomware server also hosting Dark Web PII fencing operation

Starting in early May, Jaff has proliferated at an incredible rate. A typical Jaff attack starts with a phishing email requesting the recipient download a PDF, which when open prompts the person to click on an additional file which drops the malware.

Forcepoint reported that within a four-hour period, the number of Jaff attacks observed by its systems totaled 13 million, with traffic volumes peaking at nearly 5 million attack emails per hour. Check Point Software Technologies reported that at one point, its global sensors detected an infection rate of approximately 10,000 emails sent per hour. And Cisco Talos reported observing over 100,000 malicious messages over two separate campaigns.

From a volume standpoint this is much larger than WannaCry which infected about 300,000 computers.
Click to expand...

https://www.scmagazine.com/jaff-ran...ark-web-pii-fencing-operation/article/666461/

ronjor · Jun 12, 2017

ronjor said: ↑

Erebus Ransomware Bypasses UAC for Privilege Elevation
Click to expand...

South Korean web hosting company infected by Erebus ransomware

By Ms. Smith, Network World | Jun 12, 2017 7:36 AM PT
An Erebus ransomware attack hit a web hosting company, infecting thousands of South Korean sites. The ransom demand is ridiculously high.
Click to expand...

ronjor · Jun 12, 2017

MacRansom RaaS Potentially Created by Copycats

By Ionut Arghire on June 12, 2017
A newly discovered ransomware family targeting Mac users is using the Ransomware-as-a-service (RaaS) distribution model and uses code copied from previous MacOS ransomware, Fortinet researchers warn.
Click to expand...

itman · Jun 12, 2017

GPAA Ransomware Shows the Depravity of Some Ransomware Developers

I have been following ransomware since they first started becoming popular in 2012 (ACCDFISA) and 2013 (CryptoLocker). For the most part, ransomware developers create generic ransom notes that provide information as to what has happened and payment instructions on how to get files back.

A few times we have seen some really scumbag moves by developers, such as Popcorn Time telling victims to infect other people to possibly get a free decryption key. Today, though, Michael Gillespie discovered a ransom note uploaded to ID-Ransomware that simply left me disgusted.

This ransom note is titled "Save Children" and shows a picture of a starving 2 year old Nigerian orphan who was being given aid by humanitarian worker. This note then goes on to say that the ransomware victim is now part of the fictitious GPAA, or Global Poverty Aid Agency, which they state is a crowdfunding campaign to raise 1000 bitcoins to save children.

What you need to know about the GPAA Ransomware
Fabian Wosar of Emsisoft has looked into this ransomware and has determined that it is not able to be decrypted for free. Therefore, please restore from backups or try restoring from shadow volume copies if at all possible so you do not have to pay these people.

When a file is encrypted it will scramble the file name and append the .cerber6 extension to the encrypted file. For example, a file named test.jpg could be encrypted and renamed as 2BiwaFbX6wlPaDSy.cerber6.

This ransomware does not leave an autorun and deletes the executable after running. It will drop ransom note, as shown above, named !READ.htm in each folder that a file is encrypted and on the Desktop.
Click to expand...

https://www.bleepingcomputer.com/ne...-the-depravity-of-some-ransomware-developers/

Minimalist · Jun 14, 2017

Decryption utility unlocks files encrypted by Jaff ransomware

A weakness discovered in Jaff ransomware by researchers has led to the creation of decryption keys to unlock files locked by the malware.

“We have found a vulnerability in Jaff’s code for all the variants to date. Thanks to this, it is now possible to recover users’ files (encrypted with the .jaff, .wlu, or .sVn extensions) for free,” Kaspersky Lab said in a prepared statement announcing the availability of the decryption keys.
Click to expand...

https://threatpost.com/decryption-utility-unlocks-files-encrypted-by-jaff-ransomware

itman · Jun 14, 2017

Decrypted: Kaspersky Releases Decryptor for the Jaff Ransomware

We are happy to report that the Fedor Sinitsyn, a senior malware analyst at Kaspersky Labs, has discovered a weakness in the Jaff ransomware and was able to release a decryptor for all variants that have been released to date. For those who were infected with the Jaff Ransomware and had their files encrypted with the .jaff, .wlu, or .sVn extensions, this decryptor can recover your files for free.

While using the decryptor, if you have any questions or need support in decrypting your files, please feel free to post in our dedicated Jaff Ransomware Help & Support Topic.
Click to expand...

https://www.bleepingcomputer.com/ne...y-releases-decryptor-for-the-jaff-ransomware/

Minimalist · Jun 15, 2017

Analyzing the Fileless, Code-injecting SOREBRECT Ransomware

Fileless threats and ransomware aren’t new, but a malware that incorporates a combination of their characteristics can be dangerous. Take for instance the fileless, code-injecting ransomware we’ve uncovered—SOREBRECT, which Trend Micro detects as RANSOM_SOREBRECT.A and RANSOM_SOREBRECT.B.
Click to expand...

http://blog.trendmicro.com/trendlab...fileless-code-injecting-sorebrect-ransomware/

ronjor · Jun 20, 2017

ronjor said: ↑

South Korean web hosting company infected by Erebus ransomware
Click to expand...

Korean Hoster Coughs Up $1 Million to Ransomware Extorters

Phil Muncaster UK / EMEA News Reporter , Infosecurity Magazine 20 Jun 2017
A South Korean web hosting firm has agreed to pay over $1m in Bitcoins (BTC) to regain access to its files after it and thousands of businesses it supports were hit by ransomware last week.
Click to expand...

itman · Jun 20, 2017

ronjor said: ↑

Korean Hoster Coughs Up $1 Million to Ransomware Extorters
Click to expand...

Ouch!

Also Linux based:

Nayana was infected by the Erebus ransomware, hitting 153 of its Linux servers and over 3400 customer websites, according to Trend Micro.
Click to expand...

With that kind of money payout, maybe the hackers will shift in mass to Linux platform and leave us Windows users alone.

boredog · Jun 20, 2017

itman said: ↑

Ouch!

Also Linux based:

With that kind of money payout, maybe the hackers will shift in mass to Linux platform and leave us Windows users alone.
Click to expand...

Linux systems have been targeted a lot in the past 10 years. Because the bad guys know there are a lot of Linux based servers world wide. Most of the distros seems to very fast to patch things though. I been running Kubuntu for two years on my sisters computer and she know nothing about computers. When I get the urge I run Mint from a USB stick. It is a very fast OS even run form a USB stick.

Minimalist · Jun 21, 2017

Spotlight on ransomware: Ransomware encryption methods

A ransomware infection is one of the fastest ways to have all of your personal files encrypted and potentially lost forever. Employing encryption makes the criminal’s threat credible and gives malware authors control over your data. With encryption methods employed getting more and more sophisticated, it is becoming harder for the good guys to provide free help.

Follow us as we explain what file encryption is, the different methods ransomware developers use and why understanding encryption is crucial to recovering victims’ files.
Click to expand...

http://blog.emsisoft.com/2017/06/21/ransomware-encryption-methods/

guest · Jun 21, 2017

Trend Micro Ransomware File Decryptor is designed to decrypt files that have been encrypted by 25 families of known ransomware.
[...] is not an automatic scanner and remover.
Instead, it requires you know, or identify, what family of ransomware you are infected with. When you start using the app, you select the ransomware name you're infected with, then choose the file or folder you want to decrypt.
Optionally, you can select "I don't know the ransomware name" and go directly to the file or folders you want to decrypt.
Click to expand...

http://www.majorgeeks.com/files/details/trend_micro_ransomware_file_decryptor.html
or
https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221

itman · Jun 24, 2017

Do porn and your smart phone will go blind ..................

Koler Android Ransomware Targets the US with Fake PornHub Apps

New Koler campaign detected this past week
This extortion tactic was seen this past week by ESET security researcher Lukas Stefanko, who discovered an ongoing campaign that was pushing fake PornHub apps infected with the Koler ransomware, spread via shady adult-themed websites.
Click to expand...

https://www.bleepingcomputer.com/ne...omware-targets-the-us-with-fake-pornhub-apps/

ronjor · Jun 28, 2017

New ransomware, old techniques: Petya adds worm capabilities

msft-mmpcJune 27, 2017
On June 27, 2017 reports of a ransomware infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.

The new ransomware has worm capabilities, which allows it to move laterally across infected networks. Based on our investigation, this new ransomware shares similar codes and is a new variant of Ransom:Win32/Petya. This new strain of ransomware, however, is more sophisticated.
Click to expand...

lotuseclat79 · Jun 29, 2017

Ransomware Is a Real Threat, but Don’t Forget the Botnets

There’s a far more potent security threat to worry about.
Click to expand...

-- Tom

Minimalist · Jul 7, 2017

The master key to the original version of the Petya ransomware – not to be confused with the latest and massive Petya/ExPetr outbreak that swept through the Ukraine and parts of Europe last month – has been released, allowing all the victims of previous Petya attacks to unscramble their encrypted files.

According to researchers, the author of the original Petya ransomware, which goes by the pseudonym Janus, made the key available on Wednesday.
Click to expand...

https://threatpost.com/decryption-key-to-original-petya-ransomware-released

Minimalist · Jul 12, 2017

Decrypt latest Nemucod ransomware with Emsisoft’s free decrypter

The Nemucod ransomware family has been around for a while and has gone through several evolutions and changes since then. Previous attempts of extorting money were thwarted by the release of our decrypter to help victims release their files for free.

Amidst the noise of the NotPetya ransomware outbreak, a new variant of Nemucod dubbed NemucodAES was released that made changes to the encryption mechanism as well as introduced a facelift of its ransom note.

Not to be outplayed by cyber criminals our lab promptly went to work and produced a new version of our decrypter to handle NemucodAES.
Click to expand...

http://blog.emsisoft.com/2017/07/12/nemucodaes-ransomware-removal-decrypt/

guest · Jul 14, 2017

360 Ransomware Decryption Tool released. Stay safe from Petya and WannaCry!
To fight against cybercriminals, 360 has created Ransomware Decryption Tool to save computers hijacked by ransomware. This tool can bring back files from more than 80 ransomware. Petya, GoldenEye and their notorious precedent WannaCry are all on the decryption support list.
Click to expand...

https://blog.360totalsecurity.com/en/ransomware-decryption-tool-petya-wannacry-released/

Alternative download:
http://www.majorgeeks.com/files/details/360_ransomware_decryption_tools.html

itman · Jul 15, 2017

Petya malware behavior may change based on AV installed

Researchers found changes in malware behavior when Petya detected certain security products, but experts are unsure why these features might exist.

Bogdan Botezatu, senior e-threat analyst for BitDefender, noted in a white paper that the Petya malware (also referred to as NotPetya, GoldenEye, ExPetr, PetrWrap, etc by various sources) used a different process when attacking a system that has Kaspersky security products on it.

"This process has been inaccurately reported by the research community as potentially destructive to the data stored on the disk drive. This is wrong, as the first 10 sectors of the disk only hold the Master Boot Record [MBR] and nine other empty sectors," Botezatu wrote in the research. "If AVP.exe (a process related to Kaspersky security solutions) is identified on the infected machine, the malware simply overwrites the MBR -- a reversible operation that can be counteracted by booting from an installation medium, then issuing the FIXMBR command. As this command replaces the MBR with a valid one but does not fix the partition table (partition is still missing), victims have to use dedicated software to reference the partition in the partition table, then root FIXBOOT to recover the lost sector of the Windows Boot Manager."
Click to expand...

http://searchsecurity.techtarget.co...are-behavior-may-change-based-on-AV-installed

hawki · Jul 24, 2017

Minimalist said: ↑

"SLocker Android Ransomware Resurfaces in Undetectable Form"
https://www.infosecurity-magazine.com/news/slocker-android-ransomware/
Click to expand...

"Android’s WannaCry “SLocker” source leaks online

A piece of mobile ransomware that mimics the methods of WannaCry malware has leaked online. The source code for the malicious software has been spilled to the web, allowing this “SLocker” to be downloaded and spread ad infinitum. The source code might also give security experts an easy way to ramp up protection against the malicious code..."

https://www.slashgear.com/androids-...-leaks-online-heres-how-to-avoid-it-24492714/

ronjor · Aug 4, 2017

Now Cerber ransomware wants to steal your Bitcoin wallets and passwords too

By Danny Palmer | August 4, 2017 -- 10:47 GMT (03:47 PDT)
One of the worst forms of ransomware has suddenly become even worse in an effort to make its malicious authors more money.
Click to expand...

itman · Aug 9, 2017

Locky Ransomware Returns with Spam Campaign Pushing Diablo6 Variant

Through a large malspam campaign, Locky is back and currently being heavily distributed worldwide. While Locky was at one point considered the largest distributed ransomware, over time it became much more common to see other ransomware such as Cerber, Spora, and now even GlobeImposter. While it is too soon to tell if this is just another brief surge or an attempt to become a large player again, what we do know is that this particular campaign is strong with a wide distribution.

Locky Diablo6 variant being distributed via Spam Emails
Today, security researcher Racco42 discovered a new Locky malspam campaign that was pushing a new Locky variant that appends the .diablo6 extension. This campaign is being distributed through spam emails that contain subject lines similar to E [date] (random_numer).docx. For example, E 2017-08-09 (69.docx. The message body simply states "Files attached. Thanks".
Click to expand...

https://www.bleepingcomputer.com/ne...s-with-spam-campaign-pushing-diablo6-variant/

itman · Aug 15, 2017

Cerber ransomware using Magnitude EK and binary padding

Cerber ransomware delivering in a Magnitude exploit kit (EK) using an interesting technique, Malwarebyte researchers have discovered.

The Magnitude EK uses its own gate and continues to evolve new tricks and techniques to avoid detection and is notorious for distributing the Cerber ransomware to certain geolocations, such as South Korea. Researchers have noted the EK using Internet Explorer vulnerabilities without needing to use Flash exploits, Malwarebytes Lead Malware Intelligence Analyst Jerome Segura said in an Aug. 9 blog post.

The EK uses a XML configuration to retrieve the Cerber payload and has been seen in the wild before. The EK also uses a binary padding technique in an attempt to bypass certain security scanners.

“Any antivirus scanner that ignores files above a certain size threshold would miss detecting these kinds of binaries,” Segura told SC Media. “A way to circumvent this limitation is to block malware before it gets downloaded or detect its malicious behavior once it has executed.”

The malware is spread via malvertising.
Click to expand...

https://www.scmagazine.com/cerber-s...s-own-gate-and-binary-padding/article/681188/

Minimalist · Aug 15, 2017

Spotlight on ransomware: Ransomware payment methods

Cybercriminals are getting more brazen, demanding bigger and bigger ransoms to decrypt the files they’ve hijacked – and it’s possible we could see demands from cyber criminals grow even more outrageous in years ahead. The average ransom amount increased from $294 in 2015 to a whopping $1,077 in 2016, according to figures collated in a recent internet security report. The malware has also become more diverse, with the number of ransomware families more than tripling (from 30 to 101) between 2015 and 2016.

Ransomware has never been more lucrative, but what exactly is making it so easy for cybercriminals to cash in on unsuspecting users?
Click to expand...

http://blog.emsisoft.com/2017/08/15/ransomware-payment-methods/

Log in or Sign up

Ransomware and Recent Variants

Trooper Registered Member

itman Registered Member

ronjor Global Moderator

ronjor Global Moderator

itman Registered Member

Minimalist Registered Member

itman Registered Member

Minimalist Registered Member

ronjor Global Moderator

itman Registered Member

boredog Registered Member

Minimalist Registered Member

guest Guest

itman Registered Member

ronjor Global Moderator

lotuseclat79 Registered Member

Minimalist Registered Member

Minimalist Registered Member

guest Guest

itman Registered Member

hawki Registered Member

ronjor Global Moderator

itman Registered Member

itman Registered Member

Minimalist Registered Member

Log in or Sign up

Ransomware and Recent Variants

Trooper Registered Member

itman Registered Member

ronjor Global Moderator

ronjor Global Moderator

itman Registered Member

Minimalist Registered Member

itman Registered Member

Minimalist Registered Member

ronjor Global Moderator

itman Registered Member

boredog Registered Member

Minimalist Registered Member

guest Guest

itman Registered Member

ronjor Global Moderator

lotuseclat79 Registered Member

Minimalist Registered Member

Minimalist Registered Member

guest Guest

itman Registered Member

hawki Registered Member

ronjor Global Moderator

itman Registered Member

itman Registered Member

Minimalist Registered Member

Useful Searches