Ransomware

For those who torrent, be careful. If you torrent on a Mac, be very careful. For the second time, ransomware has been designed for the Mac OS. In this case, “Patcher”, or Filecoder OSX, is poor-quality, shoddy code, to the extent that if the victim pays the ransom, they don’t get their files back because that code doesn’t work. It’s getting dropped via fake Adobe Premiere Pro and Microsoft Office for Mac. https://www.helpnetsecurity.com/2017/02/23/macos-ransomware-filecoder/

Second, if Google is telling you “Hoefler Text not found”, don’t think you need to install that font. It’s a ploy on certain compromised websites to drop Spora ransomware. And very few AV or anti-malware programs can detect this one.

But if you play it safe and do as Google says, click Discard and don’t download. You’ll avoid ransomware. http://www.scoop.it/t/geopolitical-intelligence/p/4075736266/2017/02/23/fake-chrome-font-pack-update-alerts-infecting-visitors-with-spora-ransomware-via-bleepincomputer1?utm_medium=social&utm_source=twitter

SOS! TOOLS TO HELP: No More Ransom was set up to help anyone in need. They may have the decryption tool you are looking for. Check the site. Right now they offer decryptors for Crysis, MarsJoke/Polyglot, Wildfire, Chimera, CoinVault, TeslaCrypt, Shade, Rannoh and Rakhni.
http://www.nomoreransome.org/

Locky Ransomware – Awaken the Kraken? (January 23, 2017): 2016 started with a ransomware bang and ended with a botnet boom. The pairing of ransomware and botnets should make anyone nervous. And the minds at Cisco are warning that we should expect a massive spam campaign with a return of the near-dormant Locky ransomware. Locky was spread via the Necurs botnet, which had 500K devices under its control to deliver spam containing the unbreakable Locky payload. Researchers are seeing a subtle increase in attacks via Necurs and Locky this month. It is possible attackers are exercising caution rather than risk getting caught. I say batten down those hatches. http://www.theregister.co.uk/2017/01/20/locky_ransomware_horrorshow_returns/

Satan Ransomware as a Service (January 20, 2017): This marks a continuing trend in the ongoing evolution of ransomware. Given how lucrative it is, and the increasing range of attack avenues, simplifying this as an attack was a natural next step. Would-be attackers can find Satan ransomware as a service on the dark web. For 30% of the take, those who sign up can profit from the work of those who went before them to craft the code and then make it available with customizable options for amount, delivery, etc. Unfortunately, this ransomware does not have any decryptors currently available, so unless your files are backed up, consider them gone or pay the price (but not literally please). http://www.zdnet.com/article/satan-ransomware-as-a-service-starts-trading-in-the-dark-web/

RIG Exploit Kit delivering Cerber Ransomware (January 18, 2017): Exploit kits keep evolving along with the nasty packages they deliver. In this case, RIG has been updated to carry a payload of Cerber ransomware. Per Heimdal Security, there has been a spike in attacks using this exploit kit. They also noted the Neutrino exploit kit was as popular as ever. Advice: keep patches and updates current, since the vulnerabilities are exploited in outdated versions. The current tactic is using drive-by attacks via malicious domains. Malicious scripts are injected into insecure systems, like Flash, Silverlight, IE, and Edge. http://www.cyberdefensemagazine.com/new-campaign-leverages-rig-exploit-kit-to-deliver-the-cerber-ransomware/?platform=hootsuite

When Ransomware Takes A Holiday (January 16, 2017): An interesting trend is being observed with regard to certain groups of malware and ransomware. Case in point is Locky. The virulent strain took a couple of noted breaks, or “went quiet”, last year, in June and in October. Over the last three weeks, attacks have almost stopped. Now, ransomware has made an interesting pivot into attacking Mongo databases. This could likely be the lull before that storm, as a new exploit kit is being developed to deliver the lucrative payload cybercriminals are literally banking on.

POWER TOOL!  Ransomware Chronology by David Balaban
“This is a comprehensive report on ransomware-related events covering a time frame of May – December 2016. The incidents herein are visually broken down into categories, including new ransomware, updates of existing strains, decryptors released, and other noteworthy news.”
http://privacy-pc.com/articles/ransomware-chronicle.html

Dec 30 Killdisk Wiper Malware evolves into Ransomware
Knew this was coming. Because really, how do you make a bad thing even worse? And this is what a pivot in evolution looks like. Expect more and expect worse. Shields up and brace for impact. We’re not ready.
https://www.tripwire.com/state-of-security/latest-security-news/killdisk-wiper-malware-evolves-ransomware/

Oct 8 TeamXRat Spreads Ransomware Via RDP Brute-Force Attacks
Kaspersky researchers have found a new ransomware variant being spread in Brazil (remember an earlier post about how we need to watch that as a key source for banking malware). The criminals use stolen or weak remote desktop credentials to access systems and deliver ransomware. Using RDP or remote desktop access isn’t new. In 2015 LowLevel04 was spread via RDP. This newest variant in Brazil, Trojan-Ransom.Win32.Xpan, has targeted hospitals and businesses. Brute forcing remote desktop servers directly connected to the internet is not hard for the criminals to do, and they exploit existing vulnerabilities MS15-067 and MS15-030 in the RDP protocol. Use RDP with caution.
http://securityaffairs.co/wordpress/51840/cyber-crime/teamxrat-rdp-ransomware.html
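
A defender-side sketch of spotting this brute-force pattern in logon events, added here as an example and not taken from the Kaspersky research or the linked article. It assumes simplified, constructed records of Windows Security events 4625 (failed logon) and 4624 (successful logon); the `find_bruteforce` name, the record layout, the threshold and the window are illustrative choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: time,event_id,logon_type,source_ip,account.
# 4625 = failed logon, 4624 = successful logon. Logon type 10 is
# RemoteInteractive (RDP); type 3 (Network) is what failed RDP logons
# usually show up as when NLA is on. IPs are documentation ranges.
SAMPLE = """\
2016-10-08T02:00:01,4625,3,203.0.113.7,administrator
2016-10-08T02:00:03,4625,3,203.0.113.7,admin
2016-10-08T02:00:05,4625,3,203.0.113.7,backup
2016-10-08T02:00:07,4625,10,203.0.113.7,admin
2016-10-08T02:00:09,4625,3,203.0.113.7,admin
2016-10-08T02:00:11,4625,3,203.0.113.7,admin
2016-10-08T02:00:14,4624,10,203.0.113.7,admin
2016-10-08T08:30:00,4625,10,198.51.100.20,jsmith
2016-10-08T08:30:20,4625,10,198.51.100.20,jsmith
2016-10-08T08:30:45,4624,10,198.51.100.20,jsmith
2016-10-08T09:00:00,4625,2,-,jsmith
"""
RDP_TYPES = {"3", "10"}

def parse(text):
    """Yield (time, event_id, ip, account) for remote logon records only."""
    for line in text.strip().splitlines():
        ts, eid, ltype, ip, user = line.split(",")
        if ltype in RDP_TYPES:
            yield datetime.fromisoformat(ts), int(eid), ip, user

def find_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failures inside the window, and
    record any successful logon that follows while failures are still recent."""
    fails = defaultdict(list)   # ip -> [(time, account)] of recent failures
    alerts = {}
    for ts, eid, ip, user in sorted(parse(text)):
        recent = [(t, u) for t, u in fails[ip] if ts - t <= window]
        if eid == 4625:
            recent.append((ts, user))
            fails[ip] = recent
            if len(recent) >= threshold:
                a = alerts.setdefault(
                    ip, {"failures": 0, "accounts": set(), "success_after": []})
                a["failures"] = max(a["failures"], len(recent))
                a["accounts"].update(u for _, u in recent)
        elif eid == 4624 and ip in alerts and recent:
            # A success right after a failure burst means a guess likely worked.
            alerts[ip]["success_after"].append(user)
    return alerts

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE).items():
        print(ip, info)
```

A non-empty `success_after` list is the case to escalate first: the account named there should be treated as compromised, not just targeted.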

Ransoc Ransomware: This new variant doesn’t lock down your files, but rather opens your personal details up. It targets Windows computers via a browser locker being distributed through malvertising. It scrapes Skype and social media profiles from Facebook, LinkedIn, etc. for personal items; it also looks for torrent files and other content that could be dubious. The malware uses this to point to “illegal” activity and posts a ransom note on the user’s screen. The threat performs an IP check and sends all traffic through Tor. Warning: If you have downloaded media files through Tor, expect to get ransomed. http://www.securityweek.com/ransoc-ransomware-blackmails-victims

CrySis Ransomware Decryption Keys released to public: A little good news. Kaspersky Lab confirmed that master decryption keys for this ransomware family have been released, giving some folks hope of getting their files back. According to Lawrence Abrams of Bleeping Computer, “it could have been the ransomware developer who posted the key on the site’s CrySis support forum page; the post included a Pastebin link to a header file written in C that contains the master decryption keys and instructions on how to use them.”
https://threatpost.com/crysis-ransomware-master-decryption-keys-released/121942/

W