Ransomware Can Infect Android Devices Without Any User Interaction http://news.softpedia.com/news/rans...ces-without-any-user-interaction-503394.shtml
New Decryptor Unlocks CryptXXX Ransomware https://threatpost.com/new-decryptor-unlocks-cryptxxx-ransomware
Researchers Find Three New Ransomware Strains: CryptFlle2, BrLock and MM Locker http://news.softpedia.com/news/rese...-cryptflle2-brlock-and-mm-locker-503515.shtml
Regsvr32 can be used to install Ransomware through Jscript Installers http://www.bleepingcomputer.com/new...nstall-ransomware-through-jscript-installers/ Of interest is Larry's mitigation recommendation is the same one I previously recommended for the AppLocker bypass in the "now locked Classical HIPS thread."
Would disabling script host also prevent scripts from running? https://technet.microsoft.com/en-us/library/ee198684.aspx
A Chinese researcher has published a detailed analysis of the COM elements along with an improved technique for implementing the backdoor component here: http://en.wooyun.io/2016/04/23/Use_SCT_to_Bypass_Application_Whitelisting_Protection.html . The script execution on the local machine is only used to register the COM components. Thereafter it is COM that is running the scripts from the remote machine: 1. In Extensible Markup Language (XML) files, a COM object ended with sct can be created through scripting languages (VBScript or JScript) scrobj.dll: 2. It is used to send the COM request to Script Component. Execute the Regsvr32 command to register COM components: Execute this with administrator permission: regsvr32 /i:"Component.sct" scrobj.dll 3. Use vbs to call the registered COM components TestVB.vbs: Dim ref Set ref = CreateObject("Component.InsideCOM") MsgBox ref.Sum(4, 6) 4、Complementary As aforementioned, VBS can be used to call the recently registered COM component "Component.InsideCOM", which can also be implemented through Jscript. (1) the Jscript implementation ComponentJS.sct:(https://github.com/subTee/SCTPersistence/blob/master/ComponentJS.sct) TestJS.js var ref = new ActiveXObject("Component.InsideCOMJS"); var x = ref.Sum(4,6); WScript.Echo(x);
OK, from that I still don't know if disabled script hosts would break technique. It's nice to see that outbound firewall control could stop the attack.
I also believe that a true malware version employing this technique would be using a "disguised" version of regsvr32.exe. So use of a firewall that monitors all new outbound connections is essential.
Locky Ransomware Spreads via Flash and Windows Kernel Exploits http://blog.trendmicro.com/trendlab...omware-spreads-flash-windows-kernel-exploits/
TrueCrypter Ransomware Dev Leaves Flaw in Code That Lets Victims Decrypt Files http://news.softpedia.com/news/true...-that-lets-victims-decrypt-files-503537.shtml
Decrypter for Alpha Ransomware Lets Victims Recover Files for Free http://news.softpedia.com/news/decr...s-victims-recover-files-for-free-503581.shtml
Can Ransomware encrypt unallocated space (eg: RAW with no file structure)? One example would be... HDD - 100mb System Reserved - 1 gb RAW unallocated - C drive - 1 gb RAW unallocated - D drive What I am essentially asking is, does a file system structure need to be present before Ransomware can encrypt, or is it impartial and just sees a hard drive?
New CryptMix Ransomware Promises to Give Money to a Children's Charity http://news.softpedia.com/news/new-...ve-money-to-a-children-s-charity-503688.shtml
On The Monetization Of Crypto-Ransomware https://labsblog.f-secure.com/2016/05/06/on-the-monetization-of-crypto-ransomware/
Criminals peddling affordable Alphalocker ransomware https://threatpost.com/criminals-peddling-affordable-alphalocker-ransomware
Ransomeware for the hacker and wan-a-bee masses. I can just see my spam e-mail quadrupling in size .................
Yep, today at work I got few of them (don't know if it was Alpha... or some other variant). Didn't get them for past few weeks so it looks like my spammers switched from usual spam mail to ransomware
Also Alphalocker has already been cracked so the wan-a-bees should have spent that $65 on Powerball tickets. http://news.softpedia.com/news/alph...fessional-ransomware-kit-to-date-503776.shtml
I hope that this is an appropriate thread to share this. Root Access Podcast - Episode 3 - Ransomware Link: https://rootaccesspodcast.com/#ep-3-ransomware Hosted by Josh Pyorre of OpenDNS / Cisco. It's been a pretty decent podcast thus far and they link to related material with each episode for further details.
I too hope that this is the appropriate thread for this. This is probably mostly of interest for Dutch users. KPN spam results in CTB-Locker infection https://blog.malwarebytes.org/cybercrime/2016/05/kpn-spam-results-in-ctb-locker-infection/ Dutch site Security.nl : Nepmail KPN bevat CTB-Locker-ransomware https://www.security.nl/posting/470264/Nepmail KPN bevat CTB-Locker-ransomware PS: KPN is a big Dutch telecom company. Thanks Pieter!
CryptXXX Is Now Undecryptable, Prevents Users from Accessing Their PC http://news.softpedia.com/news/cryp...ts-users-from-accessing-their-pc-503884.shtml
