Ransomware and Recent Variants

Discussion in 'malware problems & news' started by ronjor, Mar 31, 2016.

  1. Minimalist

    Minimalist Registered Member

  2. Minimalist

    Minimalist Registered Member

    http://securityaffairs.co/wordpress/62191/malware/synccrypt-ransomware.html
     
  3. itman

    itman Registered Member

    http://blog.trendmicro.com/trendlab...miner-uses-wmi-eternalblue-spread-filelessly/
     
  4. Minimalist

    Minimalist Registered Member

  5. Minimalist

    Minimalist Registered Member

    https://threatpost.com/defray-ransomware-seen-targeting-education-healthcare-industry
     
  6. Calin Ghibu

    Calin Ghibu Registered Member

  7. itman

    itman Registered Member

    Bit Paymer Ransomware Hits Scottish Hospitals
    https://www.bleepingcomputer.com/news/security/bit-paymer-ransomware-hits-scottish-hospitals/

    Another article: https://www.infosecurity-magazine.com/news/nhs-lanarkshire-cancels-ops/
     
    Last edited: Aug 29, 2017
  8. itman

    itman Registered Member

    New Nuclear BTCWare Ransomware Released
    https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released/
     
  9. Minimalist

    Minimalist Registered Member

    https://www.forbes.com/sites/leemat...ttack-unleashes-23-million-emails-in-24-hours
     
  10. itman

    itman Registered Member

    Note: This is a different attack from the above noted Locky ransomware one.
    https://www.infosecurity-magazine.com/news/crypto-ransomware-targets-20/
     
  11. itman

    itman Registered Member

    https://threatpost.com/us-government-site-removes-link-to-cerber-ransomware-downloader/127767/
     
  12. itman

    itman Registered Member

    Massive Wave of MongoDB Ransom Attacks Makes 26,000 New Victims
    https://www.bleepingcomputer.com/ne...godb-ransom-attacks-makes-26-000-new-victims/
     
  13. hawki

    hawki Registered Member

    "Ransomware hack targeting 2 million an hour

    A ransomware attack sweeping the globe right now is launching about 8,000 different versions of the virus script at Barracuda's customers, Eugene Weiss, lead platform architect at Barracuda, told Axios, and it's hitting at a steady rate of about 2 million attacks per hour...

    ...'What's remarkable about this one is just the sheer volume of it.'

    Automated hacking: "Nobody actually sat there and made 8,000 digital modifications," Weiss said. The way they do it is by using a kit that essentially automates code variations...

    The targets: Email addresses at businesses or institutional groups in the U.S. or Canada..."

    https://www.axios.com/ransomware-hack-targeting-2-million-an-hour-2487583502.html
     
  14. Trooper

    Trooper Registered Member

    Was just about to post this. Thanks @hawki
     
  15. itman

    itman Registered Member

    It's called "polymorphic" malware. A security product with good generic signature capability is capable of handling this.
     
  16. hawki

    hawki Registered Member

    "New malicious malware demands nude photographs instead of Bitcoin

    Security researchers have discovered a new ransomware dubbed nRansomware that encrypts a victim's files and demands nude photographs instead of Bitcoin in exchange for a decryption key. Ransomware is a particularly nasty type of malicious software used to extort money from victims..."

    http://www.ibtimes.co.uk/what-nrans...ands-nude-photographs-instead-bitcoin-1640394

     
  17. Minimalist

    Minimalist Registered Member

    I don't think that extortionists would be happy if they received my nude photos :)
     
  18. paulderdash

    paulderdash Registered Member

    +1 :D:eek::thumb:
     
  19. itman

    itman Registered Member

    This most likely is the attack Barracuda detected and referenced previously w/o any detail.

    Multiple Spam Waves Detected Pushing New Locky Ransomware Version

    https://www.bleepingcomputer.com/ne...etected-pushing-new-locky-ransomware-version/
     
  20. stapp

    stapp Global Moderator

  21. hawki

    hawki Registered Member

    "Ransomware or Wiper? RedBoot Encrypts Files but also Modifies Partition Table

    A new bootlocker ransomware was discovered by Malware Blocker called RedBoot that when executed will encrypt files on the computer, replace the MBR, or Master Boot Record, of the system drive and then modifies the partition table in some manner.

    As the ransomware does not provide a way to input a key to restore the MBR and partition table, unless the ransomware developer has a bootable decryptor this malware may be a wiper...

    ...in addition to the files being encrypted and the MBR being overwritten, preliminary analysis shows that this ransomware may also be modifying the partition table without providing a method to restore it.

    Is it a buggy ransomware or a wiper?

    While this ransomware does perform standard user mode encryption, the modifying of the partition table and no way of inputting a key to recover it, may indicate that this is a wiper disguised as a ransomware. Then again, since the developer used a scripting language like AutoIT to develop this ransomware, it could very well be just a buggy and poorly coded ransomware..."

    https://www.bleepingcomputer.com/ne...ypts-files-but-also-modifies-partition-table/
     
  22. hawki

    hawki Registered Member

    "nRansom Joke Locker Demands Nude Pics as Payment...

    This malware is clearly a joke with its use of a Thomas & Friends picture, a demand that states that they are going to sell your nudes on underground sites after you send them, and the looping of the Curb Your Enthusiasm TV show music. My guess is that this malware was created by someone to troll their friends with a silly little infection that is easily removed...

    This locker is very buggy, clearly not meant for distribution, and does not work correctly...

    The only way to terminate it is to manually minimize the screen and just end the nRansom.exe process..."

    https://www.bleepingcomputer.com/news/security/nransom-joke-locker-demands-nude-pics-as-payment-/
     
  23. itman

    itman Registered Member

    Kangaroo Ransomware uses unique technique to infect and cover tracks
    https://www.scmagazine.com/kangaroo...bfuscation-and-unique-tactics/article/697709/
     
  24. itman

    itman Registered Member

    FYI

    I am seeing a "rash" of DDoS attacks against corp servers directed at remote connections, primarily RDP ports, to deliver ransomware. Conventional routers and AV solutions cannot handle this type of attack. So even SMBs might want to look into:
    https://en.wikipedia.org/wiki/DDoS_mitigation
     
  25. Minimalist

    Minimalist Registered Member

    https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/
     