Ransomware and Recent Variants

guest · Mar 29, 2018

Mole66 Cryptomix Ransomware Variant Released
March 29, 2018
https://www.bleepingcomputer.com/news/security/mole66-cryptomix-ransomware-variant-released/

Today MalwareHunterTeam discovered a new variant of the Cryptomix Ransomware that appends the .MOLE66 extension to encrypted files, changes the contact email, and slightly changes the ransom note's name. In the past, we used to see new Cryptomix variants a few times a month, but this time it has been almost 2 months since the previous System variant was released.

While the encryption methods stay the same in this variant, there have been some slight differences. The ransom note is has been slightly changed to _HELP_INSTRUCTIONS_.TXT
The next noticeable change is the extension appended to encrypted files. With this version, when a file is encrypted by the ransomware, it will modify the filename and then append the .MOLE66 extension to encrypted file's name.

Unfortunately, at this time the ransomware cannot be decrypted for free.
Click to expand...

guest · Mar 30, 2018

The Week in Ransomware - March 30th 2018 - Mostly Small Variants
March 30, 2018
https://www.bleepingcomputer.com/ne...omware-march-30th-2018-mostly-small-variants/

It was mostly small variants released this week. We did have a new Cryptomix variant released, a wiper called UselessDisk disguised as a ransomware, and a strange report that Boeing had been infected with WannaCry. Overall, though, it has been a slow week.
[...]
Click to expand...

Minimalist · Mar 30, 2018

Systems at a Power Company in India infected by a ransomware

The Uttar Haryana Bijli Vitran Nigam power company in India was hacked last week, attackers breached into its computer systems and stole the billing data of their customers.

The hackers demanded 10 million Rupees to get the data back (roughly $152,000 USD).
Click to expand...

https://securityaffairs.co/wordpress/70836/hacking/power-company-ransomware.html

guest · Apr 3, 2018

Decrypters for Some Versions of Magniber Ransomware Released
April 3, 2018
https://www.bleepingcomputer.com/ne...ome-versions-of-magniber-ransomware-released/

Security researchers from AhnLab, a South Korea-based cyber-security firm, have created decrypters for some versions of the Magniber ransomware.

The decrypters are available for download from AhnLab's website, either from here or here. Usage instructions are included in the first link.
Researchers deliver on their promise
The Magniber ransomware first appeared in mid-October 2017. The ransomware replaced the Cerber ransomware as the primary ransomware payload distributed via the Magnitude exploit kit.

Back in October last year, several security researchers told Bleeping Computer that the ransomware appeared to be decryptable. Now, the AhnLab team has finally managed to find a chink in Magniber's armor.
Click to expand...

Minimalist · Apr 4, 2018

Less Than 30 Percent of IT Security Executives Can Prevent Ransomware Attacks, Survey Reveals

Less than 30 percent of IT security executives who responded to a recent survey reported that they would be able to prevent large-scale ransomware attacks.
Click to expand...

https://securityintelligence.com/ne...an-prevent-ransomware-attacks-survey-reveals/

guest · Apr 5, 2018

The WhiteRose Ransomware Is Decryptable & Tells A Strange Story
April 5, 2018
https://www.bleepingcomputer.com/ne...are-is-decryptable-and-tells-a-strange-story/

A new ransomware has been discovered by MalwareHunterTeam that is based off of the InfiniteTear ransomware family, of which BlackRuby and Zenis are members. When this ransomware infects a computer it will encrypt the files, scramble the filenames, and append the .WHITEROSE extension to them.

It is not currently known for sure how this ransomware is being distributed, but reports indicate it is being manually installed by hacking into Remote Desktop services. Furthermore, based on the submissions to ID-Ransomware, the developer of this ransomware appears to be targeting European countries, with a strong focus on Spain.
The WhiteRose ransom note reads like a poem
Both the BlackRuby Ransomware and now WhiteRose have ransom notes that read more like an assignment from a creative writing course rather than a ransom demand.
[...] This is definitely a step up from BlackRuby's ransom note, which was nonsense. The full text of the ransom note can be found at the end of this article.
Click to expand...

guest · Apr 6, 2018

LockCrypt Ransomware Cracked Due to Bad Crypto
April 6, 2018
https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-cracked-due-to-bad-crypto/

The flaw —explained in a Malwarebytes report here— resides in the fact that the LockCrypt crew decided to roll out a custom encryption scheme instead of using proven systems.

Researchers' efforts were also aided after discovering a LockCrypt sample that was not obfuscated or crypted, allowing investigators access to the ransomware's internal structure in great detail.
LockCrypt ransomware installed after RDP attacks
There was little activity from this ransomware variant because the LockCrypt group didn't mass-distribute their malware via email spam or exploit kits, but they broke into organizations' networks via RDP and manually installed the ransomware on compromised computers.
LockCrypt described as sloppy, unprofessional
" [...] Authors don’t take much time preparing the attack or the payload. Instead, they’re rather focused on a fast and easy gain, rather than on creating something for the long run. Because of this, they could easily be defeated."
Click to expand...

guest · Apr 6, 2018

The Week in Ransomware - April 6th 2018 - Office 365 File Restore & Decryptors
April 6, 2018
https://www.bleepingcomputer.com/ne...-2018-office-365-file-restore-and-decryptors/

This week we saw the release of new decrypters for Magniber, LockCrypt, and WhiteRose. The other big news is that addition of ransomware detection and file restore in Office 365. Otherwise, it has mostly been small variants that were released this week. [...]
Click to expand...

guest · Apr 7, 2018

New Matrix Ransomware Variants Installed Via Hacked Remote Desktop Services
April 7, 2018
https://www.bleepingcomputer.com/ne...installed-via-hacked-remote-desktop-services/

Two new Matrix Ransomware variants were discovered this week by MalwareHunterTeam that are being installed through hacked Remote Desktop services. While both of these variants encrypt your computer's files, one is a bit more advanced with more debugging messages and the use of cipher to wipe free space.
Two different variants being distributed
Currently there are two different Matrix variants being distributed at this time. Both variants are being installed over hacked RDP, encrypt unmapped network shares, display status windows while encrypting, clear shadow volume copies, and encrypt the filenames. [...]
How to protect yourself from the Matrix Ransomware
In order to protect yourself from ransomware in general, it is important that you use good computing habits and security software. [...] It is also important to setup proper account lockout policies so that it makes it difficult for accounts to be brute forced over Remote Desktop Services. [...]
Click to expand...

stapp · Apr 9, 2018

PUBG Ransomware Decrypts Your Files If You Play PlayerUnknown's Battlegrounds

In what could only be a joke, a new ransomware has been discovered called "PUBG Ransomware" that will decrypt your files if you play the game called PlayerUnknown's Battlegrounds.
Click to expand...

https://www.bleepingcomputer.com/ne...les-if-you-play-playerunknowns-battlegrounds/

ronjor · Apr 10, 2018

Ongoing Threat of Ransomware

Original release date: April 09, 2018
NCCIC has observed an increase in ransomware attacks across the world. Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.
NCCIC encourages users and administrators to review its Ransomware page and the U.S. Government Interagency Joint Guidance for further information.
Click to expand...

ronjor · Apr 10, 2018

Verizon DBIR: Ransomware Attacks Double for Second Year in a Row

Sara Peters 4/10/2018
After doubling in 2016, the frequency of ransomware attacks doubled again in 2017, according to findings in the latest Verizon Data Breach Investigations Report (DBIR)
Click to expand...

.

guest · Apr 11, 2018

Four out of Five Ransomware Victims Would Pay the Ransom Again
April 11, 2018
https://www.bleepingcomputer.com/ne...ansomware-victims-would-pay-the-ransom-again/

Around four out of five ransomware victims who paid a ransom demand to recover their files said they would pay the ransom again to recover data if no backup files are available.
Most paying victims were able to recover their files
According to the survey's results, respondents reported an increase in ransomware attacks in 2017, compared to similar surveys carried out in previous years.

Of all the infected users, 47% of Asians and Australians, and 41% of Europeans paid the ransom demand in order to recover access to their encrypted files.

Telstra says that 87% of Asians, 86% of Australians, and 82% of Europeans were able to recover their files after paying the ransom.
Most victims would pay the ransom again
Of those who paid the ransom —76% of Asians, 83% of Australins, and 80% of Europeans— said they'd pay the ransom again if they didn't have backup files available.
Click to expand...

Minimalist · Apr 13, 2018

The Week in Ransomware - April 13th 2018 - PUBG Ransomware, Matrix, and More

Not too much new ransomware released this week, but rather just general ransomware news. One item of interest was the joke ransomware called PUBG Ransomware that made you play Player's Unknown Battleground in order to decrypt your files. Other than that, it was just news about new variants that were released or about variations of existing ones.
Click to expand...

https://www.bleepingcomputer.com/ne...il-13th-2018-pubg-ransomware-matrix-and-more/

guest · Apr 19, 2018

Minecraft & CS:GO Ransomware Strive For Media Attention
April 18, 2018
https://www.bleepingcomputer.com/ne...-cs-go-ransomware-strive-for-media-attention/

Discovered by MalwareHunterTeam, neither of these programs actually encrypt any files on the computer. Instead they just display a Window that waits for a particular game related program to launch.
MC Ransomware
The first one is MC Ransomware, which we expect will force a user to play Minecraft in order to decrypt their files if encryption functionality is ever added. MalwareHunterTeam found 11 different samples of this infection, but when I checked them, the differences were minor between the first and latest one where they fixed a bug in the process detection routine.
CSGO Ransomware
The second variant is called CSGO Ransomware and it waits for an executable that contains the string "csgo" to be executed. This program had 7 different variants, with the latest one fixing a bug in the amount of time played being displayed.
Like MC Ransomware, this program does not encrypt anything.
Ransomware is not a joke
Be smart people. Don't create malware for educational and joke purposes. No good can come out of it.
Click to expand...

guest · Apr 20, 2018

RansSIRIA Ransomware Takes Advantage of the Syrian Refugee Crisis
April 19, 2018
https://www.bleepingcomputer.com/ne...takes-advantage-of-the-syrian-refugee-crisis/

A new ransomware called RansSIRIA has been discovered by MalwareHunterTeam that encrypts your files and then states it will donate your ransom payments to Syrian refugees. This ransomware is a variant of the WannaPeace ransomware and is targeting Brazilian victims.

According to MalwareHunterTeam, when executed, the ransomware will display a fake Word window that will take some time opening as it encrypts your files. When done encrypting your files, it will display the screen below, which contains a passionate plea to pay the ransom, which will be used to help Syrian refugees.

The ransomware will also open a variety of images that show how horrible war is and displays a very powerful YouTube video that shows what war does to a child. Wile I know this is an article about a ransomware, the video is well worth watching and the message is very powerful.
If you encounter this infection and your files become encrypted, I strongly advise that you do not make the payment and try to recover your files using other means. If we find a victim, we will also provide further analysis as to whether the files can be decrypted for free.
Click to expand...

guest · Apr 20, 2018

The Week in Ransomware - April 20th 2018 - Reveton Charges, GandCrab, and More
April 20, 2018
https://www.bleepingcomputer.com/ne...-20th-2018-reveton-charges-gandcrab-and-more/

This week was mostly small variants released, but we did have some interesting news. First we had a Microsoft engineer facing federal charges for involvement in the Reveton Ransomware, we then had a decryptor released for Vortex, the Magnitude exploit kit is now pushing GandCrab, and a ransomware is trying to make money off of Syrian Refugees.
[...]
Click to expand...

guest · Apr 26, 2018

Ransomware Hits HPE iLO Remote Management Interfaces
April 25, 2018
https://www.bleepingcomputer.com/news/security/ransomware-hits-hpe-ilo-remote-management-interfaces/

HPE iLO 4, otherwise known as HPE Integrated Lights-Out, is a management processor built into certain HP servers that allow administrators to remotely administer the device. Administrators can connect to the iLO using a web browser or mobile app, where they will be greeted with a login page as shown below.
The HPE iLO 4 Ransomware
Today security researcher M. Shahpasandi posted a screenshot of an HPE iLO 4 login screen that contained a "Security Notice" stating that the computer's hard drives were encrypted and that the owners would have to pay a ransom to get the data back.

An interesting part of the ransom note is that the attackers state that the ransom price is not negotiable unless the victim's are from Russia. This is common for Russian based attackers, who in many cases tries to avoid infecting Russian victims.
HPE iLO 4 should never be connected directly to the Internet
Exposing a remote administration tool like iLO 4 to the Internet is never a good thing to do. These tools should only be accessible via secure VPNs in order to prevent them from being scanned for and accessed by anyone on the Internet.
Finding connected iLO interfaces is also trivial. A quick search on Shodan shows that over 5,000 iLO 4 devices are connected to the Internet, with many of them being known vulnerable versions.
Click to expand...

guest · Apr 26, 2018

New C# Ransomware Compiles itself at Runtime
April 26, 2018
https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/

A new in-development ransomware was discovered that has an interesting characteristic. Instead of the distributed executable performing the ransomware functionality, the executables compiles an embedded encrypted C# program at runtime and launches it directly into memory.

Discovered by MalwareHunterTeam, this ransomware contains an encrypted string that is embedded into the dropper as shown below.

As for the ransomware itself, other than it saving the decryption key and IV to a file on the desktop, it is fully functional. Therefore, it wouldn't be surprising to see the ransomware being distributed at some point.
While this ransomware is still in development, it does use an interesting feature that we have not seen in ransomware before. This goes to show how attackers continue to try and think up new ways to bypass security programs that protect your computer.
Click to expand...

itman · Apr 27, 2018

mood said: ↑

New C# Ransomware Compiles itself at Runtime
Click to expand...

This is a variant of MISL/Kryptik. VT detection is 54/64.

guest · Apr 27, 2018

KCW Ransomware Encrypting Web Sites in Pakistan
April 27, 2018
https://www.bleepingcomputer.com/news/security/kcw-ransomware-encrypting-web-sites-in-pakistan/

Team Kerala Cyber Warriors, a hacking group based out of India, have begun to install ransomware on web sites based out of Pakistan. This ransomware, called KCW Ransomware, encrypts the files on a web site and then demands a ransom payment in order to get the files back.

The attack will also leave behind a file name kcwdecrypt.php, which when opened displays a ransom note that claims to have been left by an Anonymous group named the Team Kerala Cyber Warriors.

It is not currently known if there is a particular platform being targeted or how the attackers are gaining access to the sites. Furthermore, it is not known if the group is actually decrypting files if a victim pays the ransom.
Attacks motivated by injustice or politics
The attacks being performed by Team Kerala Cyber Warriors, the Indian hacking group behind the KCW Ransomware, appear to be politically motivated. Based on the posts to their Facebook page, these attacks are being performed due to government injustice and corruption and against sites located in Pakistan.
Click to expand...

guest · Apr 27, 2018

The Week in Ransomware - April 27th 2018 - iLO, KCW, and VevoLocker
April 27, 2018
https://www.bleepingcomputer.com/ne...mware-april-27th-2018-ilo-kcw-and-vevolocker/

This was an interesting week for ransomware with various government servers being infected with VevoLocker, a new ransomware attack again HP iLO remote management interfaces, and the KCW Ransomware targeting web sites in Pakistan.

Otherwise, it was a mix of new variants of existing ransomware infections or new in-dev ransomware that were released.
[...]
Click to expand...

Minimalist · Apr 28, 2018

SamSam Ransomware Evolves Its Tactics Towards Targeting Whole Companies

Ransomware has lately lost its status as the queen of the cybercrime prom, but a new iteration of the nefarious SamSam extortion code shows that it can still make a bid to be sparkly and attention-getting.

The latest version of SamSam has taken the malware road less traveled, ditching widespread spam campaigns for unusually targeted, whole-company attacks. According to an analysis by Sophos, in a reversal of previous tactics, SamSam operators are now launching thousands of copies of the ransomware at once into individual organizations, each of which has been carefully selected.
Click to expand...

https://threatpost.com/samsam-ransomware-evolves-its-tactics-towards-targeting-whole-companies

guest · May 4, 2018

Are Bad Guys Swapping TeamViewer For AnyDesk to install Blackheart Ransomware?
May 3, 2018
https://blog.knowbe4.com/are-bad-gu...-for-anydesk-to-install-blackheart-ransomware

According to Trend Micro researchers a new ransomware strain called Blackheart drops its payload alongside the perfectly legitimate AnyDesk remote desktop tool, highly likely as a way to evade detection.

Trend Micro researchers are guessing that cyber offenders are likely testing with AnyDesk as an alternative to TeamViewer, a similar tool that has previously been abused by ransomware.

In this instance, however, RANSOM_BLACKHEART bundles both the legitimate program and the malware together instead of using AnyDesk for propagation.

Trend Micro researchers speculate that cyber offenders may be experimenting with AnyDesk as an alternative to TeamViewer, a similar tool that has previously been abused by ransomware -- although in that case, it was confirmed that TeamViewer connections were actually used to install the malicious code.
Trend Micro reports that AnyDesk "has acknowledged the existence of the ransomware, and has stated that they will be discussing possible steps they can take."
Click to expand...

Minimalist · May 8, 2018

Despite Last Year’s Surge, Ransomware Attacks on the Decline in 2018

Although major, widespread campaigns such as WannaCry drove a 415 percent increase in ransomware attacks last year, recent research revealed that the threat vector is fading in 2018.

F-Secure’s “The Changing State of Ransomware” report found that the lack of big paydays for even the most headline-worthy campaigns has led to a gradual decline in these types of attacks. Users recognize that even paying up doesn’t guarantee the safe return of data.
Click to expand...

https://securityintelligence.com/ne...news-in-2017-drives-415-percent-attack-boost/

Log in or Sign up

Ransomware and Recent Variants

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

stapp Global Moderator

ronjor Global Moderator

ronjor Global Moderator

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

itman Registered Member

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

Minimalist Registered Member

Log in or Sign up

Ransomware and Recent Variants

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

stapp Global Moderator

ronjor Global Moderator

ronjor Global Moderator

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

itman Registered Member

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

Minimalist Registered Member

Useful Searches