- Ransomware -

Last update 28.09.2017 14:37:07




NHS is still assessing the cost of WannaCry one year later
14.10.2018 securityaffairs
Ransomware

The UK’s Department of Health and Social Care provided an update on the efforts to secure the NHS IT infrastructure, with a focus on the overall cost of WannaCry.
The UK’s Department of Health and Social Care provided an update on the money spent to secure the IT infrastructure in a report titled “Securing cyber resilience in health and care”. One year after the massive WannaCry ransomware attack, the NHS is still facing problems caused by the infections.

NHS WannaCrypt ransomware

WannaCry cost the NHS £92m: the expense details show an item of £19m for lost output and an estimate of £73m in IT costs to fix affected assets.

According to the report, the attack directly impacted over 19,000 patients whose appointments were canceled due to the attack.

The estimate in the report considers the financial costs in two time periods:

during the attack, between 12 and 18 May 2017;
during the recovery period in the immediate aftermath, to June-July 2017.

The analysis focuses on two categories of cost:

Direct impact: lost output of patient care caused by reduced access to the information and systems required for care, leading to cancelled appointments etc.
Additional IT support provided by NHS organisations or IT consultants to restore data and systems affected by the attack.
“The WannaCry attack disrupted services across one-third of hospital trusts and around 8% of GP practices. This had a knock-on impact on patients with over 19,000 appointments cancelled.” reads the report.

“While this may only be a small proportion of overall NHS activity, it represents disruption to the care of a significant number of patients.”

The attack highlighted the inefficiency of the antiquated NHS IT systems; Microsoft was contracted to update the entire infrastructure under a three-year, £150m deal.

The report includes a case study on a “large NHS mental health trust” whose Advanced Threat Protection deployment allowed it to repel a phishing attack that used a weaponized Excel spreadsheet attachment.

IBM was also hired by the NHS to deliver the new Cyber Security Operations Centre (CSOC) aimed at increasing the capability to monitor, detect and respond to
a variety of security risks and threats across the organization.

NHS signed a three-year strategic partnership with IBM (£30m) to improve NHS Digital’s Cyber Security Operations Centre (CSOC).

The goal is compliance with the Cyber Essentials Plus standard by June 2021, as recommended in February’s lessons-learned report.

Currently, only 10 sites will “aim” to reach this goal next March.


Exaramel Malware Links Industroyer ICS malware and NotPetya wiper
12.10.2018 securityaffairs
Ransomware

ESET researchers have spotted a new strain of malware, tracked as Exaramel, that links the dreaded NotPetya wiper to the Industroyer ICS malware.
A few months ago, researchers from ESET discovered a new piece of malware that further demonstrates the existence of a link between Industroyer and the NotPetya wiper.

In June 2017, researchers at antivirus firm ESET discovered a new strain of malware, dubbed Industroyer, that was designed to target power grids.

Industroyer was involved in the December 2016 attack aimed at an electrical substation in Ukraine that caused significant power outages.

Industroyer is the fourth malware specifically designed to target ICS systems; the threats discovered before it by security experts are Stuxnet, BlackEnergy, and Havex.

Now experts have found a link between the 2016 Industroyer attack and the Russia-linked APT groups tracked as BlackEnergy, TeleBots, Sandworm, and Electrum.

“That said, we have observed and documented ties between the BlackEnergy attacks – not only those against the Ukrainian power grid but against various sectors and high-value targets – and a series of campaigns (mostly) against the Ukrainian financial sector by the TeleBots group.” reads the analysis published by ESET.

“In June 2017, when many large corporations worldwide were hit by the Diskcoder.C ransomware (aka Petya and NotPetya) – most probably as unintended collateral damage – we discovered that the outbreak started spreading from companies afflicted with a TeleBots backdoor, resulting from the compromise of the popular financial software M.E.Doc.”

Telebots Industroyer Exaramel

The NotPetya wiper was linked by experts to BlackEnergy and to the KillDisk malware that was used in the 2015 attack in Ukraine.

In April 2018, ESET discovered a new backdoor tracked as Exaramel that definitively links Industroyer to TeleBots.

Researchers noticed that the XML configuration data written by the Exaramel dropper into the Windows registry records the security solution in use on the compromised system, a behaviour similar to Industroyer’s.

“the attackers are grouping their targets based on the security solutions in use. Similar behavior can be found in the Industroyer toolset – specifically some of the Industroyer backdoors were also disguised as an AV-related service (deployed under the name avtask.exe) and used the same grouping.” continues the analysis.

Experts also found many similarities in the code used for the implementation of the commands in the Exaramel malware and a backdoor from the Industroyer toolset.

Both backdoors rely on a report file for storing the output of executed shell commands and launched processes.

The main difference between the backdoor from the Industroyer toolset and the Exaramel backdoor is that the latter uses XML format for communication and configuration instead of a custom binary format.

“Along with the Exaramel backdoor, Telebots group uses some of their old tools, including a password stealer (internally referred to as CredRaptor or PAI by the attackers) and a slightly-modified Mimikatz.” continues the analysis.

“The CredRaptor custom password-stealer tool, exclusively used by this group since 2016, has been slightly improved. Unlike previous versions, it collects saved passwords not only from browsers, but also from Outlook and many FTP clients.”

ESET observed only one attack based on Exaramel, which targeted an organization in Ukraine; the experts also discovered a Linux variant of the backdoor, tracked as Linux/Exaramel.A.

“The discovery of Exaramel shows that the TeleBots group is still active in 2018 and the attackers keep improving their tools and tactics.” concludes ESET.

“The strong code similarity between the Win32/Exaramel backdoor and the Industroyer main backdoor is the first publicly presented evidence linking Industroyer to TeleBots, and hence to NotPetya and BlackEnergy. While the possibility of false flags – or a coincidental code sharing by another threat actor – should always be kept in mind when attempting attribution, in this case we consider it unlikely.”


Canadian restaurant chain Recipe suffered a network outage, is it a ransomware attack?
4.10.2018 securityaffairs
Ransomware

The Canadian restaurant chain Recipe Unlimited, which operates over 20 restaurant brands, has suffered a major IT outage over the weekend in a “malware outbreak.”
The company operates nearly 1,400 restaurants under 19 different brands in Canada.

Recipe Unlimited has suffered a major malware-based attack that impacted several of its brands.

On Monday the company confirmed that malware is the root cause of a partial network outage at nine of its franchises, including Swiss Chalet, Harvey’s, East Side Mario’s, and Kelseys.

Recipe discovered the malware outbreak on September 28 and immediately started the incident response procedure. A number of systems have been taken offline, and all the locations infected by the ransomware were isolated from the Internet.

The affected locations continued to process card transactions manually.

The infections have caused the closure of a “small number” of restaurants for a “temporary period of time.”

“A limited number of Recipe Unlimited restaurants are currently experiencing a partial network outage. Only certain restaurants under the Swiss Chalet, Harvey’s, Milestones, Kelseys, Montana’s, Bier Markt, East Side Mario’s, The Landing Group of Restaurants and Prime Pubs brands have been impacted.” reads a statement published by the company.

“We learned of the malware outbreak on Friday, September 28 and immediately initiated steps to prevent any further spread and take appropriate precautionary measures. As a result, we have taken a number of our systems offline and suspended internet access to affected locations as a precaution. This caused some of our restaurants to experience some service delay related issues, including being unable to process credit and debit card transactions. However, all of those restaurants are able to manually process credit card charges. A smaller number of affected restaurants have decided to close for a temporary period of time to avoid inconvenience to guests due to service issues.”

According to CBC News, Recipe was the victim of a ransomware attack; the outlet also shared a copy of a ransom note provided by a worker at one of the affected restaurants.

“All of our computer systems crashed,” said a worker on shift at the time at an affected location. “The ransom note appeared under the file, ‘read me‘ in a WordPad format. We were all really in a state of shock.”

The hackers claim that they encrypted the files using “the strongest military algorithms”; at the time of writing there is no information on the amount of bitcoin demanded from the victims.

The amount requested by the crooks increases over time.

“The final price depends on how fast you write to us,” warns the ransom note. “Every day of delay will cost you additional +0.5 BTC.”

Recipe Unlimited denies it was the victim of a ransomware attack, stating that it conducts regular system backups to promptly mitigate such attacks.

“We maintain appropriate system and data security measures,” said spokesperson Maureen Hart in an email.

Canadian restaurant chain Recipe

According to Hart, the ransom note published online is a “generic” statement associated with a virus called Ryuk, and other copies of the note can be found via a Google search.

The ransom note is associated with Ryuk ransomware, a threat discovered by security experts at Check Point in August. At the time, the ransomware campaign, aimed at organizations around the world, was attributed to a North Korea-linked threat actor.

The campaign appears targeted and well planned: the crooks hit several enterprises and encrypted hundreds of PCs, storage systems and data centers in each infected company.


Z-LAB Report – Analyzing the GandCrab v5 ransomware
3.10.2018 securityaffairs
Ransomware

Experts at the Cybaze Z-Lab have analyzed the latest iteration of the infamous GandCrab ransomware, version 5.0.
Malware researchers at Cybaze ZLab analyzed the latest version of the infamous GandCrab ransomware, version 5.0. Most of the infections have been observed in central Europe, but experts found evidence that the malicious code doesn’t infect Russian users. GandCrab operates like a classic ransomware, it encrypts all user files and drops some ransom notes on the infected machine.

The ransomware appends a pseudo-random extension (5 characters long) that differs for each infection (examples include .txvpq, .rttmc and .mcbot).
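A per-infection random extension defeats static extension blocklists, but the pattern itself is detectable: many files renamed within seconds to the same unknown five-letter suffix. The following detection logic is an added example (not code from the Z-Lab report); the log format, the sample events and the allowlist of legitimate five-letter extensions are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-activity log (assumed format: "<ISO-8601 timestamp> RENAME <old path> -> <new path>").
SAMPLE_LOG = r"""
2018-10-03T09:14:01 RENAME C:\Users\alice\Documents\budget.xlsx -> C:\Users\alice\Documents\budget.xlsx.txvpq
2018-10-03T09:14:01 RENAME C:\Users\alice\Documents\notes.docx -> C:\Users\alice\Documents\notes.docx.txvpq
2018-10-03T09:14:02 RENAME C:\Users\alice\Documents\photo.jpg -> C:\Users\alice\Documents\photo.jpg.txvpq
2018-10-03T09:14:03 RENAME C:\Users\alice\Documents\thesis.pdf -> C:\Users\alice\Documents\thesis.pdf.txvpq
2018-10-03T09:14:05 RENAME C:\Users\alice\Music\track01.mp3 -> C:\Users\alice\Music\track01.mp3.txvpq
2018-10-03T09:14:08 RENAME C:\Users\alice\Desktop\todo.txt -> C:\Users\alice\Desktop\todo.txt.txvpq
2018-10-03T09:20:00 RENAME C:\Users\bob\Documents\a.doc -> C:\Users\bob\Documents\a.doc.rttmc
2018-10-03T09:20:01 RENAME C:\Users\bob\Documents\b.doc -> C:\Users\bob\Documents\b.doc.rttmc
2018-10-03T10:30:00 RENAME C:\Users\alice\Desktop\draft.txt -> C:\Users\alice\Desktop\final.txt
2018-10-03T10:31:00 RENAME C:\Users\alice\Desktop\settings -> C:\Users\alice\Desktop\settings.plist
"""

LINE_RE = re.compile(r"^(\S+) RENAME (.+?) -> (.+)$")
# New name = old name plus ".<five lowercase letters>" is the GandCrab v5 pattern described above.
APPENDED_EXT_RE = re.compile(r"^(?P<orig>.+)\.(?P<ext>[a-z]{5})$")
# Hypothetical allowlist of legitimate five-letter extensions; extend it for your own estate.
KNOWN_FIVE_LETTER = {"xhtml", "mhtml", "ipynb", "plist", "dylib"}


def parse_events(log_text):
    """Turn log lines into (timestamp, old_path, new_path) tuples, skipping anything unparseable."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def suspicious_extension(old_path, new_path):
    """Return the appended extension when new_path is old_path plus an unknown five-letter suffix, else None."""
    m = APPENDED_EXT_RE.match(new_path)
    if not m or m.group("orig") != old_path:
        return None
    ext = m.group("ext")
    return None if ext in KNOWN_FIVE_LETTER else ext


def detect_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Report every extension that was appended to at least `threshold` files inside one `window`."""
    by_ext = defaultdict(list)
    for ts, old, new in sorted(events):
        ext = suspicious_extension(old, new)
        if ext:
            by_ext[ext].append(ts)
    alerts = []
    for ext, stamps in by_ext.items():
        best, start = 0, 0
        for end, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"extension": ext, "count": best, "first_seen": stamps[0].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_events(SAMPLE_LOG)):
        print("ransomware-like rename burst:", alert)
```

With the sample data only the .txvpq burst fires: the two .rttmc renames stay below the threshold, the draft.txt rename keeps a known extension, and the .plist case is allowlisted. Tune `window` and `threshold` to the rename rate of normal activity on the monitored share before relying on it.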

The ransom note contains some information related to the infection: an ID (“fed0a66240f8743f”, in the image below), a “GANDCRAB KEY”, required to restore the original files, and some encrypted information about the infected system such as the username, the PC name, the domain, the operating system and the language.

GandCrab 5

Unlike GandCrab v4, this version is able to kill processes associated with some popular applications (e.g. Word, Excel, SQL Server) so that the code can encrypt the files held open by these applications.

GandCrab 5

The payment process is implemented through the hidden service associated with the Tor address hxxp://gandcrabmfe6mnef[.]onion, which is the same one used by previous versions of the malware.

Technical details, including IoCs and Yara Rules, are reported in the analysis shared by researchers at the ZLab.


Port of San Diego Hit by Ransomware
28.9.2018 securityweek
Ransomware

The Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) were called in by the Port of San Diego in California after some of the organization’s IT systems became infected with a piece of ransomware.

The Port of San Diego issued its first statement on the cybersecurity incident, which it described as “serious,” on September 26, one day after it started receiving reports of disruption to IT systems.

Port of San Diego hit by ransomware

In a follow-up statement released on September 27, the port clarified that some systems were compromised as a result of the attack and others were shut down as a precautionary measure. However, the organization pointed out that it was mainly an administrative issue that did not impact normal port operations.

“The Port remains open, public safety operations are ongoing, and ships and boats continue to access the Bay without impacts from the cybersecurity incident,” the port’s CEO Randa Coniglio stated. “The temporary impacts on service to the public are in the areas of park permits, public records requests, and business services.”

The Port of San Diego said it had received a ransom note that requested payment in bitcoin, but the amount was not disclosed and no other details have been provided.

“We will certainly see more incidents like this impacting entire organizations or even cities,” Ilia Kolochenko, CEO of web security firm High-Tech Bridge, said via email. “Lack of continuous monitoring and patch management is a widespread cause for vulnerable systems that can be easily hacked with a public exploit. Moreover, the situation is seriously exacerbated by industrial systems, some of which are still running Windows XP but are connected to production networks and the Internet. Some of these systems are so critical for business that nobody dares touch them. All this inevitably creates an explosive cocktail that may paralyze organizations and cities for weeks.”

The Port of Barcelona also reported being hit by a cyberattack this month, but it’s unclear if the incidents are related. The Spanish port has not shared any information about the type of attack, but also claimed that the incident only affected internal systems, with no impact on land or seaside operations.

The Port of Barcelona says it has “initiated the appropriate legal actions in retaliation to this serious attack.”

Port of Barcelona reports cyberattack

Experts have often warned about the cyber threats faced by the maritime industry and the vulnerabilities that expose organizations to attacks. However, while some scenarios are only theoretical, threat actors have been known to target shipping companies, including with ransomware.

Chinese shipping and logistics giant COSCO reported in July that a piece of ransomware had disrupted some of its systems in the United States.

Danish shipping giant A.P. Moller–Maersk was one of the many high profile victims of last year’s NotPetya campaign, which caused losses of hundreds of millions of dollars for several major companies. On the surface NotPetya behaved like a piece of ransomware, but it later turned out to be a wiper designed to cause significant damage.


New Virobot Ransomware and Botnet Emerges
24.9.2018 securityweek
Ransomware

A newly discovered piece of malware combines ransomware and botnet capabilities in a single package, Trend Micro security researchers reveal.

Dubbed Virobot, the threat not only encrypts files on infected machines, but it also ensnares the system into a spam botnet and leverages it to spread itself to other victims.

First discovered on September 17, 2018, Virobot checks compromised machines for the presence of specific registry keys to determine if the system should be encrypted.

The ransomware uses a cryptographic Random Number Generator to generate the encryption and decryption key, which is then sent along with machine-gathered data to the command and control (C&C) server via POST.

For encryption, the malware targets file types such as .txt, .docx, .xlsx, .pptx, .jpg, .png, .csv, .sql, .mdb, .php, .asp, .xml, .psd, .odt, and .html, among others.

Once the encryption process has been completed, the malware displays a ransom note and a ransom screen. The ransom note is written in French, but the malware is currently affecting users in the United States, Trend Micro reveals.

The malware’s server has been taken down, meaning that it can no longer encrypt files, as it requires communication with the C&C to do so.

Virobot, the security researchers discovered, also includes a keylogging feature. Logged key strokes from the infected machine are then sent to the C&C. Once connected to the server, the malware may also download files such as malware binaries, and execute them using PowerShell.

The botnet capabilities Virobot has been packed with include the use of an infected machine’s Microsoft Outlook to send spam emails to the user’s contact list. The malware sends either a copy of itself or a malicious payload downloaded from the C&C server.

“Individuals and enterprises should use a multi-layered approach to mitigate the risks brought by threats like ransomware,” Trend Micro said.


New Virobot malware combines ransomware and botnet capabilities
23.9.2018 securityaffairs
Ransomware

Security experts from Trend Micro discovered a new malware tracked as Virobot that combines ransomware and botnet capabilities.
Virobot encrypts files on infected machines and also implements spam botnet capabilities, which it leverages to target other systems.

Virobot was first spotted on September 17, 2018; the experts pointed out that it is not associated with any known ransomware family.

The analysis of the infection chain revealed that once Virobot is downloaded to a machine, it will check the presence of specific registry keys (machine GUID and product key) to determine if the files on the system should be encrypted.

It then uses a cryptographic random number generator to generate the encryption and decryption key, which it sends, along with data about the infected machine, to the command and control (C&C) server via a POST request.

The malicious code targets the most popular file types, including .txt, .docx, .xlsx, .pptx, .jpg, .png, .csv, .sql, .mdb, .php, .asp, .xml, .psd, .odt, and .html.

The experts highlighted a curiosity about the ransom note and ransom screen displayed by the malware: even though it is currently targeting users in the US, the ransom note is written in French.

Virobot

Virobot also implements a keylogging feature that sends the collected keystrokes to the C&C server, and it is able to download additional files from that server.

“Virobot also has a keylogging feature and connects back to its C&C server to send logged key strokes from an infected machine. Once connected to the C&C, it may download files – possibly another malware binary – and execute it using PowerShell.” reads the analysis published by Trend Micro.

The malware uses the infected machine’s Microsoft Outlook to implement the spam botnet capability and spread itself to the user’s contact list. Virobot sends the victim’s contacts either a copy of itself or a malicious file downloaded from its C&C server.

Virobot can encrypt files only after successfully connecting to the C&C server, but at the time of writing the command and control infrastructure had been taken down.

“Individuals and enterprises should use a multi-layered approach to mitigate the risks brought by threats like ransomware,” concludes Trend Micro.


New XBash malware combines features from ransomware, cryptocurrency miners, botnets, and worms
18.9.2018 securityaffairs
Ransomware  Virus

Palo Alto Network researchers discovered a new malware, tracked as XBash, that combines features from ransomware, cryptocurrency miners, botnets, and worms
Security researchers at Palo Alto Networks have discovered a new piece of malware, dubbed XBash, that targets both Linux and Microsoft Windows servers.

Xbash was developed in Python; the authors then converted it into self-contained Linux ELF executables with the legitimate PyInstaller tool for distribution.

The malicious code combines features from different families of malware such as ransomware, cryptocurrency miners, botnets, and worms.

“Xbash has ransomware and coinmining capabilities. It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya).” reads the analysis published by Palo Alto Networks.

“It also has capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organizations’ network (again, much like WannaCry or Petya/NotPetya).”

The malicious code was attributed to a well-known crime gang tracked as the Iron Group.

The Iron cybercrime group, active since at least 2016, is known for the Iron ransomware, but over the years it has built various strains of malware, including backdoors, cryptocurrency miners and ransomware, targeting both mobile and desktop systems.

“In April 2018, while monitoring public data feeds, we noticed an interesting and previously unknown backdoor using HackingTeam’s leaked RCS source code.” states the report published by Intezer.

“We discovered that this backdoor was developed by the Iron cybercrime group, the same group behind the Iron ransomware (rip-off Maktub ransomware recently discovered by Bart Parys), which we believe has been active for the past 18 months.”

Thousands of victims have been infected by malware used by the crime gang.

Now the experts from Palo Alto Networks discovered the new XBash malware strain that combines botnet, coinmining, ransomware, and self-propagation. The botnet and ransomware features are observed in infections of Linux systems, while a coinminer behavior was seen in infections of the Windows servers.

The Xbash authors have implemented scanning capabilities that the malware uses to search for vulnerable servers online. The malicious code looks for unpatched web applications vulnerable to a series of known exploits, or for services that can be brute-forced with a dictionary of default credentials.

“When Xbash finds a destination has Hadoop, Redis or ActiveMQ running, it will also attempt to exploit the service for self-propagation.” continues the report.

“Three known vulnerabilities are targeted:

Hadoop YARN ResourceManager unauthenticated command execution, which was first disclosed in October 2016 and has no CVE number assigned.
Redis arbitrary file write and remote command execution, which was first disclosed in October 2015 and has no CVE number assigned. This is shown below in Figure 6.
ActiveMQ arbitrary file write vulnerability, CVE-2016-3088.”

The malware can infect Windows systems only after the compromise of a vulnerable Redis server.

The scanner component also scans the Internet for servers that run services that have been left online exposed without a password or are using weak credentials. The scanners target web servers (HTTP), VNC, MariaDB, MySQL, PostgreSQL, Redis, MongoDB, Oracle DB, CouchDB, ElasticSearch, Memcached, FTP, Telnet, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, and Rsync.
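The common thread in the services listed above is exposure: a listener reachable from the Internet with no password, a default password, or administrative commands left enabled. The following audit script is an added example (not code from Palo Alto Networks) that checks a redis.conf for the handful of directives that decide this for Redis, the service Xbash abuses to reach Windows hosts. Both configuration fragments and the 16-character password floor are constructed for the demo.

```python
# Audit a redis.conf for settings that leave the instance exposed (added example; constructed configs).

WEAK_CONF = """
# Constructed: an instance reachable from anywhere, without authentication
bind 0.0.0.0
port 6379
protected-mode no
"""

HARDENED_CONF = """
# Constructed: loopback only, authenticated, dangerous commands hidden from clients
bind 127.0.0.1 ::1
port 6379
protected-mode yes
requirepass "replace-me-with-a-long-random-secret"
rename-command CONFIG ""
rename-command DEBUG ""
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::"}
MIN_PASSWORD_LEN = 16  # assumption for this demo; Redis verifies passwords very quickly, so short ones are brute-forceable


def parse_redis_conf(text):
    """Map each directive (lower-cased) to the list of values it was given; later lines win."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the audited weaknesses is present."""
    conf = parse_redis_conf(text)
    findings = []

    # No bind directive means Redis listens on every interface; wildcard addresses do the same.
    binds = conf.get("bind", [])
    if not binds or any(tok in WILDCARD_BINDS for value in binds for tok in value.split()):
        findings.append("bind: listens on all interfaces (no bind directive or wildcard address)")

    # protected-mode is the safety net that refuses remote clients when no bind/password is configured.
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")

    password = conf.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append("requirepass: not set, anyone who can reach the port has full access")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append("requirepass: password shorter than %d characters" % MIN_PASSWORD_LEN)

    # CONFIG is the command behind the arbitrary-file-write abuse mentioned in the report; hide it and DEBUG.
    renamed = {value.split()[0].upper() for value in conf.get("rename-command", []) if value}
    for cmd in ("CONFIG", "DEBUG"):
        if cmd not in renamed:
            findings.append("rename-command: %s still reachable by clients" % cmd)
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_redis_conf(text) or ["no findings"])
```

On Redis 6 and later, ACL rules are the preferred way to restrict CONFIG and DEBUG per user; the rename-command check above still applies to older deployments of the kind the scanner finds.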

Hackers attempt to monetize their efforts through coin-mining on Windows systems or with ransomware-based attacks on Linux servers running database services.

The Xbash ransomware component scans for and deletes MySQL, MongoDB and PostgreSQL databases, then drops a ransom note asking for a payment of 0.02 Bitcoin ($125) to recover them.

Xbash

Unfortunately, victims who pay will never recover their data, because the malware wipes the databases without backing them up.

“we have observed three different bitcoin wallet addresses hard-coded in the Xbash samples. Since May 2018, there are 48 incoming transactions to these wallets with total income of about 0.964 bitcoins (about US$6,000 at the time of this writing).” continues the analysis.

“the funds are being withdrawn, showing us that the attackers are actively collecting their ransom.”

Experts noticed in all versions of Xbash the presence of a Python class named “LanScan” intended for use against enterprise networks. The class collects local intranet information, generates a list of all IP addresses within the same subnet, and performs port scanning against all of them.

The code is not yet active in the malware; the crooks are likely still developing it.

Experts believe XBash will continue to evolve, for example by including the miner component for Linux servers as well.

Further information, including IoCs, is reported in the analysis published by the experts.


Ransomware Disrupts Flight Boards at U.K. Airport
18.9.2018 securityweek
Ransomware

Bristol Airport in the United Kingdom was hit recently by a ransomware incident that caused disruption to flight information display systems, forcing staff to resort to whiteboards and markers.

Bristol Airport, which according to Wikipedia is the ninth busiest airport in the UK by passenger traffic, informed travellers on Friday that it had been experiencing “technical problems” with its flight information screens.

No flights were impacted, but the airport had to use alternative ways to help customers keep track of flights, including announcements made over the public address system and using markers to write down flight information on whiteboards and pieces of paper.

Bristol Airport hit by ransomware

The flight information screens were restored in key locations in the terminal by Sunday morning local time.

Bristol Airport representatives said they did not believe it was a targeted attack. They noted that the flight information screens and other applications were taken offline as a precaution after the malware made its way onto some administrative systems.

The airport said it did not pay any ransom, and claimed that it took longer to bring systems back online due to its “cautious approach.” Representatives said the incident did not impact or put at risk any safety or security systems.

Ransomware causing disruptions at an airport is not unheard of. Last year, airports in Ukraine were hit in both the Bad Rabbit and NotPetya attacks, although NotPetya later turned out to be a wiper malware disguised as a piece of ransomware.


New Python-based Ransomware Poses as Locky
14.9.2018 securityweek
Ransomware

A ransomware family used in attacks in July and August was posing as the infamous Locky ransomware that was highly active in 2016, Trend Micro researchers have discovered.

Written in Python and dubbed PyLocky, the new malware is packaged with PyInstaller, a tool that turns Python applications into standalone executables.

What makes PyLocky stand out from the crowd compared to other Python malware is anti-machine learning capability. It also uses the open-source script-based Inno Setup Installer and can pose a real challenge to static analysis methods, the security researchers say.

Furthermore, PyLocky has seen a highly concentrated distribution, with several spam emails targeting European countries, particularly France. Initially low, the spam volume increased in time.

A spam run observed in early August targeted French businesses, leveraging social engineering in an attempt to lure potential victims into clicking a link that redirects them to a malicious URL to download a ZIP file containing PyLocky.

Once installed on a victim’s machine, the malware attempts to encrypt image, video, document, sound, program, game, database, and archive files, among others. Overall, it targets a list of over 150 file types for encryption.

The ransomware abuses Windows Management Instrumentation (WMI) to check the properties of the affected system. It also features anti-sandbox capabilities, sleeping for 999,999 seconds (around 11.5 days) if the affected system has a total visible memory size of less than 4GB.

The ransomware’s encryption routines are implemented using the PyCrypto library and leverage the 3DES (Triple DES) cipher. PyLocky iterates through each logical drive, generates a list of files, and then overwrites targeted files with an encrypted version.

After completing the encryption process, PyLocky drops a ransom note and also establishes communication with its command and control (C&C) server. The malware’s ransom notes are in English, French, Korean, and Italian, suggesting that its operators are aiming at broader campaigns.

“PyLocky’s evasion techniques and abuse of legitimate tools typically reserved to administrators further exemplify the significance of defence in depth. For instance, machine learning is a valuable cybersecurity tool in detecting unique malware, but it is not a silver bullet. With today’s threats, there are different vectors at the attackers’ disposal, which makes a multi-layered approach to security important,” Trend Micro concludes.


New PyLocky Ransomware stands out for anti-machine learning capability
13.9.2018 securityaffairs
Ransomware

Security experts from Trend Micro have spotted a new strain of ransomware involved in attacks in July and August, the malicious code was posing as the Locky ransomware.
Researchers at Trend Micro have detected a new ransomware family, dubbed PyLocky, that was used in attacks between July and August, the malware was posing as the Locky ransomware using its ransom note.

PyLocky is written in Python and it is packaged with the PyInstaller tool that is normally used to freeze Python programs into stand-alone executables.

PyLocky stands out for its anti-machine learning capability, it also leverages the open-source script-based Inno Setup Installer.

“In late July and throughout August, we observed waves of spam email delivering the PyLocky ransomware. Although it tries to pass off as Locky in its ransom note, PyLocky is unrelated to Locky.” reads the analysis published by Trend Micro.

“PyLocky is written in Python, a popular scripting language; and packaged with PyInstaller, a tool used to package Python-based programs as standalone executables.”

Experts warn of its ability to bypass static analysis methods due to the combined use of Inno Setup Installer and PyInstaller.

The PyLocky malware was distributed via spam emails most of which targeted European countries, particularly France.

Experts pointed out the spam campaign started low in volume, but the overall number of spam messages increased in time.

The infection chain starts with spam messages distributing PyLocky, luring recipients with socially engineered subjects. The emails include a link that redirects users to a malicious URL hosting the PyLocky components.

“The malicious URL leads to a ZIP file (Facture_23100.31.07.2018.zip) that contains a signed executable (Facture_23100.31.07.2018.exe). When successfully run, the Facture_23100.31.07.2018.exe will drop malware components — several C++ and Python libraries and the Python 2.7 Core dynamic-link library (DLL) — along with the main ransomware executable (lockyfud.exe, which was created via PyInstaller ) in C:\Users\{user}\AppData\Local\Temp\is-{random}.tmp.” states the report.

pylocky ransomware

Once it has infected a system, PyLocky attempts to encrypt image, video, document, sound, program, game, database, and archive files, among others.

“PyLocky is configured to encrypt a hardcoded list of file extensions, as shown in Figure 4. PyLocky also abuses Windows Management Instrumentation (WMI) to check the properties of the affected system. ” continues the report.

To avoid analysis tools, such as sandboxes, the maòicious code sleeps for 999,999 seconds, roughly around 11.5 days, if the total visible memory of the infected system is less than 4GB.

The encryption routines are implemented using the PyCrypto library and leverage the 3DES (Triple DES) cipher. PyLocky enumerates the logical drives of the host, generates a list of files, and then overwrites each file in the list with an encrypted version.

At the end of the process, the ransomware drops a ransom note that could be in English, French, Korean, or Italian, a circumstance that suggests possible targets of the operators behind the threat.

PyLocky also sends to the command and control (C&C) server information about the infected system.

“PyLocky’s evasion techniques and abuse of legitimate tools typically reserved to administrators further exemplify the significance of defence in depth. For instance, machine learning is a valuable cybersecurity tool in detecting unique malware, but it is not a silver bullet. With today’s threats, there are different vectors at the attackers’ disposal, which makes a multi-layered approach to security important,” Trend Micro concludes.


CryptoNar Ransomware Discovered and Quickly Decrypted
2.9.2018 BleepingComputer.com
Ransomware

This week a new CryptoJoker ransomware variant called CryptoNar was discovered that has infected victims. The good news is that a free decryptor was quickly released so that these victims can get their files back for free.

This ransomware was first discovered by MalwareHunterTeam and at first glance it looks like a ransomware with little to no distribution. While I would normally not write about ransomware like these, it was later learned that this ransomware had encrypted close to 100 victims.

Travis Green (@travisbgreen), replying to @malwrhunterteam and @demonslay335, 7:55 PM - Aug 28, 2018: “Looks like 91 infections starting Aug 21st.”

The good news is that Michael Gillespie was quick to create a free decryptor for this ransomware so victims can get their files back for free.

The CryptoNar Ransomware
When the CryptoNar, or Crypto Nar, Ransomware encrypts a victim's files, it performs the encryption differently depending on the type of file being encrypted.

If the targeted file has a .txt or .md extension, it will encrypt the entire file and append the .fully.cryptoNar extension to the encrypted file's name. All other files will only have the first 1,024 bytes encrypted and will have the .partially.cryptoNar extension appended to the file's name.

Files encrypted by CryptoNar
When done encrypting the files, it then sends the public/private key pair to the attacker via email.

Send keys via SMTP
CryptoNar will then drop a ransom note named CRYPTONAR RECOVERY INFORMATION.txt that asks the victim to send $200 in bitcoins to the enclosed bitcoin address. When sending the coins, the attacker instructs the victim to enter their email address and listed ID in the "extra note" field of the bitcoin transaction.

CryptoNar ransom note
A decryptor is then launched that waits for the victim to enter a private key they would supposedly receive after paying the ransom.

Crypto Nar Version 1.0

It is not known if the attacker will actually try and help a victim after they pay, but at this point it does not matter as there is a free decryptor available.

Free CryptoNar Decryptor created
The good news is that Michael Gillespie was able to create a free decryptor for CryptoNar that allows victims to get their files back for free.

Michael Gillespie (@demonslay335), 1:05 AM - Aug 29, 2018: “Here's a free decrypter for CryptoJoker / CryptoNar #Ransomware (extensions ".cryptojoker" / ".cryptoNar"). Just requires either an encrypted/original file, or one encrypted file of a common type (e.g. .jpg, .png, .pdf, .doc, etc). https://download.bleepingcomputer.com/demonslay335/CryptoJokerDecrypter.zip”

To use the decryptor, make sure you have both an encrypted file and its original counterpart, and then download the decryptor from BleepingComputer.com. When looking for encrypted/non-encrypted pairs, it can be a common file type such as .jpg, .png, .pdf, .doc, .xls, etc.
When ready, run the decryptor, select Settings, and then select Brute Forcer. Once in the brute forcer, select both of the requested files and click Start. The decryptor will then use the selected files to brute force the decryption key.

When one is found, close the Brute Forcer screen and the key should be loaded. Now click on Select Directory, select the C: drive, and click on the Decrypt button.

Files decrypted
Your files should now be decrypted.


Organizations Hit With North Korea-Linked Ryuk Ransomware
23.8.2018 securityweek
Ransomware

A recent wave of ransomware attacks against organizations around the world has been linked to a notorious North Korean threat actor, security firm Check Point says.

The campaign appears highly targeted, with at least three organizations in the United States and worldwide severely affected. Because some victims decided to pay large ransoms in order to retrieve access to their files, the campaign operators are estimated to have netted over $640,000 to date.

Two ransom note versions were sent to victims: a longer, well-worded one that demanded a payment of 50 Bitcoin (around $320,000), and a shorter, more blunt note demanding payments between 15 and 35 BTC (up to $224,000).

Dubbed Ryuk, the ransomware used in these attacks appears connected to Hermes, a piece of file-encrypting malware previously associated with the North Korean threat group Lazarus. Hermes too was used in targeted attacks, including the attack against the Far Eastern International Bank (FEIB) in Taiwan.

Thus, Check Point’s security researchers concluded that Lazarus could be responsible for the Ryuk ransomware as well, unless another actor was able to get Hermes’ source code and used it to build their own malware.

As Intezer and McAfee revealed not long ago, however, most North Korean malware can be linked to Lazarus via code reuse.

Ryuk’s encryption scheme, the researchers note, was built specifically for small-scale operations. Thus, not only is the infection carried out manually by the operators, but the malware itself infects only crucial assets and resources on the targeted networks.

The ransomware’s encryption logic resembles that found in Hermes, and the code used to generate, place and verify a marker to determine if a file was already encrypted is identical in both malware families. The function that invokes this routine conducts very similar actions in both cases.

Furthermore, both ransomware families drop to the disk files that resemble in name and purpose, and Check Point notes that such similarity of code “might well be a sign of an underlying identical source code.”

As part of the recent attacks, a dropper containing both the 32-bit and 64-bit modules of the ransomware was used. When run, Ryuk checks if it was executed with a specific argument and then kills more than 40 processes and over 180 services belonging to antivirus, database, backup and document editing software.

The ransomware also achieves persistence onto the infected machines and attempts to encrypt network resources in addition to local drives. It also destroys its encryption key and deletes shadow copies and various backup files from the disk, to prevent users from recovering files.

The researchers also note that, from the exploitation phase through to the encryption process and the ransom demand itself, the Ryuk campaign is clearly targeted at organizations that can pay large ransom amounts.

Almost all of the observed Ryuk ransomware samples, the security researchers say, were provided with a unique wallet. Shortly after the victim paid the ransom, the attackers divided the funds and transmitted them through multiple accounts.

“We were able to spot a connection between these wallets, as funds paid to them were transferred to several key wallets at a certain point. This may indicate that a coordinated operation, in which several companies have been carefully targeted, is currently taking place using the Ryuk ransomware,” Check Point says.


North Korea-linked Ryuk Ransomware used in a targeted campaign
23.8.2018 securityaffairs
Ransomware

Check Point reported that organizations worldwide have been targeted with the Ryuk ransomware, which was developed by a North Korea-linked threat actor.
Security experts from Check Point have uncovered a ransomware-based campaign aimed at organizations around the world and conducted by a North Korea-linked threat actor.

The campaign appears targeted and well-planned: the crooks targeted several enterprises and encrypted hundreds of PCs, storage devices and data centers in each infected company.

Some organizations paid an exceptionally large ransom in order to retrieve the encrypted files; Check Point confirms that the ransom amounts paid by the victims ranged between 15 BTC and 50 BTC.

At least three organizations in the United States and worldwide have been severely affected, the attackers are estimated to have already netted over $640,000 to date.

The malicious code used in the attack was tracked as Ryuk ransomware, it appears connected to Hermes malware that was associated with the notorious Lazarus APT group.

“Curiously, our research led us to connect the nature of Ryuk’s campaign and some of its inner-workings to the HERMES ransomware, a malware commonly attributed to the notorious North Korean APT Lazarus Group, which was also used in massive targeted attacks.” reads the analysis published by Check Point.

“This leads us to believe that the current wave of targeted attacks using Ryuk may either be the work of the HERMES operators, the allegedly North Korean group, or the work of an actor who has obtained the HERMES source code.”

The HERMES ransomware was first spotted in October 2017 when it was involved in a targeted attack against the Far Eastern International Bank (FEIB) in Taiwan.

Of course, we cannot exclude that another attacker was in possession of the Hermes’ source code and used it to develop the Ryuk ransomware.

Ryuk ransomware

Experts highlighted that the encryption scheme of the Ryuk ransomware was built specifically for small-scale operations.

“Unlike the common ransomware, systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks. In fact, its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers.” continues the report.

Experts found many similarities between the encryption logic implemented in the Ryuk’s code and the one used in the HERMES ransomware.

Continuing the analysis, the experts discovered that both ransomware families use a nearly identical dropper.

When executed, the Ryuk ransomware sleeps for several seconds, then checks whether it was executed with a specific argument, and then kills more than 40 processes and over 180 services associated with antivirus, database, backup and document editing software.

The ransomware destroys its encryption key and deletes shadow copies and various backup files from the disk in order to prevent victims from recovering their files.

It is interesting to note that almost all of the Ryuk ransomware samples analyzed by the experts were provided with a unique wallet. Once the victims have paid the ransom, the attackers divided the funds and transmitted them through multiple accounts.

“From the exploitation phase through to the encryption process and up to the ransom demand itself, the carefully operated Ryuk campaign is targeting enterprises that are capable of paying a lot of money in order to get back on track.” concludes Check Point.

“Both the nature of the attack and the malware’s own inner workings tie Ryuk to the HERMES ransomware and arouse curiosity regarding the identity of the group behind it and its connection to the Lazarus Group.” Check Point says.


KeyPass ransomware
17.8.2018 Kaspersky 
Ransomware

In the last few days, our anti-ransomware module has been detecting a new variant of malware – KeyPass ransomware. Others in the security community have also noticed that this ransomware began to actively spread in August:

Notification from MalwareHunterTeam

Distribution model
According to our information, the malware is propagated by means of fake installers that download the ransomware module.

Description
The Trojan sample is written in C++ and compiled in MS Visual Studio. It was developed using the libraries MFC, Boost and Crypto++. The PE header contains a recent compilation date.

PE header with compilation date

When started on the victim’s computer, the Trojan copies its executable to %LocalAppData% and launches it. It then deletes itself from the original location.

Following that, it spawns several copies of its own process, passing the encryption key and victim ID as command line arguments.

Command line arguments

KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of their extension. It skips files located in a number of directories, the paths to which are hardcoded into the sample.

The list of excluded paths

Every encrypted file gets an additional extension: “.KEYPASS”, and ransom notes named “!!!KEYPASS_DECRYPTION_INFO!!!.txt” are saved in each processed directory.

The ransom note

Encryption scheme
The developers of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of 0x500000 bytes (~5 MB) of data at the beginning of each file.

Part of the procedure that implements data encryption

Soon after launch, KeyPass connects to its command and control (C&C) server and receives the encryption key and the infection ID for the current victim. The data is transferred over plain HTTP in the form of JSON.

If the C&C is inaccessible (e.g. if the infected machine is not connected to the internet or the server is down), the Trojan uses a hardcoded key and ID, which means that in the case of offline encryption the decryption of the victim’s files will be trivial.
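To make the consequences of this scheme concrete, here is an added example in Go (not Kaspersky's code and not the Trojan's): a recovery routine for a .KEYPASS file whose 32-byte key is known, such as the hardcoded one used when the C&C is unreachable, plus a check showing why the zero IV and shared key let a responder match encrypted files by original type without the key. The key and file contents are constructed, and full-block (128-bit) CFB feedback is assumed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// KeyPass encrypts at most the first 0x500000 bytes (~5 MB) of each file with
// AES-256 in CFB mode, a zero IV and one 32-byte key for every file.
const keyPassMaxEncrypted = 0x500000

// keyPassStream builds the AES-256-CFB stream with an all-zero IV.
// Assumption: full-block (128-bit) CFB feedback, which is what Go's cipher.CFB
// implements; the sample's Crypto++ CFB is assumed to match.
func keyPassStream(key []byte, decrypt bool) (cipher.Stream, error) {
	if len(key) != 32 {
		return nil, errors.New("KeyPass uses a 32-byte AES-256 key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // zero IV, exactly as the Trojan does
	if decrypt {
		return cipher.NewCFBDecrypter(block, iv), nil
	}
	return cipher.NewCFBEncrypter(block, iv), nil
}

// applyKeyPass transforms only the capped prefix and copies the tail through
// unchanged, mirroring the 0x500000-byte limit of the sample.
func applyKeyPass(key, in []byte, decrypt bool) ([]byte, error) {
	stream, err := keyPassStream(key, decrypt)
	if err != nil {
		return nil, err
	}
	n := len(in)
	if n > keyPassMaxEncrypted {
		n = keyPassMaxEncrypted
	}
	out := make([]byte, len(in))
	stream.XORKeyStream(out[:n], in[:n]) // only the prefix is ciphertext
	copy(out[n:], in[n:])                // bytes past the cap were never touched
	return out, nil
}

// encryptLikeKeyPass produces constructed sample data in the shape of a
// .KEYPASS file so that the recovery routine can be exercised offline.
func encryptLikeKeyPass(key, plain []byte) ([]byte, error) {
	return applyKeyPass(key, plain, false)
}

// recoverKeyPassFile reverses the scheme once the key is known, e.g. the
// hardcoded key used when the C&C server was unreachable.
func recoverKeyPassFile(key, encrypted []byte) ([]byte, error) {
	return applyKeyPass(key, encrypted, true)
}

// sameLeadingBlock shows the second weakness: with one key and a zero IV the
// first CFB block is E(key, 0) XOR P1 for every file, so two .KEYPASS files
// whose originals share their first 16 bytes (the same format magic, say)
// share their first 16 ciphertext bytes. A responder can therefore group
// encrypted files by original type without knowing the key.
func sameLeadingBlock(a, b []byte) bool {
	if len(a) < aes.BlockSize || len(b) < aes.BlockSize {
		return false
	}
	return bytes.Equal(a[:aes.BlockSize], b[:aes.BlockSize])
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed key, not the real one
	doc := []byte("%PDF-1.7\n% constructed sample document body\n")
	enc, _ := encryptLikeKeyPass(key, doc)
	dec, _ := recoverKeyPassFile(key, enc)
	fmt.Printf("recovered intact: %v\n", bytes.Equal(doc, dec))
}
```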

GUI
From our point of view, the most interesting feature of the KeyPass Trojan is the ability to take ‘manual control’. The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This capability might be an indication that the criminals behind the Trojan intend to use it in manual attacks.

GUI of the trojan

This form allows the attacker to customize the encryption process by changing such parameters as:

encryption key
name of ransom note
text of ransom note
victim ID
extension of the encrypted files
list of paths to be excluded from the encryption

Paths excluded from encryption by default

Pseudocode of the procedure that shows the GUI by a keypress

Geography

IOC
901d893f665c6f9741aa940e5f275952 – Trojan-Ransom.Win32.Encoder.n
hxxp://cosonar.mcdir.ru/get.php


TSMC Chip Maker confirms its facilities were infected with WannaCry ransomware
7.8.2018 securityaffairs
Ransomware

TSMC shared further details on the attack and confirmed that its systems were infected with a variant of the infamous WannaCry ransomware.
Early in August, malware infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories, the plants where Apple produces its devices.

TSMC is the world’s biggest contract manufacturer of chips for tech giants, including Apple and Qualcomm Inc.

Now the company shared further details on the attack and confirmed that its systems were infected with a variant of the infamous WannaCry ransomware that hit 200,000 computers across 150 countries in a matter of hours in May 2017.

WannaCry took advantage of a tool named “Eternal Blue”, originally created by the NSA, which exploited a vulnerability present inside the earlier versions of Microsoft Windows. This tool was soon stolen by a hacking group named “Shadow Brokers” which leaked it to the world in April 2017.

The infection caused one of the most severe disruptions suffered by TSMC as it ramps up chipmaking for Apple Inc.’s next iPhones.

The company contained the problem, but some of the affected plants shut down an entire day of production.

It has been estimated that the overall impact on the revenue of TSMC will be approximately $256 million.

Chief Financial Officer Lora Ho confirmed that the infection would have some impact on TSMC’s 2018 profit, but declined to elaborate on further details.

TSMC Apple infection

According to the manufacturer, it wasn’t a targeted attack, instead, the systems were infected “when a supplier installed tainted software without a virus scan” to TSMC’s network.

The malware rapidly spread within the company network and infected more than 10,000 machines in some of the company’s production plants, including Tainan, Hsinchu, and Taichung.

“We are surprised and shocked,” TSMC Chief Executive Officer C. C. Wei said, “We have installed tens of thousands of tools before, and this is the first time this happened.”

WannaCry infected many other big companies; the list of victims includes Boeing, Renault, and Honda.

TSMC confirmed that customer data was not compromised during the attack, but it warned customers that shipment delays are expected.


Chip Giant TSMC Says WannaCry Behind Production Halt
6.8.2018 securityweek
Ransomware

TSMC Chip Factory hit by Malware

Image Source: Taiwan Semiconductor Manufacturing Co., Ltd.

Chipmaker giant Taiwan Semiconductor Manufacturing Co (TSMC) said Monday the computer virus that brought its production to a halt for two days was a variant of the WannaCry ransomware that hit users all around the world.

WannaCry infected more than 200,000 users in more than 150 countries last year, encrypting user files and demanding ransom payments from their owners to get them back.

TSMC -- a key Apple supplier -- said some of its computer systems and equipment in its Taiwan plants were infected on August 3 during software installation, which is expected to cause shipment delays and cut third-quarter revenue by two percent.

It comes as Apple is set to release new iPhone models later this year.

TSMC declined to specify which customers and products are affected by the brief outage, but it said no confidential information was compromised.

Chief Executive Officer C.C. Wei told reporters and analysts on Monday that the virus has been eliminated and all production is back online.

Wei ruled out the incident being a hack targeted at the company, describing it instead as an oversight by employees who failed to conduct virus scans properly.

"This is purely our negligence so I don't think there is any hacking behaviour," he said.

"We regret this. There won't be any more human errors," said Wei.

He added that TSMC will develop a more automated anti-virus procedure going forward.

The firm said it is in close contact with its customers to minimise the impact, and maintains its sales growth outlook for the year.


SamSam Ransomware: Patient, Persistent, Competent and Dangerous
1.8.2018 securityweek  
Ransomware

The SamSam ransomware has always been a bit different. Unlike many ransomware infections, its victims are targeted rather than random -- and the attacker establishes a presence on the victim network before beginning the encryption process.

Victims this year include the City of Atlanta, Allscripts, Adams Memorial Hospital, Colorado Department of Transportation and the Mississippi Valley State University. It could seem that SamSam targets health, education and government; but a new and detailed analysis of SamSam from Sophos shows this is not the case -- and its success rate is far higher than previously thought.

"Sophos have discovered that these three sectors account for fewer than half of the total number of organizations we believe have been victims of SamSam, and it's the private sector who have suffered the most (and disclosed the least)."

By following the money and tracking the Bitcoin payment wallets with help from Neutrino (a firm that specializes in tracking cryptocurrency flows), Sophos researchers have estimated that the SamSam attacker has netted more than $5.9 million dollars since version 1 (it is now at version 3) began being used in January 2016. The attacker is currently collecting an average of $300,000 per month. Sophos estimates that about 233 victims have paid a SamSam ransom.

The attacker is thought to be a single person working alone rather than a criminal or nation-state gang. He (or she) is proficient, although not perfect, in the English language; but probably comes from a country where English is not the first language. He does not boast about his exploits and has no known social media presence, although linguistic tells within his ransomware might provide clues to his identity. At this point, his identity and nationality are unknown.

Sophos researchers have tracked (PDF) the evolution of SamSam through its three versions. It shows a developer getting ever more proficient in his craft. The basic MO is to select the targets, possibly through publicly available search engines such as Shodan or Censys, access the network, elevate privilege and reconnoiter, and then encrypt everything he can access. The encryption itself is usually done overnight to reduce the chance of detection.

According to the researchers, version 3 usually gains entry by brute-forcing Windows RDP accounts. "While some may find this shocking," say the researchers, "a simple search on Shodan will reveal thousands of IP addresses accessible over port 3389, the default RDP port."

Once access to a domain user account is obtained, the attacker will typically use Mimikatz to harvest the credentials of the first domain admin to log on. This has been known on some occasions to take days, with the attacker simply waiting.

Armed with privileged access, the attacker starts to manually deploy the ransomware. First, he takes control of one of the victim's servers, which he uses as his command center. Then, he scans the network. If he can write a tiny text file to a computer's filesystem (called test.txt), the name of that file is added to a separate file stored on his command server and known as 'alive.txt'. "The attacker later uses this .txt file as a target list," report the researchers.

Deployment from the command server is usually done with the Sysinternals PsExec application, although the attacker has been known to switch to PowerAdmin's PaExec if the former is blocked. Once the attack is initiated, the attacker simply waits for payment.
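A detection for the probe-file sweep described above, as an added example (not Sophos's or the article's code): it scans constructed, normalised Windows Security event 5145 lines and alerts when one source address and account create test.txt on many hosts within a short window, which is the signal a defender gets while the attacker is still building the alive.txt target list. The key=value line layout, host names and addresses are all constructed for this example.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
	"time"
)

// shareAccess is one normalised Windows Security event 5145 ("a network share
// object was checked to see whether client can be granted desired access").
// Field names follow the event's own; the key=value layout is constructed here.
type shareAccess struct {
	When   time.Time
	User   string // SubjectUserName
	Source string // IpAddress of the client, i.e. the attacker's command server
	Host   string // Computer that logged the event, the owner of the share
	Target string // RelativeTargetName, the path written inside the share
}

// parseShareAccess reads one line; ok is false for anything but a 5145 event.
func parseShareAccess(line string) (ev shareAccess, ok bool) {
	f := map[string]string{}
	for _, kv := range strings.Fields(line) {
		if k, v, found := strings.Cut(kv, "="); found {
			f[k] = v
		}
	}
	if f["EventID"] != "5145" {
		return ev, false
	}
	ts, err := time.Parse(time.RFC3339, f["Time"])
	if err != nil {
		return ev, false
	}
	return shareAccess{When: ts, User: f["SubjectUserName"], Source: f["IpAddress"],
		Host: f["Computer"], Target: f["RelativeTargetName"]}, true
}

// detectProbeSweep returns, keyed by "sourceIP|account", the sorted hosts on
// which that pair created test.txt, but only when at least minHosts distinct
// hosts were hit within window. An admin touching a single host does not trip it.
func detectProbeSweep(lines []string, window time.Duration, minHosts int) map[string][]string {
	byActor := map[string][]shareAccess{}
	for _, l := range lines {
		ev, ok := parseShareAccess(l)
		if !ok {
			continue
		}
		base := path.Base(strings.ReplaceAll(ev.Target, `\`, "/"))
		if !strings.EqualFold(base, "test.txt") {
			continue
		}
		k := ev.Source + "|" + ev.User
		byActor[k] = append(byActor[k], ev)
	}
	alerts := map[string][]string{}
	for k, evs := range byActor {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		for i := range evs { // sliding window anchored at each event
			seen := map[string]bool{}
			for j := i; j < len(evs) && evs[j].When.Sub(evs[i].When) <= window; j++ {
				seen[evs[j].Host] = true
			}
			if len(seen) < minHosts {
				continue
			}
			hosts := make([]string, 0, len(seen))
			for h := range seen {
				hosts = append(hosts, h)
			}
			sort.Strings(hosts)
			alerts[k] = hosts
			break // one alert per actor is enough
		}
	}
	return alerts
}

// sampleEvents are constructed: one account sweeping six hosts in under three
// minutes, a benign admin touching one host, and a non-5145 line to ignore.
var sampleEvents = []string{
	"Time=2018-07-14T02:10:05Z EventID=5145 Computer=FS01 SubjectUserName=CORP\\jdoe IpAddress=10.20.0.9 ShareName=\\\\*\\C$ RelativeTargetName=test.txt",
	"Time=2018-07-14T02:10:30Z EventID=5145 Computer=WS-ACCT01 SubjectUserName=CORP\\jdoe IpAddress=10.20.0.9 ShareName=\\\\*\\C$ RelativeTargetName=test.txt",
	"Time=2018-07-14T02:10:58Z EventID=5145 Computer=WS-ACCT02 SubjectUserName=CORP\\jdoe IpAddress=10.20.0.9 ShareName=\\\\*\\C$ RelativeTargetName=Users\\Public\\test.txt",
	"Time=2018-07-14T02:11:20Z EventID=5145 Computer=SQL01 SubjectUserName=CORP\\jdoe IpAddress=10.20.0.9 ShareName=\\\\*\\ADMIN$ RelativeTargetName=test.txt",
	"Time=2018-07-14T02:12:02Z EventID=5145 Computer=DC01 SubjectUserName=CORP\\jdoe IpAddress=10.20.0.9 ShareName=\\\\*\\C$ RelativeTargetName=test.txt",
	"Time=2018-07-14T02:12:40Z EventID=5145 Computer=WS-HR03 SubjectUserName=CORP\\jdoe IpAddress=10.20.0.9 ShareName=\\\\*\\C$ RelativeTargetName=test.txt",
	"Time=2018-07-14T09:00:00Z EventID=5145 Computer=FS01 SubjectUserName=CORP\\itadmin IpAddress=10.20.0.50 ShareName=\\\\*\\C$ RelativeTargetName=test.txt",
	"Time=2018-07-14T09:00:01Z EventID=4624 Computer=FS01 SubjectUserName=CORP\\itadmin IpAddress=10.20.0.50",
}

func main() {
	for actor, hosts := range detectProbeSweep(sampleEvents, 10*time.Minute, 5) {
		fmt.Printf("probe sweep by %s across %d hosts: %v\n", actor, len(hosts), hosts)
	}
}
```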

One key element of SamSam is the extent to which stealth is used -- completely in keeping with, and supporting, the attacker's low-profile approach to crime. "In version 3 of SamSam," say the researchers, "the general operation of the payload hasn't changed much since version 1, but the attackers have put significant efforts into creating a stealthier version of the malware."

One example of this is the order in which targeted files are encrypted -- anything smaller than 100 Mb immediately, and larger files in size order. SQL and MDF files (which are typically large and time-consuming to encrypt) are next; and finally, anything left that is not on an exclusion list. "This carefully curated approach enables the attacker to achieve a greater volume of encrypted files before the attack is spotted and interrupted."

Another example is the consistency with which the attacker deletes the files he uses once the device is encrypted, or if the attack is interrupted.

Payment is made in Bitcoin (BTC), and the attacker offers several initial options. Individual computers can be decrypted on payment of 0.8 BTC (as of July 2018). Full decryption -- regardless of the number of encrypted computers -- costs 7 BTC (around $40,000 at July 2018 exchange rates). Victims have 7 days to make payment; but there is at least one example of the victim being offered the option to reopen the countdown on payment of 0.5 BTC.

The bad news for victims is that there is no known way to recover SamSam encrypted files. The good news, if you can call it such, is that the attacker really does provide decryption, and even offers online support for those who have difficulties.

Sophos urges companies not to pay any ransom, but accepts the difficulties with SamSam. "Instead," say the researchers, "Sophos strongly recommends a comprehensive layered approach to security, to both avoid an initial attack, and enable system recovery through backups." However, they also note, "Securing an environment against a competent, persistent, and patient, human adversary is somewhat different from defending against the more conventional kinds of semi-automated, social engineering-driven threats more commonly seen in enterprise environments. And SamSam's own particularly damaging behavior sets it apart from many other ransomwares."


SamSam Ransomware operators earned more than US$5.9 Million since late 2015
1.8.2018 securityaffairs 
Ransomware

The security experts from Sophos have published a report on the multimillion-dollar black market business that ransomware represents for crooks, using the SamSam ransomware as a case study.

The researchers that have tracked Bitcoin addresses managed by the crime gang discovered that crooks behind the SamSam ransomware had extorted nearly $6 million from the victims since December 2015 when it appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015. 74% of the known victims are based in the United States. Other regions known to have suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid an overall amount of $5.9 million, the security firm also estimated that the group is netting around $300,000 per month.

“In total, we have now identified 157 unique addresses which have received ransom payments as well as 89 addresses which have been used on ransom notes and sample files but, to date, have not received payments,” continues the report published by Sophos.

“By analyzing the payments, and comparing this with ransom notes at the time, we can estimate the number of individual victims who have chosen to pay at least some of the ransom amount stands at 233 as of July 19th 2018. With an estimated 1 new victim being attacked each day, we believe that roughly 1 in 4 victims pay at least some of the ransom.”

SamSam ransomware payments

The attackers deploy the SamSam ransomware manually by compromising RDP on the target machine, this aspect makes SamSam infections different from the ones associated with other ransomware that leverages spam campaigns or malvertising.

The attackers carry out brute-force attacks against RDP on the target system; sometimes they leverage credentials obtained from other data breaches, typically offered for sale on the dark web.

Once a system inside the targeted organization has been compromised, the SamSam operators search for other machines to infect while stealing credentials.

When operators discover a potential target they manually deploy SamSam using tools like PSEXEC and batch scripts.

The following diagram shows the different steps of the latest SamSam variant for which the initial infection vector is still unclear.

SamSam new variant

Once they have infected the largest possible number of systems in the targeted organization, the operators offer a complete clean-up of the infected systems for a special price.

The highest estimate has been US$850,000 worth of bitcoin for the decryption keys.

The encryption process targets the most valuable data first thanks to a multi-tiered priority system; SamSam ransomware doesn’t encrypt Windows system-related files.

Since its discovery, the SamSam ransomware targeted large organizations, including hospitals and educational institutions.

Sophos provides the following recommendations to secure the network of organizations against the SamSam ransomware:

regularly patch against known vulnerabilities for the applications and operating systems;
keep regular backups;
use multi-factor authentication;
restrict access to RDP (on port 3389).


Ransomware attack against COSCO spread beyond its US network to Americas
1.8.2018 securityaffairs 
Ransomware

New revelations on the attack against COSCO confirm it was worse than initially thought, the ransomware spread beyond the US network.
Chinese shipping giant COSCO recently suffered a ransomware attack that disrupted some systems of the company in the United States.

The shipping company quickly isolated the affected systems to avoid propagation to other regions and started an internal investigation; the firm confirmed that the incident did not affect the operations of its fleet.

“After the network security problem in the Americas has been detected, to protect the interests of our customers, we have taken proactive measures to isolate internal networks to carry out technical inspections on global scale.” COSCO said in an official statement. “With the reliable confirmation from the technical experts that the networks in all other regions are secure, the network applications were recovered at 16:00 (Beijing Time) on 25th July in all the regions except the Americas. As of now, all the business operations have been back to normal in the regions with network recovered.”

New revelations on the attack confirm it was worse than initially thought, the malicious code spread beyond the US network of the company and infected systems in other countries, including Argentina, Brazil, Canada, Chile, Panama, Peru, and Uruguay.

“Chinese shipping giant COSCO said a ransomware attack has spread beyond its US network to the broader Americas, including Argentina, Brazil, Canada, Chile, Panama, Peru, and Uruguay.” reported the CBR website.

“That’s according to maritime intelligence house Lloyds List, which has reported that customers were also said to be facing issues in the UK and Turkey.”

Due to local network breakdown within the America regions, local email and network telephone were not able to work properly at the moment of the attack.

The attack on the world’s largest shipping company by dry weight tonnage has taken out emails and phones.

The company published a list of alternative Yahoo! email addresses to its customers for ordinary communications.

Security experts warned that COSCO fleet could still be at risk following the attack.

“Although COSCO has been quick to respond to this hack, the virus may have been dormant for some time, so I would not be surprised if other systems – shore- and ship-based systems – have been breached. We strongly recommend to whoever discovered the attack to thoroughly verify the breach has been contained and has not infected any ships in the COSCO fleet.” Maritime cybersecurity specialists Naval Dome told IHS Fairplay.


The ransomware attack against COSCO does not appear as severe as the NotPetya attack that hit shipping giant Maersk in August 2017.

According to Maersk’s second quarter earnings report, the company was expecting losses between $200 million and $300 million due to “significant business interruption”, because it was forced to temporarily halt critical systems infected with the ransomware.

Møller-Maersk chair Jim Hagemann Snabe during a speech at the World Economic Forum explained that the attack forced the IT staff to reinstall “4,000 new servers, 45,000 new PCs, and 2,500 applications,” practically “a complete infrastructure.”


Dutch Court Sentences CoinVault Ransomware Authors to Community Service
28.7.2018 securityweek
Ransomware

Two Dutch men were sentenced on Thursday to 240 hours of community service for creating and using the CoinVault ransomware.

The suspects are brothers, identified by Dutch media as Melvin and Dennis van den B., currently aged 25 and 21, respectively. They were both arrested in 2015 and accused of creating CoinVault, one of the first pieces of file-encrypting ransomware, and its successor, Bitcryptor.

Their trial took place on July 12 and they have now been sentenced to 240 hours of community service, which is the maximum time of community service someone can serve. They have also been ordered to pay restitution to some of their victims.

Prosecutors asked for a three-month prison sentence and nine months suspended in addition to community service. However, the sentence has been reduced due to the fact that the brothers cooperated with the police, including to help victims recover their files, and have not committed any other crimes since their arrest in 2015.

The suspects were accused of hacking into computers and extorting nearly 1,300 individuals. However, Kaspersky Lab, which investigated CoinVault back in 2014 when the threat emerged and helped police identify the hackers, noted that there were actually roughly 14,000 victims worldwide.

A decryption tool for the CoinVault ransomware is available from the NoMoreRansom initiative, but some victims have not been able to recover their files due to some implementation errors that prevented recovery even with the decryption keys.

The cybercriminals were identified by Dutch police after Kaspersky researchers found a first name in the malware code. According to some reports, the CoinVault authors also failed to hide their real IP address on at least one occasion.

“Cybercrime doesn’t pay,” said Kaspersky Lab researcher Jornt van der Wiel, commenting on the case. “If you become a victim of criminal or ransomware activity, keep your files and report the incident to the police. Never pay the ransom and be confident that not only will the decryption tool appear, but also that justice will triumph in regards to the criminals.”


Ransomware attack disrupted some systems of the shipping giant COSCO in the US
28.7.2018 securityaffairs
Ransomware

The Chinese shipping giant COSCO was reportedly hit by a ransomware attack affecting its operations in the Americas region.
According to COSCO a “local network breakdown” disrupted some systems in the United States.

Media confirmed the incident was the result of a ransomware attack and quoted a company spokesman as the source.

“The China Ocean Shipping Co. Terminal at the Port of Long Beach was hit by a cyberattack on Tuesday, July 24.” states local media.

“A spokesman for the Shanghai-based company, which acknowledged the ransomware attack Tuesday, said that the company’s operations outside the United States were not affected.”


The shipping company quickly isolated the affected systems to avoid propagation to other regions and started an internal investigation; the firm confirmed that the incident did not affect the operations of its fleet.

“Due to local network breakdown within our America regions, local email and network telephone cannot work properly at the moment. For safety precautions, we have shut down the connections with other regions for further investigations.” reads the security advisory published by COSCO.

“So far, all vessels of our company are operating normally, and our main business operation systems are stable. We are glad to inform you that we have taken effective measures and aside from the Americas region, the business operation within all other regions will be recovered very soon. The business operations in the Americas are still being carried out, and we are trying our best to make a full and quick recovery,”

The Journal of Commerce, citing COSCO Vice President Howard Finkel, reported that communications between the carrier’s U.S. operations and its customers had slowed because of the cyber attack: digital channels were disrupted and communications were being handled by telephone.

JOC.com (@JOC_Updates), 24 Jul 2018: “Cosco responds to cyber attack on US operations #maritime #containers http://bit.ly/2uMjJJS”
Port of Long Beach spokesman Lee Peterson confirmed the attack and added that it is monitoring the situation.

According to security researcher Kevin Beaumont, the ransomware infected the portion of the infrastructure that hosts the company’s US website (cosco-usa.com), its phone and email systems, and its WAN and VPN gateways.

Catalin Cimpanu (@campuscodi), 26 Jul 2018, replying to @GossiTheDog: “Their global website is still working fine. Only their US site is down from what it appears. http://lines.coscoshipping.com/home/News/detail/15325081261286611042/50000000000000231?id=50000000000000231”

Kevin Beaumont (@GossiTheDog), 26 Jul 2018: “Yes, it is only Cosco Americas Inc (CAI) impacted. Anything on this network: https://ipinfo.io/AS32604 - includes their website http://www.cosco-usa.com , their phone system, WAN and VPN gateways, email etc.”

Kevin Beaumont (@GossiTheDog), 26 Jul 2018: “If anybody from Cosco is reading I help with anything like this free of charge for the insight gained, send me an email if you want.”

Kevin Beaumont (@GossiTheDog), 26 Jul 2018: “Cosco have put out a statement confirming the issue. I understand they’re now on their 4th day of downtime for CAI (Cosco Americas Inc) business unit. https://www.itwire.com/security/83772-cosco-s-us-arm-hit-by-windows-ransomware.html” (linked article: “Cosco's US arm hit by Windows ransomware”, itwire.com)

At the time of writing the affected U.S. systems still appear to be offline.

The good news is that the attack does not appear as severe as the NotPetya attack that hit shipping giant Maersk in June 2017.

According to Maersk’s second-quarter earnings report, the company expected losses of between $200 million and $300 million due to “significant business interruption”, because it was forced to temporarily halt critical systems infected with the malware.

Møller-Maersk chair Jim Hagemann Snabe explained during a speech at the World Economic Forum that the attack forced the IT staff to reinstall “4,000 new servers, 45,000 new PCs, and 2,500 applications,” practically “a complete infrastructure.”


Dutch brothers sentenced to community service for involvement in CoinVault ransomware distribution
28.7.2018 securityaffairs
Ransomware

On Thursday, two Dutch brothers were sentenced to 240 hours of community service for creating and using the CoinVault ransomware.
Melvin (25) and Dennis van den B. (21) were arrested in 2015 for their alleged involvement in the creation and distribution of the CoinVault ransomware; the case was heard by the district court in Rotterdam.

The men were accused of breaking into computers, making other people’s data inaccessible, and extorting 1,295 people.

“The court today sentenced two men for hacking computers and then extorting a large group of people. The suspects were 22 and 18 years old at the time. The court finds that these are very serious offences and that a substantial prison sentence would be appropriate.” reads the Rechtspraak (Dutch judiciary) ruling.

“The reasons for not imposing an unconditional prison sentence are the fact that they have cooperated fully in the police investigation and in limiting the (digital) damage, their blank criminal record and that they have not committed any new criminal offenses in the past three years. “

CoinVault ransomware was first spotted in the wild in May 2014, it infected more than 14,000 Windows computers worldwide, most of them in the Netherlands, the US, the UK, Germany, and France.

In 2015, after the arrest of the suspects, the authorities seized the command and control server. Kaspersky researchers released a decryption tool for the ransomware allowing victims to decrypt their files for free.

The two suspects, Dutch brothers, were identified with the help of experts from Kaspersky Lab thanks to their poor operational security: the researchers reverse-engineered the malicious code and found the first name of one of the suspects in it, and the pair’s IP address on the command and control server.

“Another thing that we as Kaspersky Lab kept from the public, is that in our initial blogpost about Coinvault we had a screenshot with one of the suspect’s first name in the pdb path.” reported Kaspersky.

The two men, who had clean criminal records, avoided jail by cooperating with the investigation conducted by the authorities. The court sentenced them to 240 hours of community service, the maximum term of community service that can be imposed.
The court has also ordered the Dutch brothers to pay compensation to some of their victims.

In order to protect your computer from malware:

Ensure your system software and antivirus definitions are up to date.
Avoid visiting suspicious websites.
Regularly back up your important files to a separate drive or storage that is connected only while the backup runs.
Be on high alert for pop-ups, spam, and unexpected email attachments.


Shipping Giant COSCO Hit by Ransomware
26.7.2018 securityweek
Ransomware

Chinese state-owned shipping and logistics company COSCO was reportedly hit by a piece of ransomware that disrupted some of its systems in the United States.

COSCO, one of the world’s largest shipping companies, described the incident as a “local network breakdown” in the Americas region. The firm says it has suspended connections with other regions while it conducts an investigation.

“So far, all vessels of our company are operating normally, and our main business operation systems are stable. We are glad to inform you that we have taken effective measures and aside from the Americas region, the business operation within all other regions will be recovered very soon. The business operations in the Americas are still being carried out, and we are trying our best to make a full and quick recovery,” COSCO stated.

While COSCO’s statement does not mention a cyberattack, the company told some news outlets that the disruptions are the result of a ransomware attack.


According to researcher Kevin Beaumont, the impacted infrastructure hosts COSCO’s website (cosco-usa.com), phone and email systems, and WAN and VPN gateways. The expert pointed out that the company resorted to using Twitter and Yahoo email accounts to communicate with customers.

The company’s U.S. systems still appear to be offline at the time of writing. It’s unclear if this was a targeted attack or if COSCO’s systems became infected as part of an opportunistic ransomware campaign.

If COSCO was truly hit by ransomware – it’s not uncommon for companies to misclassify cyber threats in the initial phases of an investigation – it would not be the first time a major shipping company has fallen victim to this type of attack.

One of the victims of last year’s NotPetya campaign, which caused losses of hundreds of millions of dollars for several major companies, was Danish shipping giant A.P. Moller–Maersk, which revealed that the incident forced its IT team to reinstall software on its entire infrastructure, including 45,000 PCs and 4,000 servers.

As a result of the attack, Maersk employees had to manually process 80 percent of the work volume while systems were being restored and the incident cost the company over $300 million.


Ransomware Attack Hits Health Firm LabCorp
20.7.2018 securityweek
Ransomware

Burlington, North Carolina-based LabCorp took some of its systems offline last weekend after discovering that some had been infected by ransomware.

LabCorp, a company that provides “diagnostic, drug development and technology-enabled solutions for more than 115 million patient encounters per year,” serves hundreds of thousands of customers nationwide and processes tests on more than 2.5 million patient specimens per week.

With revenues that topped $10 billion last year, the health company operates a network of more than 1,900 patient service centers (PSCs) nationally and employs about 60,000 people.

In an 8-K filing with the U.S. Securities and Exchange Commission on Monday, the company revealed that, over the weekend of July 14, it detected suspicious activity on its network and decided to take some systems offline to contain the activity.

“The activity was subsequently determined to be a new variant of ransomware,” the health firm said, responding to a SecurityWeek inquiry on the attack.

“LabCorp promptly took certain systems offline as part of its comprehensive response to contain and remove the ransomware from its system. This has temporarily affected some test processing and customer access to test results,” the company said.

By Monday, testing operations had already resumed and the firm was working on bringing additional systems and functions back online.

“Work has been ongoing to restore full system functionality as quickly as possible, testing operations have substantially resumed, and we are working to restore additional systems and functions over the next several days,” the company told SecurityWeek.

The ransomware, LabCorp says, only impacted its Diagnostics systems but did not affect Covance Drug Development systems. The health firm also revealed it has “engaged outside security experts and is working with authorities, including law enforcement.”

For the time being, the “investigation has found no evidence of theft or misuse of data,” the company said.


A few days after discovery of GandCrab ransomware ver 4.0, experts found 4.1 version
19.7.2018 securityaffairs
Ransomware

Security experts from Fortinet recently detected a new version of the GandCrab ransomware, ver 4.1, that is being distributed through compromised websites
A few days ago, I wrote about the return of the GandCrab ransomware (v4), a new version appeared in the threat landscape and experts at BleepingComputer first reported it.

GandCrab ransomware is a young threat: it first appeared in the wild early this year but evolved rapidly, with its authors improving it over the following months. As of March, the ransomware had infected over 50,000 systems and netted its operators over $600,000 in ransom payments.
Security experts from Fortinet recently detected a new version of the threat, the GandCrab ransomware 4.1 that is being distributed through compromised websites designed to appear like download sites for cracked applications.

Like version 4, the new variant encrypts file data with the Salsa20 stream cipher instead of the RSA-2048 scheme used in early versions of the threat (bulk file contents are encrypted with a fast symmetric cipher; asymmetric encryption is only needed to protect the per-victim key).

The code of the latest variant 4.1 includes a list of websites to which the malware connects to send data about the infected machine (IP address, username, computer name, network domain and, if present, a list of anti-malware tools on the system).

“Only two days after the release of GandCrab 4.0, FortiGuard Labs found a newer version (v4.1) being distributed using the same method, which is through compromised websites disguised as download sites for cracked applications.” reads the analysis published by Fortinet.

“With this new version, GandCrab has added a network communication tactic that was not observed in the previous version.”


Why does the new variant send data to a large number of websites?

According to Fortinet, there is no evidence that the websites in the hard-coded list have actually been compromised, which suggests that the malware authors are either testing the functionality or have included it as a diversion.

“However, we found no definitive evidence that the hard-coded websites included in the malware had actually ever been compromised to act as servers or download sites for GandCrab.” continues the analysis.

“Even more curious, the fact is that sending victim information to all live hosts in the list is illogical in a practical sense, given that a single successful send would have been enough for its purposes. With these points in mind, we have started to think that this function is either experimental, or simply there to divert analysis and that the URLs included in the list are just victims of a bad humour.”

The analysis also revealed that GandCrab 4.1 kills numerous processes that could interfere with file encryption: it terminates msftesql.exe, sqlagent.exe, oracle.exe, msaccess.exe, powerpnt.exe and wordpad.exe, among others, so that high-value files held open by popular applications (Microsoft Office documents, Steam, Oracle databases and so on) are released and can be encrypted.
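The process-killing step is easy to overlook in the encryption story, but it gives defenders a cheap signal. The Python below is added here as an example (it is not Fortinet's analysis tooling or code from the ransomware): it applies a simple detection heuristic to constructed process-termination events of the shape a Windows 4689 or Sysmon ProcessTerminate collector would emit, and raises an alert when several of the database and Office processes named above die on the same host within a short window. The 60-second window, the threshold of three distinct images, and the process names beyond the page's list are assumptions.

```python
"""Heuristic detector for the 'kill the file-locking processes' step that
GandCrab 4.1 performs before encryption. Added example; the sample events
are constructed, not real telemetry."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Processes the page names as GandCrab 4.1 kill targets ...
PAGE_KILL_LIST = {"msftesql.exe", "sqlagent.exe", "oracle.exe",
                  "msaccess.exe", "powerpnt.exe", "wordpad.exe"}
# ... plus a few assumed additions typical of ransomware kill lists.
ASSUMED_EXTRA = {"sqlservr.exe", "winword.exe", "excel.exe", "outlook.exe"}
WATCH_LIST = PAGE_KILL_LIST | ASSUMED_EXTRA

WINDOW = timedelta(seconds=60)   # assumption: burst window
THRESHOLD = 3                    # assumption: distinct watch-listed images per host per window


def parse_event(line):
    """Parse 'timestamp|host|image path' into (datetime, host, lowercased image basename)."""
    ts, host, image = line.strip().split("|", 2)
    return datetime.fromisoformat(ts), host.lower(), image.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return alerts as (host, window_start, sorted image names).

    Events are assumed to arrive in time order per host. Each host is
    alerted on at most once; the caller resets state per collection run."""
    recent = defaultdict(deque)   # host -> deque of (ts, image) inside the window
    alerts, alerted = [], set()
    for line in lines:
        if not line.strip():
            continue
        ts, host, image = parse_event(line)
        if image not in WATCH_LIST:
            continue                       # explorer.exe and friends are noise here
        q = recent[host]
        q.append((ts, image))
        while q and ts - q[0][0] > WINDOW:   # slide the window forward
            q.popleft()
        images = {img for _, img in q}
        if len(images) >= THRESHOLD and host not in alerted:
            alerts.append((host, q[0][0], sorted(images)))
            alerted.add(host)
    return alerts


# Constructed sample events (timestamp|host|image). ws-042 shows the burst;
# db-07 loses two DB processes hours apart, which is normal maintenance.
SAMPLE_EVENTS = """\
2018-07-19T10:00:01|ws-042|C:\\Windows\\explorer.exe
2018-07-19T10:00:05|ws-042|C:\\Program Files\\Microsoft Office\\Office16\\POWERPNT.EXE
2018-07-19T10:00:06|ws-042|C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlagent.exe
2018-07-19T10:00:06|ws-042|C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\msftesql.exe
2018-07-19T10:00:07|ws-042|C:\\Windows\\System32\\wordpad.exe
2018-07-19T09:00:00|db-07|C:\\oracle\\bin\\oracle.exe
2018-07-19T11:30:00|db-07|C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlagent.exe
"""

if __name__ == "__main__":
    for host, start, images in detect(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {host}: {len(images)} file-locking processes died within "
              f"{WINDOW.seconds}s from {start}: {images}")
```

The heuristic deliberately does not depend on knowing which process did the killing, which termination events typically do not record; the burst of unrelated file-locking processes dying together is the signal, and it fires before the first encrypted file is written.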

The experts from Fortinet highlighted that there is no evidence that GandCrab 4.1 is able to spread via SMB as WannaCry and Petya/NotPetya did.

“Over the past few days, numerous reports have been circulating claiming that this version of the GandCrab malware can self-propagate via an “SMB exploit”” continues the analysis.


“However, in spite of this string, we could not find any actual function that resembles the reported exploit capability. (It may also be relevant to report that this string was actually first found in v4.0 and not in v4.1, at least in the samples that we have analysed.) Since this string is not connected to any actual exploit spreading function that we could uncover, it seems much more likely that it is simply referring to the encryption of network shares, and not for any sort of exploit propagation.”

In summary, the threat continues to evolve, but the analysed samples show no ability to spread via SMB.


Downward Trend in Healthcare Ransomware Attacks May be Temporary
19.7.2018 securityweek 
Ransomware

Confirming a trend noted by other researchers, a new report from network security firm Cryptonite notes that ransomware incidents have declined over the last six months.

Cryptonite's Healthcare Cyber Research Report (H1, 2018) draws its conclusions from an analysis of 'IT/Hacking' incidents reported to the Health and Human Services Office of Civil Rights (HHS/OCR) between January 1, 2018 and June 30, 2018, supplemented by its own research.

The report (PDF) notes that ransomware events impacting more than 500 patient data records dropped from 19 in the first half of 2017 to eight in the first half of 2018 -- a decrease of 57%. At the same time, however, the number of patient records (ePHI) breached in the first half of 2018 has increased from 1,674,793 in the first half of 2017 to 1,928,432 in the first half of 2018.

The implication is that while ransomware is not currently either the most favored or most successful method of attacking the healthcare industry, the attraction of patient record data is as strong as ever.

"Medical records," explains the report, "are prime targets, as this data is highly prized to support identity theft and financial fraud. Medical records are an attractive commodity on the dark web where they demand high premiums from criminal purchasers."

Cryptonite believes that one of the reasons for the decline in ransomware is general improvements in healthcare security. "Customers have started to add micro-segmentation to networks, as well as specialized software to address ransomware threats. In general, in the largest hospitals, new Zero Trust technologies have been added to the existing mix of defense in depth technologies to expand and harden the defensive perimeters."

However, it suspects that this may be only a temporary respite. "We do believe that ransomware still presents a formidable threat to healthcare and expect new variants, such as AI based malware, to present very difficult challenges to healthcare institutions later in 2018 and into 2019."

At the beginning of 2018, MIT Technology Review published 'Six Cyber Threats to Really Worry About in 2018'. One of these is the weaponization of artificial intelligence. Hackers, it suggested, are "likely to use AI to help design malware that's even better at fooling 'sandboxes', or security programs that try to spot rogue code before it is deployed in companies' systems."

It is the potential weaponization of AI to support ransomware that Cryptonite feels might fuel a resurgence of ransomware attacks over the next year.

In the meantime, Britton White, security & HIPAA compliance advisor at Fortified Health Security, fears that any reported decline in ransomware is likely to give a false sense of optimism -- and potentially lead healthcare organizations to relax their vigilance. "I've not seen anyone address ransomware in their security training and awareness program or disaster recovery plan," he told SecurityWeek. "In the state of Tennessee just two weeks ago, a breach notice was sent out to thousands of people due to a local Memphis organization getting hit with ransomware. Adding to it, they're a business associate to a number of major hospitals in the area, so they had to be notified as well. It's a huge mess."

While the number of ransomware attacks has decreased over last year, the number of breached patient records has grown from 1,767,955 in the second half of 2017 to 1,928,432 in the first half of 2018 -- an increase of 9.08%. "The positive trend in reduction of the use of ransomware is overshadowed by the continued high volume of major attacks," says Cryptonite. "Healthcare insurers, hospitals... and a broad variety of other important health entities such as surgical centers, skilled nursing facilities, urology centers, vision surgical centers, cancer treatment centers, MRI/CT-scan centers and diagnostic laboratories fall victim to these attacks every month."

But White points out that these statistics are official numbers only. "Bottom line is, ransomware continues to be a huge problem for all healthcare organizations. How many healthcare organizations haven't reported being hit with ransomware? I'd imagine they'd prefer to remain off the radar as much as possible," he told SecurityWeek. "Everyone needs to remain vigilant and ensure they have the ability to recover as quickly as possible if/when they get hit."

Rockville, Maryland-based Cryptonite emerged from stealth mode in October 2017. A spin-off of Maryland defense contractor Intelligent Automation (IAI), Cryptonite is led by President and CEO Michael Simon, and Justin Yackoski, CTO and former lead researcher at IAI.


GandCrab: The New King of Ransomware?
19.7.2018 securityweek 
Ransomware

Cryptominers have plateaued, GandCrab is the new king of ransomware, adware -- surprise! -- is as prolific as ever, and VPNFilter might herald a new genre of sophisticated multi-purpose malware. These are some of the conclusions drawn from the Malwarebytes Cybercrime tactics and techniques report for Q2, 2018.

The details come from an analysis (PDF) of the telemetry obtained from the millions of computers using Malwarebytes software. It confirms what has been seen elsewhere: "Ransomware detections dropped this quarter on both the consumer and business sides by 12 and 35 percent, respectively."

This doesn't mean that ransomware has gone away. GandCrab has been the most prolific, partly due to its distribution by the Magnitude exploit kit. A decryptor for GandCrab is available on the NoMoreRansom website, but Malwarebytes warns, "there's always a risk that the latest versions being distributed by various exploit kits have no solution in place."

Other new ransomware families highlighted in the report sit at either end of the sophistication spectrum. Spartacus is simple. Although there is no current decryptor, the report suggests, "Spartacus is the kind of software one expects to find offered on a script kiddie forum. There's no online functionality whatsoever." It adds that, because the RSA public key is embedded in the ransomware, the matching private key is presumably held on the author's server: "Decryption for all victims is possible, should this key ever be leaked."

SamSam resides at the sophisticated end of the spectrum. It has had high profile success at the City of Atlanta and Hancock Health this year. "While SamSam has been around for some time, recent evolutions in the attack vector and methodology have proven novel in their approach and successful for the attackers -- raking in over $1 million this year," comments Malwarebytes. Unlike many other ransomwares, SamSam specifically targets and compromises its victims before encrypting the files.

Many commentators have noted that criminal focus has shifted from ransomware to cryptomining in recent months. Malwarebytes telemetry suggests that cryptomining growth has now flattened. It is already declining in the consumer arena, and the firm expects to see it also decline in business attacks next quarter. It suspects that criminals are not receiving the returns on effort they expected; but warns that growth or decline might depend on whether the value of crypto coins goes up or down. Business detections in Q2 grew by just 5%, while consumer detections fell by 36%.

Adware, always near the top of all malware detections, is on the opposite trajectory. Consumer detections grew by 19% (making it the top consumer threat), while business detections fell by 7% (making it the third most prolific threat).

The fastest-growing threat for both consumers and businesses has been the return of the backdoor, growing by 442% to number three for consumers and by 109% to number four for businesses. Malwarebytes attributes much of this growth to a malware-spreading campaign it refers to as Backdoor.Vools. Since Vools spreads with worm functionality that exploits vulnerable SMB implementations, Malwarebytes expects it to hang around for months to come.

However, it warns, "The primary fear of Vools' capabilities is not due to its mining component or even its use of ETERNALBLUE, but the additional threats that this malware can and will install on the system once cryptomining goes out of fashion. Based on plummeting cryptocurrency values over the last few months, that time is going to come sooner than later."

While backdoors became more popular, spyware dropped in popularity -- at least in business detections. In consumer detections it grew by 32%; but in business detections it fell 41%, dropping from the most detected malware to the fifth most detected. "The top spyware for Q2," notes the report, "was the notorious TrickBot, which added functionality to steal cryptocurrency wallets from its victims." However, Malwarebytes suspects that the fall will continue, and spyware may not be in the top ten threats for business in Q3.

The report reserves particular attention for VPNFilter, "malware that reportedly infected over 500,000 small-office and consumer-grade routers and NAS devices." The FBI has said that Russian government-linked Fancy Bear (APT 28) is responsible for the malware; and although the initial infection vector is unknown, an understanding of its capabilities is growing. It is multi-stage malware that eventually has wide-ranging functionality. Stage 2 can download files, restart devices, copy data, execute programs, kill processes, and set proxies and other configuration parameters.

Stage 3, downloaded by stage 2, establishes a Tor client to send stolen data back to the authors. The malware, notes the report, "is not only capable of harvesting usernames and passwords, but can also change webpages and insert artificial data to deceive users while, at the same time, draining accounts in the shadows. VPNFilter could also be used to perform DDoS attacks or as a catalyst to install other software like coin miners."

Malwarebytes believes that the end of Q2 2018 and the beginning of Q3 is "the cusp of another significant change in the cybercrime world." It believes that cryptomining will continue to decline, but that ransomware will stage a comeback. It expects more activity from exploit kits, but they will not regain their earlier importance. It does, however, expect data-stealing threats to increase. Since GDPR will limit the time for companies to retain the personal information of their customers, criminals will resort to stealing it directly from the customer.

But perhaps most importantly Malwarebytes believes that VPNFilter might spawn copycats that will target widely-used devices -- and "a new age of IoT malware, long predicted, may finally come to pass."

Santa Clara, Silicon Valley-based Malwarebytes raised $50 million in a Series B funding round from Fidelity Management and Research Company in January 2016, bringing the total raised by the firm to $80 million.


Flashpoint Launches Ransomware Response & Readiness Service
19.7.2018 securityweek 
Ransomware

Threat intelligence and research company Flashpoint on Wednesday announced the launch of a new service designed to help organizations prepare and respond to ransomware and other types of cyber extortion incidents.

The new Threat Response & Readiness Subscription is available immediately, both as an extension to Flashpoint’s other business risk intelligence offerings and a standalone service that can be purchased separately. Pricing is customized based on the customer’s requirements for response and readiness engagements.

The readiness part of the service includes ransomware workshops, tabletop exercises (TTX), and pre-negotiated rates and engagement hours. The workshops are designed to educate the customer’s employees on ransomware, including how it works, how organizations can become infected, attacker profiles, and cryptocurrencies.

The TTX involves discussing simulated scenarios, assessing the effectiveness of current response plans, establishing roles and responsibilities, and improving coordination.

As for incident response, Flashpoint provides research on the threat actor launching the attack, engages with the attacker in an effort to determine appropriate mitigations, and even helps the victim acquire cryptocurrency in case they decide to pay the ransom.

“While law enforcement and the security community generally do not recommend that victims pay ransoms or extortion demands, in some cases it is the most reasonable decision, particularly for organizations concerned with the consequences of impermissible downtime and the inaccessibility of critical systems or data,” Tom Hofmann, VP of Threat intelligence at Flashpoint, told SecurityWeek.

“Determining whether or not to pay a ransom or extortion demand is a highly individual and situational decision. Deciding factors generally include available evidence, information, estimated impact, and perhaps most importantly, the estimated validity of the attacker’s claims—in other words, if a payment is made, will the attacker actually unlock or deliver the data?” Hofmann added.

As part of the response service, Flashpoint directly engages with the attacker on behalf of the customer to verify if the threat is real and if the hackers’ claims are credible, determine if the compromised data may be recovered by other means, identify mitigations, and, if necessary, pay the ransom.

Analyzing the threat also involves investigating the digital wallet accepting the ransom or extortion payment, which can provide insight into the validity of the attacker’s claims.

“In some cases, suspected attackers are actually just automated bots attempting to scam victims into paying and have no intention of encrypting or otherwise compromising the victim’s data. If analysis reveals that a unique wallet has not been configured for each unique infection, it is an indicator that the attacker may be less sophisticated, an automated bot could potentially be involved, and further analysis is likely required,” Hofmann explained.
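The wallet check Hofmann describes can be automated in triage. The Python below is an added example, not Flashpoint's tooling: it pulls the Bitcoin address out of each victim's ransom note, validates it as a Base58Check-encoded P2PKH or P2SH address, and reports wallets that more than one infection is pointed at. The ransom notes are constructed, and the addresses in them are derived from made-up 20-byte hashes, so they belong to no one; the fourth note carries a deliberately corrupted address to show the checksum failing.

```python
"""Ransom-note wallet triage: extract, validate (Base58Check) and compare
payment addresses across infections. Added example; sample notes constructed."""
import hashlib
import re

ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_encode(payload):
    """Base58Check: payload || first 4 bytes of SHA256(SHA256(payload))."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n = int.from_bytes(data, "big")
    out = bytearray()
    while n:
        n, rem = divmod(n, 58)
        out.append(ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))     # each leading 0x00 byte -> leading '1'
    return (ALPHABET[:1] * pad + bytes(reversed(out))).decode()


def b58check_decode(s):
    """Inverse of b58check_encode; returns the payload, or None if a character
    is outside the alphabet or the 4-byte checksum does not verify."""
    n = 0
    for ch in s.encode():
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    pad = len(s) - len(s.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def is_valid_btc_address(addr):
    """True for a 21-byte payload whose version byte is 0x00 (P2PKH) or 0x05 (P2SH)."""
    payload = b58check_decode(addr)
    return payload is not None and len(payload) == 21 and payload[0] in (0x00, 0x05)


# Legacy address shape: leading '1' or '3', Base58 alphabet, 26-35 chars total.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def extract_address(note):
    """First syntactically plausible Bitcoin address in a ransom note, or None."""
    m = ADDR_RE.search(note)
    return m.group(0) if m else None


def triage(notes):
    """notes: {victim_id: ransom note text}. Returns the per-victim address,
    the set of addresses that fail Base58Check, and the wallets shared by more
    than one victim (the weak-operator / automated-bot indicator from the text)."""
    by_victim = {v: extract_address(t) for v, t in notes.items()}
    invalid = {a for a in by_victim.values() if a is not None and not is_valid_btc_address(a)}
    owners = {}
    for v, a in by_victim.items():
        if a is not None:
            owners.setdefault(a, []).append(v)
    shared = {a: vs for a, vs in owners.items() if len(vs) > 1}
    return {"by_victim": by_victim, "invalid": invalid, "shared": shared}


# Constructed sample data: two made-up hash160 values become two P2PKH addresses.
HASH_A = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
HASH_B = bytes.fromhex("89abcdef0123456789abcdef0123456789abcdef")
WALLET_A = b58check_encode(b"\x00" + HASH_A)
WALLET_B = b58check_encode(b"\x00" + HASH_B)
BAD_WALLET = WALLET_B[:-1] + ("2" if WALLET_B[-1] != "2" else "3")   # corrupted checksum

SAMPLE_NOTES = {
    "victim-01": f"ALL YOUR FILES ARE ENCRYPTED. Send 0.5 BTC to {WALLET_A} and email us for the key.",
    "victim-02": f"Your documents are locked. Pay 0.5 BTC to wallet {WALLET_A} within 72 hours.",
    "victim-03": f"Pay 1 BTC to {WALLET_B} to receive the decryptor.",
    "victim-04": f"Pay 1 BTC to {BAD_WALLET} to receive the decryptor.",
}

if __name__ == "__main__":
    result = triage(SAMPLE_NOTES)
    for wallet, victims in result["shared"].items():
        print(f"shared wallet {wallet} used for {victims}: likely template/bot campaign")
    for wallet in result["invalid"]:
        print(f"invalid address {wallet}: note is garbled or a scam template")
```

A shared wallet is not proof on its own (some real crews reuse addresses), but combined with an unverifiable claim of encryption it is exactly the case Hofmann describes where further analysis comes before any payment; an address that fails the checksum cannot even receive funds, which settles the question.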

Flashpoint strongly discourages any individual or organization from engaging directly with the threat actor on their own, due to “the inherent difficulties and security risks involved,” Hofmann said.


GandCrab Ransomware Spreads Via NSA Exploit
12.7.2018 securityweek 
Ransomware

GandCrab, a ransomware family that has received numerous updates in recent months, is now attempting to infect Windows XP machines using the NSA-linked EternalBlue exploit.

The malware usually spreads via spam emails, but GandCrab 4, which first emerged earlier this month, is being distributed via compromised websites, Fortinet says. The new version appends the .KRAB extension to the encrypted files.

The new variant also includes an overhaul in terms of code structure, has switched to the Salsa20 stream cipher for data encryption, and also removed some of the older features. More importantly, it no longer requires command and control (C&C) communication to encrypt files.

“For this latest release, we have found numerous infected websites injected with malicious pages. These pages instantly redirect users to a separate page containing the actual download link leading to the GandCrab executable,” Fortinet explains.

Both the malware executable and the download links are being updated regularly, the security researchers say. In fact, within days after version 4 emerged, the ransomware authors released GandCrab 4.1, which has already shown signs of network communication.

More importantly, as security researcher Kevin Beaumont has discovered, the ransomware is also attempting to spread through the National Security Agency’s EternalBlue SMB exploit.

The most interesting aspect of this new capability is the fact that Windows XP and Windows Server 2003 systems too are targeted, along with modern operating systems.

The EternalBlue exploit targets a security bug in Windows’ Server Message Block (SMB) on port 445. The flaws, however, only impact older operating system versions, mainly Windows XP and Windows 7.

The exploit did not previously work on Windows XP out of the box, but that did not stop ransomware such as WannaCry from attempting to spread with it. In fact, numerous malware families have abused the exploit to date, including the NotPetya wiper.

Microsoft patched the vulnerability that EternalBlue targets before the exploit became public, and even pushed an emergency patch for Windows XP to keep users safe from WannaCry.

Thus, as Beaumont points out, the best defense against GandCrab and any malware spreading via EternalBlue is to apply the available patch for all operating systems, including the older Windows XP and Windows Server 2003.

“Many antivirus products have dropped support for Windows XP and 2003, which makes this problematic. You probably want to make sure staff know not to download things from BitTorrent, install unknown software, run keygens, access random USB sticks etc.,” Beaumont notes.


New Rakhni variant could infect systems with either a ransomware or a miner
7.7.2018 securityaffairs
Ransomware

Security researchers at Kaspersky Labs have discovered a new strain of the Rakhni malware that can infect systems with either ransomware or a cryptocurrency miner.
Experts from Kaspersky Labs have discovered a new strain of the Rakhni ransomware family that infects systems with either ransomware or a cryptocurrency miner, depending on the victim machine’s configuration.

“Way back in 2013 our malware analysts spotted the first malicious samples related to the Trojan-Ransom.Win32.Rakhni family.” reads the analysis published by Kaspersky.

“Now the criminals have decided to add a new feature to their creation – a mining capability. In this article we describe a downloader that decides how to infect the victim: with a cryptor or with a miner.”

Rakhni ransomware family

The Rakhni malware is being spread via spear-phishing messages carrying a weaponized MS Word file as an attachment.

Once the victim opens the document, it prompts them to save it and enable editing. The document contains a PDF icon that, if clicked, launches a malicious executable, which immediately displays a fake error message box.

The message informs the victim that it is impossible to open the PDF file because a system file is missing.

In the background, the Rakhni malware performs anti-VM and anti-sandbox checks to determine whether it is possible to infect the system. If so, it performs further checks to decide whether to deliver ransomware or a cryptocurrency miner.

“The decision to download the cryptor or the miner depends on the presence of the folder %AppData%\Bitcoin. If the folder exists, the downloader decides to download the cryptor.” continues the analysis.
“If the folder doesn’t exist and the machine has more than two logical processors, the miner will be downloaded. If there’s no folder and just one logical processor, the downloader jumps to its worm component, which is described below in the corresponding part of the article.”
If the target system has a ‘Bitcoin’ folder under AppData, the malware first terminates all processes that match a predefined list of popular applications, then encrypts files with the RSA-1024 encryption algorithm and finally displays a ransom note via a text file.

If the ‘Bitcoin’ folder doesn’t exist and the machine has more than two logical processors, the malware drops the MinerGate utility to mine Monero (XMR), Monero Original (XMO) and Dashcoin (DSH) cryptocurrencies in the background.

This variant of the Rakhni malware installs a root certificate stored in its resources, and every executable it downloads is signed with that certificate. Experts found fake certificates claiming to have been issued by Microsoft Corporation and Adobe Systems Incorporated; the malware uses the CertMgr.exe utility to install them in an attempt to disguise the miner as a trusted process.

If the infected system doesn’t have a ‘Bitcoin’ folder and has only a single logical processor, the malware activates the worm component that allows the malicious code to spread among all the computers in the local network using shared resources.

“As one of its last actions the downloader tries to copy itself to all the computers in the local network. To do so, it calls the system command ‘net view /all’ which will return all the shares and then the Trojan creates the list.log file containing the names of computers with shared resources,” the researchers report.

“For each computer listed in the file the Trojan checks if the folder Users is shared and, if so, the malware copies itself to the folder \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup of each accessible user.”
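The propagation step just quoted leaves a recognisable footprint for defenders: the same binary appearing in the Startup folder of several users on the same machine. The following Python audit script is an added example, not Kaspersky’s code and not part of Rakhni; it walks the per-user Startup path named in the analysis, hashes every executable it finds, and reports hashes replicated across users. The users tree, file names and file contents are constructed for the demonstration, and the extension list is an assumption to tune per environment.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Per-user Startup folder, relative to the user's profile directory; this is
# the path the analysis quoted above says the worm component writes to.
STARTUP_SUBPATH = os.path.join(
    "AppData", "Roaming", "Microsoft", "Windows",
    "Start Menu", "Programs", "Startup",
)

# Extensions treated as executable content in a Startup folder (assumption:
# tune to the environment being audited).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def sha256_of(path):
    """SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_startup_folders(users_root):
    """Map sha256 -> [(user, path), ...] for every executable found in a
    per-user Startup folder below users_root (on Windows: C:\\Users)."""
    found = defaultdict(list)
    for user in sorted(os.listdir(users_root)):
        startup = os.path.join(users_root, user, STARTUP_SUBPATH)
        if not os.path.isdir(startup):
            continue
        for name in sorted(os.listdir(startup)):
            full = os.path.join(startup, name)
            if not os.path.isfile(full):
                continue
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                found[sha256_of(full)].append((user, full))
    return dict(found)


def replicated_binaries(found, min_users=2):
    """Hashes present in the Startup folder of at least min_users distinct
    users: the footprint of a worm that copies itself to every accessible
    user. Returns sha256 -> sorted list of user names."""
    result = {}
    for digest, hits in found.items():
        users = sorted({user for user, _ in hits})
        if len(users) >= min_users:
            result[digest] = users
    return result


def build_constructed_sample(root):
    """Constructed users tree for the demo: one binary replicated to two
    users' Startup folders, a different binary for a third, plus a
    non-executable file that must be ignored."""
    replicated = b"MZ constructed sample, identical across users"
    single = b"MZ constructed sample, one user only"
    layout = {
        "alice": [("updater.exe", replicated)],
        "bob": [("updater.exe", replicated), ("readme.txt", b"not executable")],
        "carol": [("Tool.EXE", single)],
    }
    for user, files in layout.items():
        startup = os.path.join(root, user, STARTUP_SUBPATH)
        os.makedirs(startup)
        for name, content in files:
            with open(os.path.join(startup, name), "wb") as fh:
                fh.write(content)


def demo():
    """Run the audit over the constructed tree; returns (number of distinct
    executable hashes found, {hash: users} for the replicated ones)."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_sample(root)
        found = scan_startup_folders(root)
        return len(found), replicated_binaries(found)


if __name__ == "__main__":
    count, replicated = demo()
    print(f"{count} distinct executables in Startup folders")
    for digest, users in replicated.items():
        print(f"replicated: {digest[:16]}... present for users {users}")
```

On a real host, call `scan_startup_folders(r"C:\Users")` instead of the constructed tree; a hash replicated across users is a strong lead but not proof, since legitimate deployment tools can place the same launcher for every user, so follow up with the file’s signer and origin.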

The experts also noticed that the malware implements spyware capabilities.

Most of the infections are in Russia (95.5%); other infected systems are in Kazakhstan (1.36%), Ukraine (0.57%), Germany (0.49%) and India (0.41%).

Further details including the IoCs are reported in the analysis published by Kaspersky.


The GandCrab ransomware V4 appears in the threat landscape
4.7.2018 securityaffairs
Ransomware

A new variant of the infamous GandCrab ransomware, V4, was released during the weekend; experts shared details of the threat.
A new version of the dreaded GandCrab ransomware (V4) was released during the weekend and according to the experts it included numerous changes.

Fly
@china591
New #GandCrab version "V4" GANDCRAB V4 Ransomware – Remove and Restore .KRAB Encrypted Files

Fly
@china591
Replying to @malwrhunterteam and 2 others
https://www.virustotal.com/#/file/ef7b107c93e6d605a618fee82d5aeb2b32e3265999f332f624920911aabe1f23/detection …https://app.any.run/tasks/daa35edf-94dc-416b-a7b1-fd45b6900c43 …

MD5: 97a910c50171124f2cd8cfc7a4f2fa4f
SHA-1: 3737d782cb64fa92d2c42f3c2857ee2295dc8aa4
Authentihash: d64152842b2b787a86bb5dd2084ae40efd9914df8a880eb242f67ce5447a46f6

10:29 AM - Jul 3, 2018
The GandCrab ransomware V4 uses a different encryption algorithm (likely the Salsa20 stream cipher) and a new TOR payment site (gandcrabmfe6mnef.onion); it appends the “.KRAB” extension to the names of encrypted files and uses a new ransom note name.

GandCrab ransomware V4

Marcelo Rivero
@MarceloRivero
· 3 Jul
#GandCrab #v4 🦀🆕
[+] Extension: ".KRAB"
[+] Internal version: 4.0
[+] Note: KRAB-DECRYPT.txt
[+] Tor: gandcrabmfe6mnef[.]onion
[-] No more wallpaper routine and no C2C.https://beta.virusbay.io/sample/browse/97a910c50171124f2cd8cfc7a4f2fa4f … pic.twitter.com/dvw604AKBG

Marcelo Rivero
@MarceloRivero
#GandCrab V4 internal version: 4.0 - seems to use now #Salsa20 stream cipher 🧐 pic.twitter.com/Op01bBC50g

4:42 AM - Jul 3, 2018
The GandCrab authors left a message in the code for the computer science professor at the University of Illinois at Chicago Daniel J. Bernstein who created the Salsa20 algorithm.

@hashbreaker Daniel J. Bernstein let's dance salsa <3
According to the malware researcher Fly, the GandCrab ransomware V4 is currently being distributed through fake software crack sites.

“The ransomware distributors will hack legitimate sites and setup fake blogs that offer software crack downloads. When a user downloads and runs these cracks, they will install the GandCrab Ransomware onto the computer.” wrote Lawrence Abrams from Bleeping Computer.

Like previous variants, when GandCrab ransomware V4 is executed it will scan the computer and network shares for files to encrypt.

Abrams added that this variant enumerates all shares on the network, not just mapped drives. Once it has encrypted the files, the ransomware creates ransom notes named KRAB-DECRYPT.txt that include payment instructions. The ransom amount is currently $1,200 USD worth of DASH (DSH) cryptocurrency.

GandCrab ransomware V4

The TOR payment site includes a support section where victims can send messages to the developers and request to decrypt one file for free as the proof of their abilities.

The bad news is that, at this time, victims of GandCrab ransomware v4 cannot decrypt their files for free.


Ransomware and malicious crypto miners in 2016-2018
4.7.2018 Kaspersky
Ransomware
KSN Report: Ransomware and malicious cryptominers 2016-2018

Ransomware is not an unfamiliar threat. For the last few years it has been affecting the world of cybersecurity, infecting and blocking access to various devices or files and requiring users to pay a ransom (usually in Bitcoins or another widely used e-currency), if they want to regain access to their files and devices.

The term ransomware covers two main types of malware: so-called window blockers (which block the OS or browser with a pop-up window) and cryptors (which encrypt the user’s data). The term also encompasses select groups of Trojan-downloaders, namely those that tend to download encryption ransomware once a PC is infected.

Kaspersky Lab has a tradition of reporting on the evolution of ransomware – and you can find previous reports on the threat here and here.

This year, however, we came across a huge obstacle in continuing this tradition. We have found that ransomware is rapidly vanishing, and that cryptocurrency mining is starting to take its place.

The architecture of cryptocurrencies assumes that, in addition to purchasing cryptocurrency, a user can create a new currency unit (or coin) by harnessing the computational power of machines that have specialized ‘mining’ software installed on them.

Cryptocurrency mining is the process of creating these coins – it happens when various cryptocurrency transactions are verified and added to the digital blockchain ledger. The blockchain, in its turn, is a chain of successive blocks holding recorded transactions such as who has transferred bitcoins, how many, and to whom. All participants in the cryptocurrency network store the entire chain of blocks with details of all of the transactions that have ever been made, and participants continuously add new blocks to the end of the chain.

Those who add new blocks are called miners, and in the Bitcoin world, as a reward for each new block, its creator currently receives 12.5 Bitcoins. That’s approximately $30,000 according to the exchange rate on July 1, 2017. You can find out more about the mining process here.

Given the above, this report will examine what is hopefully ransomware’s last breath, in detail, along with the rise of mining. The report covers the period April 2017 to March 2018, and compares it with April 2016 – March 2017.

Main findings
The total number of users who encountered ransomware fell by almost 30%, from 2,581,026 in 2016-2017 to 1,811,937 in 2017-2018;
The proportion of users who encountered ransomware at least once out of the total number of users who encountered malware fell by around 1 percentage point, from 3.88% in 2016-2017 to 2.80% in 2017-2018;
Among those who encountered ransomware, the proportion who encountered cryptors fell by around 3 percentage points, from 44.6% in 2016-2017 to 41.5% in 2017-2018;
The number of users attacked with cryptors almost halved, from 1,152,299 in 2016-2017 to 751,606 in 2017-2018;
The number of users attacked with mobile ransomware fell by 22.5% from 130,232 in 2016-2017 to 100,868 in 2017-2018;
The total number of users who encountered miners rose by almost 44.5% from 1,899,236 in 2016-2017 to 2,735,611 in 2017-2018;
The share of miners detected, from the overall number of threats detected, also grew from almost 3% in 2016-2017 to over 4% in 2017-2018;
The share of miners detected, from overall risk tool detections, is also on the rise – from over 5% in 2016-2017 to almost 8% in 2017-2018;
The total number of users who encountered mobile miners also increased – but at a steadier pace, growing by 9.5% from 4,505 in 2016-2017 to 4,931 in 2017-2018.


Free Thanatos Ransomware Decryptor Released
28.6.2018 securityweek
Ransomware

Cisco’s Talos team this week announced the availability of a free decryption tool to help victims of the Thanatos ransomware recover their files without paying the ransom.

Analysis of the threat has revealed a large number of Thanatos iterations being used by attackers, which led Talos to the conclusion that the malware is being actively developed. Unlike other ransomware families, which use Bitcoin, Thanatos asks victims to pay the ransom in the form of Bitcoin Cash (BCH), Zcash (ZEC), Ethereum (ETH) and others.

Cisco’s Talos researchers also discovered a series of issues with the malware’s encryption process, which prevents the attacker from successfully returning the data to the victim, even if the ransom was paid. “In some cases, this is intentional on the part of the distributor,” Talos reports.

Differences between the various versions of the malware are mainly observed in the ransom note, which was initially primitive, saved on the desktop as README.txt. It would only inform the victim that their files had been encrypted and demanded a payment be made to a specific Bitcoin address, the same for all victims. Apparently, payment processing was made manually and was email-based.

The next version already added support for more crypto-currencies the victims could pay the ransom with. In addition to offering support for BTC, ETH, and BCH, that malware variant also included a unique MachineID in the ransom note, and instructed victims to send it to the attacker (via email).

The investigation into the various Thanatos ransomware iterations also revealed that, at least in one particular case, the attacker “had no intention of providing any sort of data decryption to the victim,” the security researchers say. The malware was being distributed as attachments to chat messages sent via Discord.

The ransom note delivered to victims as part of that attack would inform them that decryption was not available, which clearly suggested the actor was not financially motivated, but rather interested in destroying data on the victim's system.

Once executed on the victim system, the malware copies itself into a subdirectory within %APPDATA%/Roaming. It also scans the following directories to identify files to encrypt: Desktop, Documents, Downloads, Favourites, Music, OneDrive, Pictures, and Videos.

The ransomware can encrypt all files in the target directories, and the security researchers observed it discarding the encryption key after encrypting users’ files (which now have the .THANATOS extension). Because of that, the attackers can’t provide access to the decrypted data, even if a ransom demand is paid.

The encryption keys used to encrypt files on victims' systems are derived from the number of milliseconds since the system last booted. Because these keys are 32 bits and can store up to 49.7 days' worth of milliseconds, which is much higher than the average amount of uptime on many systems, “this makes brute-forcing the key values significantly cheaper from a time perspective,” Talos says.

Furthermore, because the system uptime is written to the Windows Event Log roughly once per day, “the key search space can be further reduced to approximately the number of milliseconds within the 24-hour period leading up to the infection,” the researchers note. Thus, successfully recovering the encryption key would take roughly 14 minutes.

Talos’ newly released decryption utility works with versions 1 and 1.1 of the Thanatos ransomware and on all currently known Thanatos samples the security firm has observed. Victims are advised to execute the decryptor “on the original machine that was infected and against the original encrypted files that the malware created.”

At the moment, the utility can only decrypt .gif, .tif, .tiff, .jpg, .jpeg, .png, .mpg, .mpeg, .mp4, .avi, .wav, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf, .zip, .7z, .vmdk, .psd, and .lnk file types. To decrypt files, users need to download ThanatosDecryptor and execute the .exe file in the release directory.


Talos releases ThanatosDecryptor, a free Thanatos Ransomware decryptor
28.6.2018 securityaffairs
Ransomware

Experts from Cisco’s Talos team released a free decryption tool for the Thanatos ransomware to recover the files without paying the ransom.
The Thanatos ransomware first appeared in the threat landscape in February when it was discovered by researchers at the MalwareHunterTeam.

The experts from Talos believe the malware is being actively developed; it was being distributed as attachments to chat messages sent via Discord.

When the malware encrypts files it appends the .THANATOS extension to them. Once the encryption is completed, the malware connects to a specific URL to report the infection.

The Thanatos ransomware is the first ransomware to accept Bitcoin Cash payments, along with Bitcoin and Ethereum.

At the time of its discovery, experts from Talos found a series of issues with the encryption process that make it impossible for the attackers to successfully return the data to the victim.

The experts observed several variants of the malware. The first ones used the same Bitcoin address for all victims, and payment processing was manual: victims were instructed to send an email to the crooks.

Thanatos ransomware

The next version implemented the support for more crypto-currencies for the payment processing and included a unique MachineID in the ransom note to distinguish each infection. Victims were instructed to send the MachineID to the attacker via email.

The experts also found at least one sample that informed victims that decryption was not available, likely because the malware was used for sabotage.

Once executed on the victim’s machine, the malicious code copies itself into a subdirectory within %APPDATA%/Roaming, then it scans the system for files to encrypt searching them in the Desktop, Documents, Downloads, Favourites, Music, OneDrive, Pictures, and Videos folders.

The encryption keys are derived from the number of milliseconds since the system last booted, but experts noticed that the keys are 32 bits and can store up to 49.7 days’ worth of milliseconds.

The researchers pointed out that 49.7 days is much longer than the average uptime of many systems, which makes a brute-force attack easier.

“This value is a 32-bit number, meaning that the encryption key is effectively 32 bits as well. Additionally, the maximum number of milliseconds that can be stored in a 32-bit value is roughly 49.7 days’ worth, which is higher than the average amount of uptime on many systems due to patch installation, system reboots, and other factors.” states the analysis published by Cisco Talos. “This makes brute-forcing the key values significantly cheaper from a time perspective.”

“Another optimization can be made based on the fact that the system uptime is written to the Windows Event Log roughly once per day. Since Thanatos does not modify the file creation dates on encrypted files, the key search space can be further reduced to approximately the number of milliseconds within the 24-hour period leading up to the infection. At an average of 100,000 brute-force attempts per second (which was the baseline in a virtual machine used for testing), it would take roughly 14 minutes to successfully recover the encryption key in these conditions.”

Summarizing, the process of recovering the encryption key would take roughly 14 minutes.
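To make the arithmetic and the recovery strategy above concrete, here is an added Python example; it is not Talos’s ThanatosDecryptor and does not reproduce the malware’s real key derivation, which the articles do not describe. It models a toy cipher whose only secret is a 32-bit millisecond uptime value, carries through the 49.7-day and 14-minute figures quoted from Talos, narrows the search window the way the analysis does (last daily uptime log entry up to the encrypted file’s creation time), and recovers the key by known plaintext, recognising the right candidate by the file’s expected header. The hash-based KDF and keystream, the file-header table, the uptime values and the 100,000 attempts/s rate are assumptions or constructed inputs.

```python
import hashlib
import struct

MS_PER_DAY = 24 * 60 * 60 * 1000  # 86,400,000 ms


def key_space_days(bits=32):
    """Days of uptime a bits-wide millisecond counter can represent
    (32 bits -> about 49.7 days, the figure Talos cites)."""
    return (2 ** bits) / MS_PER_DAY


def brute_force_seconds(window_ms, attempts_per_second):
    """Worst-case time to try every uptime value in a window
    (one day at 100,000 attempts/s -> 864 s, roughly 14 minutes)."""
    return window_ms / attempts_per_second


def search_window(last_logged_uptime_ms, file_created_uptime_ms):
    """Candidate uptimes: from the last daily uptime entry in the event log
    up to the creation time of the encrypted file (the malware leaves file
    creation dates untouched), capped at one day. Both inputs are expressed
    as milliseconds since boot (assumption: the log entry precedes the file)."""
    hi = min(file_created_uptime_ms, last_logged_uptime_ms + MS_PER_DAY)
    return last_logged_uptime_ms, hi


def derive_key(uptime_ms):
    """Hypothetical KDF standing in for the malware's own: whatever the
    derivation, the only secret is the 32-bit uptime value."""
    return hashlib.sha256(struct.pack("<I", uptime_ms & 0xFFFFFFFF)).digest()


def keystream(key, length):
    """Toy hash-counter keystream (constructed for the example)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("<Q", block)).digest()
        block += 1
    return bytes(out[:length])


def toy_crypt(data, uptime_ms):
    """XOR with the keystream; symmetric, so it both encrypts and decrypts."""
    stream = keystream(derive_key(uptime_ms), len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


# Known plaintext: the fixed headers of common file types (a few entries).
FILE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
}


def recover_uptime(ciphertext, magic, window):
    """Try every uptime in the window, decrypting only len(magic) bytes and
    comparing with the expected header. Returns the uptime or None."""
    lo, hi = window
    head = ciphertext[: len(magic)]
    for candidate in range(lo, hi + 1):
        if toy_crypt(head, candidate) == magic:
            return candidate
    return None


def demo():
    """Encrypt a constructed PNG with a constructed uptime, then recover the
    uptime from a constructed 20-second window and decrypt the file."""
    uptime_at_infection = 3_012_345                    # constructed, ms
    plaintext = FILE_MAGIC[".png"] + b"constructed image body"
    encrypted = toy_crypt(plaintext, uptime_at_infection)
    window = search_window(3_000_000, 3_020_000)       # constructed bounds
    found = recover_uptime(encrypted, FILE_MAGIC[".png"], window)
    recovered_ok = found is not None and toy_crypt(encrypted, found) == plaintext
    return found, recovered_ok


if __name__ == "__main__":
    print(f"32-bit ms counter covers {key_space_days():.1f} days")
    print(f"one day at 100,000/s: {brute_force_seconds(MS_PER_DAY, 100_000) / 60:.1f} min")
    print("recovered uptime, decrypted OK:", demo())
```

Decrypting only the first few bytes per candidate is what keeps the search cheap; the full file is decrypted once, after the header matches. The same reasoning explains why Talos asks for the decryptor to be run on the original infected machine against the original encrypted files: the event log and the file creation timestamps are what bound the window.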

The tool released by Talos only works with versions 1 and 1.1 of the Thanatos ransomware and on all current samples of the ransomware analyzed by the experts.

“Note: In order to decrypt files as quickly as possible, ThanatosDecryptor should be executed on the original machine that was infected and against the original encrypted files that the malware created.” concludes Talos.

The ThanatosDecryptor can be downloaded here.


WannaSpam – Beware messages from WannaCry-Hack-Team, it is the last hoax
25.6.2018 securityaffairs
Spam  Ransomware

WannaSpam – Many users have received a mysterious message that claims their PC was infected by WannaCry Ransomware. Crooks ask victims to pay a ransom, but it’s a scam.
Many users have received a mysterious message from a group that called itself the “WannaCry-Hack-Team” that claims that WannaCry Ransomware has returned.

The mail informs the recipients that their computer has been infected and asks them to pay a ransom to avoid having their files deleted.

WannaSpam

This is a classic spam campaign that leverages the notoriety of the WannaCry ransomware; for this reason, experts track it as WannaSpam.

The recipient’s computer is not infected so they only need to ignore the message and delete it.

On Reddit, users reported having received WannaSpam messages; the emails use different subjects to trick victims into paying the ransom.

Some of the subjects used are “!!!Attantion WannaCry!!!”, “!!!WannaCry-Team Attantion!!!”, “Attantion WannaCry”, “WannaCry Attantion!”, or “WannaCry-Team Attantion!!!”.

Experts noticed a typo error in the word “Attention” that is reported in the email messages as “Attantion”.

The spammers ask victims to pay a 0.1 bitcoin ransom; once the payment is made, victims are instructed to send an email to support_wc@bitmessage.ch.
If the recipients do not pay the ransom, the message claims, their data will be deleted in 24 hours.

The expert Lawrence Abrams from BleepingComputer that reported the news also published a number of bitcoin addresses used by crooks behind WannaSpam campaign.

Below are some of the bitcoin addresses used by the crooks:

1Mvz5SVStiE6M7pdvUk9fstDn1vp4fpCEg
16Tq8gaad5FJ3c6mrC86e1pmqQ666dYSvv
13AEiPcnqHRRwbJRUsPLbcgX3roTTPGSMu
15TxgGK5AMvdeupbcKbk3g36zctnS9ThnU
1FXZ9yoagBMnnrkZscQzKnC2hkgX5uDgUR
The good news is that, at the time of writing, no users appear to have been deceived by WannaSpam; in any case, it is very important to spread the news of this new malicious campaign.

Below an example of WannaSpam message:

From: WannaCry-Hack-team [redacted]
Sent: 21 June 2018 10:36
To: [REDACTED]
Subject: WannaCry Attantion!

Hello! WannaCry returned! All your devices were cracked with our program installed on them. We have made improvements for operation of our program, so you will not be able to regain the data after the attack.

All the information will be encrypted and then erased. Antivirus software will not be able to detect our program, while firewalls will be impotent against our one-of-a-kind code.

Should your files be encrypted, you will lose them forever.

Our program also outspreads through the local network, erasing data on all computers connected to the network and remote servers, all cloud-stored data, and freezing website operation. We have already deployed our program on your devices.

Deletion of your data will take place on June 22, 2018, at 5:00 - 10:00 PM. All data stored on your computers, servers, and mobile devices will be destroyed. Devices working on any version of Windows, iOS, macOS, Android, and Linux are subject to data erasion.

In order to ensure against data demolition, you can pay 0.1 BTC (~$650) to the bitcoin wallet:1Mvz5SVStiE6M7pdvUk9fstDn1vp4fpCEg

You must pay in due time and notify us about the payment via email until 5:00 PM on June 22, 2018. After payment confirmation, we will send you instructions on how to avoid data erasion and such situations in future. In case you try to delete our program yourself, data erasion will commence immediately.

To pay with bitcoins, please use localbitcoins.com or other similar services, or just google for other means. After payment write to us: support_wc@bitmessage.ch

If you receive a WannaSpam email, delete it!
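The campaign has fixed indicators that a mail gateway or a triage script can key on: the “Attantion” misspelling next to “WannaCry” in the subject, the wallet addresses listed above, and the contact mailbox. The following Python classifier is an added example, not code from BleepingComputer or Security Affairs; it runs those checks over three constructed sample messages (one modelled on the hoax text above, one variant with a neutral subject, one legitimate newsletter that mentions WannaCry with the correct spelling). The address regex only captures the shape of legacy base58 bitcoin addresses and is an assumption for extraction, not validation.

```python
import re

# Wallet addresses the article above lists for the campaign.
WANNASPAM_WALLETS = {
    "1Mvz5SVStiE6M7pdvUk9fstDn1vp4fpCEg",
    "16Tq8gaad5FJ3c6mrC86e1pmqQ666dYSvv",
    "13AEiPcnqHRRwbJRUsPLbcgX3roTTPGSMu",
    "15TxgGK5AMvdeupbcKbk3g36zctnS9ThnU",
    "1FXZ9yoagBMnnrkZscQzKnC2hkgX5uDgUR",
}
WANNASPAM_CONTACT = "support_wc@bitmessage.ch"

# The campaign's own fingerprint: "WannaCry" together with the misspelling
# "Attantion" in the subject line (either order).
SUBJECT_RE = re.compile(r"wannacry.*attantion|attantion.*wannacry", re.IGNORECASE)
# Shape of a legacy (P2PKH/P2SH, base58) bitcoin address, for extraction only.
BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def classify(subject, body):
    """Return the list of reasons a message matches the WannaSpam campaign;
    an empty list means no match."""
    reasons = []
    if SUBJECT_RE.search(subject):
        reasons.append("subject: WannaCry + 'Attantion' misspelling")
    wallets = set(BTC_ADDRESS_RE.findall(body)) & WANNASPAM_WALLETS
    if wallets:
        reasons.append("known campaign wallet: " + ", ".join(sorted(wallets)))
    if WANNASPAM_CONTACT in body.lower():
        reasons.append("campaign contact address in body")
    return reasons


# Constructed sample messages (not real mail).
SAMPLES = [
    {
        "id": "hoax-1",
        "subject": "WannaCry Attantion!",
        "body": "Hello! WannaCry returned! ... pay 0.1 BTC to the bitcoin wallet:"
                "1Mvz5SVStiE6M7pdvUk9fstDn1vp4fpCEg\nAfter payment write to us: "
                "support_wc@bitmessage.ch",
    },
    {
        "id": "hoax-2",
        "subject": "Urgent notice",
        "body": "Your devices were cracked. Send 0.1 BTC to "
                "16Tq8gaad5FJ3c6mrC86e1pmqQ666dYSvv within 24 hours.",
    },
    {
        "id": "newsletter",
        "subject": "Weekly digest: WannaCry one year on, attention to patching",
        "body": "Keeping SMB patched remains the most important defence.",
    },
]


def triage(messages=SAMPLES):
    """Run classify over a batch; returns [(id, reasons), ...]."""
    return [(m["id"], classify(m["subject"], m["body"])) for m in messages]


if __name__ == "__main__":
    for msg_id, reasons in triage():
        verdict = "WannaSpam" if reasons else "clean"
        print(f"{msg_id}: {verdict} {reasons}")
```

The wallet set is the durable indicator: subject lines and wording change between waves, while the addresses stay tied to the campaign until the operators rotate them, so keep that set updated from the published reporting rather than the regex.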


Experts released a free decryptor for Everbe Ransomware
15.6.2018 securityaffairs
Ransomware   

Researchers have released a decryptor tool that could be used by victims of the Everbe Ransomware to decrypt their files for free.
Good news for the victims of the Everbe Ransomware, the popular malware researchers Michael Gillespie and Maxime Meignan have released a decryptor that could be used by victims to decrypt their files for free.

The Everbe Ransomware encrypts files and appends the .[everbe@airmail.cc].everbe, .embrace, or .pain extension to the encrypted file’s name.

In order to decrypt the files, victims need to have an unencrypted version of an encrypted file, then they can use them to brute force the decryption key.

When the malware infects a machine, it drops a ransom note in each folder containing encrypted files. The note, titled !=How_recovery_files=!.txt, contains the instructions to start the payment process: victims must send an email to everbe@airmail.cc for payment instructions.
Everbe Ransomware
Source Bleeping Computer

Now victims can use the InsaneCrypt Decryptor to restore their files: they have to select the menu item “Settings” and choose “Bruteforcer”.

In order to decrypt the files, it is necessary to provide the tool both encrypted and unencrypted versions of the files.

Everbe Ransomware
Source Bleeping Computer

Once the process completes, the decryptor will have found the decryption key, which the tool then uses to restore the files.

When the decryption process has finished, the decryptor will display a summary of the total amount of files that have been decrypted.

“Though your files are now decrypted, the original encrypted files will still be on your computer. Once you confirm that your files have been properly decrypted, you can use CryptoSearch to move all the encrypted files into one folder so you can delete or archive them.” explained Lawrence Abrams from BleepingComputer.com.


Atlanta Says Further $9.5 Million Needed for Ransomware Recovery
8.6.2018 securityweek
Ransomware

Atlanta Ransomware Attack Was Far More Serious Than Originally Thought and Even Wiped Out the Police Dash-cam Recordings Archive

The City of Atlanta was struck by SamSam ransomware in March 2018. The ransom was set at $51,000 (in Bitcoin); but is believed not to have been paid. At that time, it was thought that some customer-facing applications and some internal services had been disrupted; but that no critical services had been affected.

One month later, it was reported that the cost of recovery from the attack had already reached nearly $3 million, and the city had not yet fully recovered.

Exactly what happened at Atlanta will not be known -- if it ever is -- until the work of the forensic investigators is complete. It is known, however, that the SamSam actors typically target their victims, gain access to the infrastructure, and interfere with processes before encrypting files. Hancock Health was hit by SamSam in January 2018. It paid the ransom, but a few days later, CEO Steve Long reported, "Though the electronic medical record backup files had not been touched, the core components of the backup files from all other systems had been purposefully and permanently corrupted by the hackers."

On Wednesday this week, Atlanta information management head Daphne Rackley told the City Council that the Atlanta ransomware attack was far more serious than originally thought. More than one-third of the 424 software programs used by the city remain off-line or at least partially disabled -- and almost 30% of those are considered 'critical'.

City attorney Nina Hickson, for example, said her office had lost more than 70 of its 77 computers and ten years of legal documents. Police Chief Erika Shields told local television news station WSB-TV 2 that the hack irretrievably wiped out the police dash-cam recordings archive.

The Atlanta City Council is preparing to vote on the fiscal budget 2019, and must do so by the end of the month. It has now been told by Rackley that her department is likely to require an additional $9.5 million over the coming year because of the ransomware.

The Atlanta incident is a wake-up call that highlights the ransom quandary. Paying the ransom feeds the criminal activity, puts a target on the victim's back for other criminals, and does not guarantee receipt of decryption keys. Not paying, however, will inevitably lead to recovery costs that could, for the unprepared, be extreme.

Atlanta seems to have been particularly unprepared. "I think that the true problem is not ransomware," comments Ilia Kolochenko, CEO of High-Tech Bridge. "The problem is unreliable, overcomplicated and insecure-by-design IT architecture. Segregation of duties, data and network access control, proper segmentation, daily backup, desktop hardening, anomaly detection -- are, de facto, a must-have in any modern company or governmental entity. Apparently, none were in place."

Effective disaster recovery and back-up systems can be particularly effective against extortion attacks. "Being able to easily and quickly recover data, like the dash-cam footage, from mere seconds before it was lost or disrupted can save an organization time, money and many other types of damage," says Gijsbert Janssen Van Doorn, technology evangelist at Zerto.

The Barnstable Police Department is a case in point. The small town Police Department on Massachusetts' Cape Cod was hit by ransomware in 2016 -- but an effective disaster recovery system meant the ransomware was mitigated and eradicated with a maximum downtime of less than 40 minutes, and no more than 2 minutes of lost data.

"Atlanta is now just another case study on what best practices need to be in place to protect an organization's CyberPosture," comments Mukul Kumar, CISO and VP of cyber practice at Cavirin. "They're already talking about direct costs in the tens of millions, but the indirect costs and other impacts are potentially much greater." The cost of prevention is inevitably less than the cost of cure.

Atlanta also demonstrates a dangerous escalation. A city is not merely an organization, it is part of the critical infrastructure. "The reality is that these are more lucrative targets than credit cards and people's identities when you look at it from an attacker perspective," warns Rishi Bhargava, co-founder at Demisto. "Attacks on cities, and our infrastructure, are like terrorist attacks and cities and governments will be willing to pay." He believes they must not.

The terrorist analogy is not lost on Kolochenko. This attack, he suggests, was "likely driven by a trivial itch for gain, but what would the outcome be if the attackers were a nation-state group? They can cause tremendous damage to the city, its infrastructure and citizens. I think the IT companies responsible for maintenance of the Atlanta critical IT infrastructure can be liable for negligence. Someone should be accountable for this."


'RedEye' Ransomware Destroys Files, Rewrites MBR
7.6.2018 securityweek
Ransomware

A newly discovered piece of ransomware appears mainly created to destroy the victim’s files instead of encrypting and holding them for ransom.

Dubbed RedEye, the malware appears to be the creation of the developer behind the Annabelle ransomware, who also claims to have made the JigSaw ransomware that first emerged a couple of years back (Cisco says the individual might be responsible for several other families as well).

Like Annabelle and JigSaw, RedEye’s destructive nature makes it stand out in the crowd. While the vast majority of ransomware families out there have been created with the purpose of generating revenue for their authors and operators, RedEye would gladly destroy users’ files even if there’s no financial gain in it.

The new threat, which Bart Blaze discovered, has a large file size of 35.0 MB. This is the result of several media files (images and audio files) being embedded in the binary. Among these are three .wav files (child.wav, redeye.wav, and suicide.wav) meant to play a creepy sound intended to scare the victim.

The malware author also used ConfuserEx and compression, along with a few other tricks, to protect the binary. A second binary was also embedded in the file, capable of replacing the MBR (Master Boot Record).

Once it has infected a computer, the ransomware performs a series of actions to make removal a difficult process. The threat disables task manager and also hides the victim machine’s drives.

RedEye then displays a ransom note informing victims that their files have been encrypted using AES256 and that they should access an .onion website and pay 0.1 Bitcoins to a specified address. This would supposedly result in a decryption key being delivered to them.

The victim is required to pay the ransom in 4 days, and the malware claims to be able to “fully destroy” the computer after that period of time is over.

Options available in the ransomware include the possibility to view encrypted files and decrypt them, get support, and “destroy PC.”

If the last option is selected, a GIF is displayed in the background, with an option to proceed with the operation (a "Do it" button) and another to close the image. If “Do it” is selected, the same as when the 4-day window is over, the malware reboots the machine and replaces the MBR.

Thus, when the victim powers on the system, they are greeted with a message informing them that “RedEye terminated their computer.” The malware author signed the message with the “iCoreX” handle.

Blaze also notes that, despite claiming to have securely encrypted files with AES256, RedEye appears to actually “overwrite or fill files with 0 bytes,” thus rendering them useless. The malware also appends the .RedEye extension to the affected files.

“While it appears that the RedEye ransomware has even more tricks up its sleeve than its predecessor Annabelle, the same conclusion holds true: do not pay the ransomware. As for the actual purpose of the ransomware: it may be considered a ransomware of the wiper kind, however, it appears the author likes to showcase his or her skill,” Blaze concludes.


The author of the Sigrun Ransomware decrypts Russian victims’ files for free
6.6.2018 securityaffairs
Ransomware

The author of the Sigrun Ransomware is providing the decryption key to Russian victims for free, while all other victims have to pay a ransom of $2,500 worth of Bitcoin or Dash.
We have reported several cases where Russian malware authors avoid infecting computers in their country, but the case we are going to discuss is interesting too.

The author of the Sigrun Ransomware is providing the decryption key to Russian victims for free, while the malware demands a ransom of $2,500 worth of Bitcoin or Dash from everyone else.

The case was first spotted by the malware researcher Alex Svirid, and other experts confirmed his discovery.

Alex Svirid
@thyrex2002
31 May
Sigrun Ransomware author freely decrypts files for users from some former USSR countries (with Russian primary language)

S!Ri
@siri_urz
Yup, many are doing that. Guess who is Russian and who is American? pic.twitter.com/1pS6NhPtXN

3:36 PM - May 31, 2018

The Sigrun ransomware also avoids infecting Russian victims by detecting the keyboard layout; this behavior allows Russian malware authors to avoid a response from local authorities.

When Sigrun ransomware is executed, it first checks “HKEY_CURRENT_USER\Keyboard Layout\Preload” to determine whether a Russian layout is installed. If the machine is using a Russian layout, it will not encrypt the files and will delete itself.

Experts pointed out that the ransomware also infects users in the former USSR Republics because many of them don’t use the Russian keyboard layout for political reason. For this reason, the authors of the Sigrun ransomware decided to provide for free the decryption key to Russian victims.

“Ukrainian users don’t use the Russian layout because of political reasons. So we decided to help them if they were infected,” the Sigrun author told BleepingComputer via email.

“We have already added avoiding Ukrainian layout like was in Sage ransomware before.” They also told us that the email images above are not from Sigrun but another ransomware.

Lawrence Abrams from BleepingComputer has spoken with the author of the malware, who told him that he isn’t from the former USSR republics.

“Finally, the Sigrun developer told us that they are ‘not from former USSR republics. I added it because of my Belarus partners,’” added Abrams.

When Sigrun ransomware is executed on a computer, it scans the computer for files to encrypt; when it encrypts a file, it appends the .sigrun extension to the encrypted file’s name. The malware creates two ransom notes named RESTORE-SIGRUN.txt and RESTORE-SIGRUN.html in each folder containing encrypted files.

Experts noticed that it doesn’t encrypt files that match certain extensions, filenames, or that are located in particular folders.

The ransom notes include information on the infection and payment instructions.
“At this time, the Sigrun Ransomware cannot be decrypted for free unless you are a Russian victim and the author helps you,” concluded Lawrence.

Further technical details, including IoCs, are reported in the analysis shared by BleepingComputer.


Wannacry outbreak anniversary: the EternalBlue exploit even more popular now
13.5.2018 securityaffairs
Ransomware  Exploit

WannaCry ransomware outbreak anniversary – According to researchers from ESET, the popularity of EternalBlue has increased significantly over the past months.
Exactly one year ago, on May 12, the WannaCry ransomware infected hundreds of thousands of computers worldwide.

The success of the malware was the use of the EternalBlue exploit that was stolen by Shadow Brokers from the arsenal of the US National Security Agency along with a large cache of tools and exploits.

The group released a 117.9 MB encrypted dump containing documents that suggest the NSA hacked a SWIFT system in the Middle East.

Some of the codenames for the hacking tools in the dump are OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar.

The tools work against almost all versions of Windows, from Windows 2000 and XP to Windows 7 and 8, and Server 2000, 2003, 2008, 2008 R2 and 2012, except Windows 10 and Windows Server 2016.

In March 2017, a month before EternalBlue was released by Shadow Brokers, Microsoft released the MS17-010 security bulletin containing patches for SMB exploits including EternalBlue.

Just after the leakage online of ETERNALBLUE, security experts started observing a significant increase in the number of malware and hacking tools leveraging the NSA exploit to implement a self-spreading mechanism. Investigations on WannaCry revealed that at least three other groups have been leveraging the NSA EternalBlue exploit.

A few weeks prior to the Wannacry ransomware outbreak, EternalBlue was used by the Adylkuzz botnet for mining activities and by the UIWIX ransomware family.

EternalBlue targets a vulnerability in Windows’ Server Message Block (SMB) on port 445, it only works against older operating system versions, mainly Windows XP and Windows 7.

EternalBlue was later used by other malware, including NotPetya and Bad Rabbit.

According to researchers from ESET, the popularity of EternalBlue has increased significantly over the past months.

“And as ESET’s telemetry data shows, its popularity has been growing over the past few months and a recent spike even surpassed the greatest peaks from 2017.” reads the analysis published by ESET.

“EternalBlue had a calmer period immediately after the 2017 WannaCryptor campaign: over the following months, attempts to use the EternalBlue exploit dropped to “only” hundreds of detections daily. Since September last year, however, the use of the exploit has slowly started to gain pace again, continually growing and reaching new heights in mid-April 2018.”


Experts noticed a significant increase in the use of EternalBlue since September 2017, reaching a peak in mid-April 2018; they believe that a Satan ransomware campaign observed in April contributed to the rapid spike.

“This exploit and all the attacks it has enabled so far highlight the importance of timely patching as well as the need for a reliable and multi-layered security solution that can block the underlying malicious tool,” continues ESET.

To mitigate the threat, disable SMBv1 and do not expose SMBv2 to the internet. Unfortunately, millions of devices with SMBv1 are currently still exposed online, most of them in the UAE, US, Russia, Taiwan, and Japan.
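The mitigation above, as an added example that is not from ESET or the article: a PowerShell script that audits SMB exposure on a Windows host, turns off the SMBv1 dialect EternalBlue needs, and keeps TCP/445 off public networks. It assumes an elevated session on Windows 8 / Server 2012 or later and that the host does not need to serve SMB to untrusted (Public-profile) networks.

```powershell
# Added example: audit and harden SMB against EternalBlue-style exploitation.
# Assumptions: run as Administrator; SmbShare and NetSecurity modules are present
# (Windows 8 / Server 2012 and later); SMB is not needed on Public-profile networks.

function Get-SmbExposure {
    # Report which SMB dialects the server accepts and whether TCP/445 is listening.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1Enabled   = $cfg.EnableSMB1Protocol
        Smb2Enabled   = $cfg.EnableSMB2Protocol
        Port445Listen = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
}

function Disable-Smb1 {
    # Server side: stop accepting the SMBv1 dialect (takes effect immediately), then
    # remove the optional component so it is not silently re-enabled later.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    # Client side: keep the workstation service from loading the SMBv1 mini-redirector
    # (this is the procedure Microsoft documents for legacy hosts; needs a reboot).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-PublicSmb {
    # Keep SMBv2 off the internet: drop inbound TCP/445 on the Public firewall profile
    # only, so file sharing on Domain/Private networks keeps working.
    $name = 'Block inbound SMB (public profile)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

Write-Host 'Before:'; Get-SmbExposure
Disable-Smb1
Block-PublicSmb
Write-Host 'After:';  Get-SmbExposure   # Smb1Enabled should now read False
```

Disabling SMBv1 is not a substitute for the MS17-010 update; patch as well, and verify from outside the perimeter that port 445 is unreachable.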

☠️ Nate Warfield 💀
@dk_effect
Almost a year after WannaCry and there's still over a million SMB servers without auth exposed to the world. At least it looks like "only" 66k of them are running Windows 🤦‍♂️🤦‍♂️

4:49 PM - May 11, 2018


First-Ever Ransomware Found Using ‘Process Doppelgänging’ Attack to Evade Detection
11.5.2018 thehackernews
Ransomware

Security researchers have spotted the first-ever ransomware exploiting Process Doppelgänging, a new fileless code injection technique that could help malware evade detection.
The Process Doppelgänging attack takes advantage of a built-in Windows function, i.e., NTFS Transactions, and an outdated implementation of Windows process loader, and works on all modern versions of Microsoft Windows OS, including Windows 10.
Process Doppelgänging attack works by using NTFS transactions to launch a malicious process by replacing the memory of a legitimate process, tricking process monitoring tools and antivirus into believing that the legitimate process is running.
If you want to know more about how Process Doppelgänging attack works in detail, you should read this article I published late last year.
Shortly after the Process Doppelgänging attack details went public, several threat actors were found abusing it in an attempt to bypass modern security solutions.
Security researchers at Kaspersky Lab have now found the first ransomware, a new variant of SynAck, employing this technique to hide its malicious actions from security products, targeting users in the United States, Kuwait, Germany, and Iran.

Initially discovered in September 2017, the SynAck ransomware uses complex obfuscation techniques to prevent reverse engineering, but researchers managed to unpack it and shared their analysis in a blog post.
An interesting thing about SynAck is that this ransomware does not infect people from specific countries, including Russia, Belarus, Ukraine, Georgia, Tajikistan, Kazakhstan, and Uzbekistan.
To identify the country of a specific user, the SynAck ransomware matches keyboard layouts installed on the user's PC against a hardcoded list stored in the malware. If a match is found, the ransomware sleeps for 30 seconds and then calls ExitProcess to prevent encryption of files.
SynAck ransomware also prevents automatic sandbox analysis by checking the directory from where it executes. If it found an attempt to launch the malicious executable from an 'incorrect' directory, SynAck won't proceed further and will instead terminate itself.
Once infected, just like any other ransomware, SynAck encrypts the content of each affected file with the AES-256-ECB algorithm and withholds the decryption key until victims contact the attackers and fulfill their demands.
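The keyboard-layout test that both Sigrun (via HKCU\Keyboard Layout\Preload, above) and SynAck run, reproduced here as an added example that is not code from either article, so an analyst can see which installed layouts on a host or sandbox image would match. Each Preload value is a KLID string such as "00000419": the low 16 bits are the Windows language identifier, the high 16 bits a layout variant. The LANGID-to-country mapping is my assumption for the countries the SynAck article names; the article itself does not list identifiers.

```powershell
# Added example: which installed keyboard layouts would match a hardcoded skip list.
# LANGIDs below are standard Windows values; the mapping to the SynAck article's
# country list is assumed, not taken from the malware.
$SkipLangIds = @{
    0x0419 = 'Russian';   0x0423 = 'Belarusian';   0x0422 = 'Ukrainian'
    0x0437 = 'Georgian';  0x0428 = 'Tajik';        0x043F = 'Kazakh'
    0x0443 = 'Uzbek (Latin)'; 0x0843 = 'Uzbek (Cyrillic)'
}

function Get-PreloadLangIds {
    # Convert KLID strings (the values stored under the Preload key) to LANGIDs
    # by masking off the high 16 bits that encode the layout variant.
    param([string[]]$Klids)
    foreach ($k in $Klids) {
        [int]([Convert]::ToUInt32($k, 16) -band 0xFFFF)
    }
}

function Test-LayoutMatch {
    # Returns $true when at least one installed layout is on the skip list, which is
    # the condition under which the malware described above refuses to run.
    param([string[]]$Klids)
    $hits = @(Get-PreloadLangIds $Klids | Where-Object { $SkipLangIds.ContainsKey($_) })
    foreach ($h in $hits) { Write-Host ("match: 0x{0:X4} ({1})" -f $h, $SkipLangIds[$h]) }
    return ($hits.Count -gt 0)
}

# Constructed sample: a US English layout plus a Russian one.
Test-LayoutMatch @('00000409', '00000419')   # prints "match: 0x0419 (Russian)", returns True

# Read-only live check of this host's Preload values (names are "1", "2", ...).
$live = (Get-ItemProperty 'HKCU:\Keyboard Layout\Preload').PSObject.Properties |
    Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
Test-LayoutMatch $live
```

A detonation VM that only carries a US layout will never trip this check, which is worth remembering when a sample that "does nothing" in the sandbox is later seen encrypting files in the field.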

SynAck is also capable of displaying a ransomware note to the Windows login screen by modifying the LegalNoticeCaption and LegalNoticeText keys in the registry. The ransomware even clears the event logs stored by the system to avoid forensic analysis of an infected machine.
Although the researchers did not say how SynAck lands on the PC, most ransomware spread through phishing emails, malicious adverts on websites, and third-party apps and programs.
Therefore, to safeguard against such ransomware infections, always exercise caution when opening unsolicited documents sent by email, and do not click links inside those documents unless you have verified the source.
Although, in this case, only a few security and antivirus software can defend or alert you against the threat, it is always a good practice to have an effective antivirus security suite on your system and keep it up-to-date.
Last but not the least: to have a tight grip on your valuable data, always have a backup routine in place that makes copies of all your important files to an external storage device that isn't always connected to your PC.