Search the Community
Showing results for tags 'variant'.
Found 2 results
Gamers may soon be feeling the pain of crypto-ransomware. A variant of CryptoLocker is in the wild that goes after data files associated with 20 different online games, locking downloadable content in an attempt to target younger computer users. Researchers at Bromium today said an unnamed compromised website is serving the malware. Victims are redirected by a Flash exploit to a site hosting the Angler exploit kit, and Angler drops the CryptoLocker variant. “The website is based on WordPress and could have been compromised by any one of the numerous WP exploits,” wrote Vadim Kotov in an advisory for Bromium. “Additionally, the URL where the malicious Flash file is hosted keeps changing.” Kotov said the attackers forgo typical iframe redirects and instead use a Flash file wrapped in an invisible div tag, likely in an attempt to evade detection. The malware proceeds through a number of checks for the presence of virtual machines or antivirus before dropping a Flash exploit for CVE-2015-0311 or an Internet Explorer exploit CVE-2013-2551. The malware behaves like a typical CryptoLocker infection, presenting the victim with a banner explaining that files have been encrypted, and a ransom must be paid with Bitcoin in order for a decryption key to be sent to the victim. There are also instructions to make payments over Tor if the decryption site is not working. More than 50 file extensions associated with video games are targeted by this variant, in addition to images, documents, iTunes files and more. A number of popular single-player games including Call of Duty, Minecraft, Half Life 2, Elder Scrolls, Skyrim, Assassin’s Creed and others are affected, as are online games such as World of Warcraft, Day Z and League of Legends, as well as a number of EA Sports, Valve and Bethesda games. Steam gaming software is also in the crosshairs, Bromium said. “Encrypting all these games demonstrates the evolution of crypto-ransomware as cybercriminal target new niches. Many young adults may not have any crucial documents or source code on their machine (even photographs are usually stored at Tumblr or Facebook), but surely most of them have a Steam account with a few games and an iTunes account full of music,” Kotov wrote. “Non gamers are also likely to be frustrated by these attacks if they lose their their personal data.” Some of the files the variant goes after are often impossible to restore; those include user profile data, saved games, in-game maps and mods, Kotov wrote. The Bromium advisory goes into more detail about command and control communication and encryption mechanisms. The experts advise gamers to back up their files on an external hard drive that is not connected to the Internet. “As more file categories are infected, a broader audience is affected,” Kotov said. “The attackers are also getting better at incorporating BitCoin code directly into their projects, which isn’t a good sign.” Source
The blog post of today is a bit different than usual, as you can read the full post on the Panda Security blog. Read it here: Yet another ransomware variant In this post I'm simply adding some additional information and repeating the most important points. So, there's yet another ransomware variant on the loose. You may call this one Chuingam (chewing gum?) ransomware or Xwin ransomware - pointing to respectively the file with this string 'Chuingam' dropped, or in the latter case the folder on C:\ it creates. Or just another (skiddie) Generic Ransomware. In the blog post above, I discuss the methodology to encrypt files it uses and how it creates your own personal key, as well as the ransom message and how to recover files (if you're lucky & fast enough). pgp.exe (PGP) is used to generate the public RSA key. Since pgp.exe requires the RAR password, this is temporarily stored in the file "filepas.tmp" - which is overwritten and deleted, so no chance to recover this file. As a note; it will (try to) encrypt any and all files with the following extensions: jpg, jpeg, doc, txt, pdf, tif, dbf, eps, psd, cdr, tst, MBD, xml, xls, dwg, mdf, mdb, zip, rar, cdx, docx, wps, rtf, 1CD, 4db, 4dd, adp, ADP, xld, wdb, str, pdm, itdb, pst, ptx, dxg, ppt, pptx If you've been infected with this ransomware, best thing to do is to either restore from a backup or try to restore previous files (also known as shadow copies). For additional information in regards to this specific ransomware, refer to: Yet another ransomware variant For any further background information on ransomware or further prevention & disinfection advice, I refer to my Q&A on ransomware. IOCs Hashes (SHA1) 88039ecb68749ea7d713e4cf9950ffb2947f7683 7e1dd704684f01530307f81bbdc15fe266ffd8db Domains/IPs corplawersp.com 18.104.22.168 Source