Search the Community

https://id-ransomware.malwarehunterteam.com/index.php

Petya ransomware victims can now unlock infected computers without paying. An unidentified programmer has produced a tool that exploits shortfalls in the way the malware encrypts a file that allows Windows to start up. In notes put on code-sharing site Github, he said he had produced the key generator to help his father-in-law unlock his Petya-encrypted computer. The malware, which started circulating in large numbers in March, demands a ransom of 0.9 bitcoins (£265). It hid itself in documents attached to emails purporting to come from people looking for work. Security researcher Lawrence Abrams, from the Bleeping Computer news site, said the key generator could unlock a Petya-encrypted computer in seven seconds. But the key generator requires victims to extract some information from specific memory locations on the infected drive. And Mr Abrams said: "Unfortunately, for many victims extracting this data is not an easy task." This would probably involve removing the drive and then connecting it up to another virus-free computer running Windows, he said. Another tool can then extract the data, which can be used on the website set up to help people unlock their computer. Independent security analyst Graham Cluley said there had been other occasions when ransomware makers had "bungled" their encryption system. Cryptolocker, Linux.encoder and one other ransomware variant were all rendered harmless when their scrambling schemes were reverse-engineered. "Of course," said Mr Cluley, "the best thing is to have safety secured backups rather than relying upon ransomware criminals goofing up." SOURCE

A security software firm has warned about a new strain of "ransomware" - while finding that even Russian hackers can be haggled down. Ransomware is software which locks you out of your files until a fee is paid to the criminals behind the attack. Checkpoint researcher Natalia Kolesova detailed information about Troldash, a newly-discovered strain. Once it infects a machine, Troldash provides an email address with which to contact the attackers. "While the most ransom-trojan attackers try to hide themselves and avoid any direct contact," Ms Kolesova explained, "Troldesh's creators provide their victims with an e-mail address. The attackers use this email correspondence to demand a ransom and dictate a payment method." Troldash was distributed via a spam email - and once downloaded, immediately set to work encrypting files before placing a text file of ransom instructions on the target's computer. Posing as a victim named Olga, the researcher contacted the scam artist, and received a reply with instructions to pay 250 euros to get the files back. Suspecting the reply was automated, Ms Kolesova pressed for a more human response, asking more details about how to transfer the money, and pleading with the hacker to not make them pay. Responding in Russian, the scammer offered to accept 12,000 roubles, a discount of around 15%. After Ms Kolesova pleaded further, the email response read: "The best I can do is bargain." Eventually the unknown man or woman was talked into accepting 7,000 roubles - 50% less than the first demand. "Perhaps if I had continued bargaining, I could have gotten an even bigger discount," Ms Kolesova concluded. Ransomware is a particularly vicious problem for many victims around the world. One strain, Cryptolocker, was said to have infected more than 250,000 computers worldwide. Another variant locked users out of their favourite games unless they paid a fee. The company did not pay the ransom - and recommended that up-to-date security software designed to protect against ransomware and other attacks was a better approach. Source

Meet ‘Tox': Ransomware for the Rest of Us ~ https://blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us https://www.virustotal.com/en/file/f1384ff19a870f5aa718486666a14e88873d79eaea5725e3a2097b2d9fd9a320/analysis/1432628218/ hxxp://toxicola7qwv37qj.onion/downloads/ransom_50.00_dol_df410f19157f591860e1633b85dfb50b.scr https://malwr.com/analysis/MWExODFmZjM5YjZlNDQ5ODkxYzBkOTk1ZmMzOTcyYzI/ ThreatExpert Report https://blockchain.info/en/address/1KKGLjfDpVtNXymtTkU3PiiCpkJ532cLko Download Pass: infected Source

Security researchers are warning PC users in Australia to beware of new Breaking Bad-themed ransomware demanding up to $1000 AUD ($796 USD) to decrypt essential computer files. The attacks typically arrive in the form of a malicious zip archive which takes the name of a famous delivery firm as its file name, according to Symantec. The AV giant continued in a blog post: “This zip archive contains a malicious file called ‘PENALTY.VBS’ (VBS.Downloader.Trojan) which when executed, downloads the crypto ransomware onto the victim’s computer. The threat also downloads and opens a legitimate .pdf file to trick users into thinking that the initial zip archive was not a malicious file. Based on our initial analysis, the threat appears to be using components or similar techniques to an open-source penetration-testing project, which uses Microsoft PowerShell modules. This allows the attackers to run their own PowerShell script on the compromised computer to operate the crypto ransomware.” The ransom demand message that flashes up to victims uses the Los Pollos Hermanos brand, as seen in Breaking Bad – demanding they pay $450 within a specified time or else the charge will rise to $1000. The email provided for “support-related enquiries” also references lead character Walter White’s description of himself in season four as “the one who knocks.” The victim’s images, videos, documents and other important files are encrypted using a random AES key which is in turn encrypted with an RSA public key. This requires them to obtain the corresponding private key from the attackers to effectively get their files back. Also included is a handy video tutorial on how to buy bitcoins – in order to help victims pay the ransom. Symantec said its customers were protected from Trojan.Cryptolocker.S and referred worried netizens to its dedicated blog on ransomware. Cyber-criminals are increasingly turning to ransomware as an easy way to make a fast buck – sometimes with tragic results. In January it was reported that a 17-year-old student from Windsor committed suicide after receiving messages that he’d visited illegal sites and that indecent images had been found on his computer. Source

On May 30, 2014, law enforcement officials from the FBI and Europol seized a series of servers that were being used to help operate the GameOver Zeus botnet, an especially pernicious and troublesome piece of malware. The authorities also began an international manhunt for a Russian man they said was connected to operating the botnet, but the most significant piece of the operation was a side effect: the disruption of the infrastructure used to distribute the CryptoLocker ransomware. The takedown was the result of months of investigation by law enforcement and security researchers, many of whom were collaborating as part of a working group that had come together to dig into CryptoLocker’s inner workings. The cadre of researchers included reverse engineers, mathematicians and botnet experts, and the group quickly discovered that the gang behind CryptoLocker, which emerged in 2013, knew what it was doing. Not only was the crew piggybacking on the GameOver Zeus infections to reach a broader audience, but it also was using a sophisticated domain-generation algorithm to generate fresh command-and-control domains quickly. That kept the CryptoLocker crew ahead of researchers and law enforcement for a time. “The interesting thing is all the opsec involved in this. The architecture thought out with this was really clear. The people working on this really sat down and architected and then engineered something,” said Lance James of Deloitte & Touche, who spoke about the takedown effort at Black Hat last year. “It took a lot more people on our side to hit it harder.” CryptoLocker has become the poster child for a new wave of threats that are designed to relieve victims of their money through the threat of losing all of their files. The malware, like its descendants Cryptowall, Critroni, Crowti and many others, encrypt the contents of victims’ PCs and demands a payment, usually in Bitcoin, in order to get the decryption key. Millions of victims have been hit by these threats in the last couple of years, but putting a number on infections and a dollar value on how much money the crews are making is difficult. However, with ransom payments ranging from less than $100 to as much as $300 or more, the criminals behind these ransomware families are building multimillion dollar businesses on the fear and desperation of their victims. Despite the sudden appearance of CryptoLocker and the other more recent kinds of ransomware, the concept itself is not new. As far back as the late 1980s, early versions of crypto ransomware were showing up and security researchers began looking at the problem by the mid-1990s. By the mid-2000s, more and more crypto ransomware variants were popping up, but it wasn’t until CryptoLocker reared its head in 2013 that the scope and potential damage of the threat came into sharp focus. Victims, researchers and law enforcement soon realized that the game had changed. “Just imagine the scale of how many people are being held for ransom with these threats. It’s mind-boggling,” said Anup Ghosh, CEO of security vendor Invincea, which has done research on ransomware threats. “It’s someone else’s problem until your own personal information gets encrypted and you can’t access your work data and photos. The personal pain is so much more dramatic than any other intrusion.” For all the attention that CryptoLocker and Cryptowall and the other variants have gotten from the media and security researchers, enterprises haven’t yet totally caught on to the severity of the threat. Much of the infection activity by crypto ransomware has targeted consumers thus far, as they’re more likely to pay the ransom to get their data back. But Ghosh said that’s likely to change soon. “It’s not even on their radar. It’s similar to banking Trojans in terms of what IT guys think of it,” Ghosh said. “They treat it as an individual problem and as a reason to slap people on the wrist. ‘Oh, you must have done something bad’.” Ransomware gangs use a variety of methods to infect new victims, including riding shotgun on other malware infections and through drive-by downloads. But perhaps the most common infection method is through spam messages carrying infected attachments. These often look like FedEx shipping notifications or fake invoices. When a user opens the attachment, the malware infects the machine and encrypts the files. But the crypto ransomware gangs don’t operate on their own. They have support systems, developers and other systems in place to help them create their malware and cash out the profits. “CryptoLocker and GameOver Zeus were often installed alongside each other, and now you see these groups improving from there and specializing,” said John Miller, manager, ThreatScape cyber crime, at iSIGHT Partners. “There’s so much momentum behind ransomware operations and the black markets that support it, we expect it to be a problem for the foreseeable future. There are people selling ransomware, customization services for countries and distribution services for getting it onto machines or phones.” How much money is involved? Millions and millions of dollars. In just the first six months of operation, the Cryptowall malware generated more than a million dollars in revenue for its creators, according to research from Dell SecureWorks. That’s one group using one variant of crypto ransomware. And there are dozens, if not hundreds, of other groups running similar operations. Where CryptoLocker innovated with the use of strong encryption and demand for Bitcoin as ransom, other groups have taken the concept and run with it. The Critroni, or CTB-Locker, ransomware not only accepts Bitcoin, but it also uses elliptic curve cryptography and employs the Tor network for command-and-control. The group behind Cryptowall also goes to some lengths to ensure that the ransomware is on the right kind of machine before it runs. “They went through a lot of work to hide the executable in encryption, to check if it’s running in a virtual machine, and the ability to exploit multiple environments,” said Cisco Talos security research engineer Earl Carter. “So much was put into Cryptowall 2.0. Someone went to a lot of work on the front end to avoid detection.” The piles of money and growing complaints from victims has begun to draw the attention of law enforcement, as evidenced by the GameOver Zeus-CryptoLocker takedown and actions against the Reveton ransomware operation. Researchers expect the level of law enforcement interest to grow, especially as ransomware infects more enterprises and the profits for attackers continue to grow. “Now that it’s become apparent how much damage ransomware is causing, law enforcement is paying attention,” Miller said. “It’s gotten their attention in a big way. It’s in their scope. But it hasn’t been targeted very much by takedown activity. A lot of the criminals operating this feel that because what they’re doing is stealing virtual currency from individuals it’s less likely to see law enforcement attention. “The biggest reason this environment will change is sustained law enforcement action.” Source

Another generic ransomware. Blog: Blaze's Security Blog: Yet another ransomware variant Attached: 88039ecb68749ea7d713e4cf9950ffb2947f7683 7e1dd704684f01530307f81bbdc15fe266ffd8db DOWNLOAD Source

The blog post of today is a bit different than usual, as you can read the full post on the Panda Security blog. Read it here: Yet another ransomware variant In this post I'm simply adding some additional information and repeating the most important points. So, there's yet another ransomware variant on the loose. You may call this one Chuingam (chewing gum?) ransomware or Xwin ransomware - pointing to respectively the file with this string 'Chuingam' dropped, or in the latter case the folder on C:\ it creates. Or just another (skiddie) Generic Ransomware. In the blog post above, I discuss the methodology to encrypt files it uses and how it creates your own personal key, as well as the ransom message and how to recover files (if you're lucky & fast enough). pgp.exe (PGP) is used to generate the public RSA key. Since pgp.exe requires the RAR password, this is temporarily stored in the file "filepas.tmp" - which is overwritten and deleted, so no chance to recover this file. As a note; it will (try to) encrypt any and all files with the following extensions: jpg, jpeg, doc, txt, pdf, tif, dbf, eps, psd, cdr, tst, MBD, xml, xls, dwg, mdf, mdb, zip, rar, cdx, docx, wps, rtf, 1CD, 4db, 4dd, adp, ADP, xld, wdb, str, pdm, itdb, pst, ptx, dxg, ppt, pptx If you've been infected with this ransomware, best thing to do is to either restore from a backup or try to restore previous files (also known as shadow copies). For additional information in regards to this specific ransomware, refer to: Yet another ransomware variant For any further background information on ransomware or further prevention & disinfection advice, I refer to my Q&A on ransomware. IOCs Hashes (SHA1) 88039ecb68749ea7d713e4cf9950ffb2947f7683 7e1dd704684f01530307f81bbdc15fe266ffd8db Domains/IPs corplawersp.com 5.63.154.90 Source