Tag Archives: Bleeping Computer

Ransomware: PUBG, RensenWare, Quant, Wannacry

Updates to Specific Ransomware Families and Types

Advertisements

Resources updates, 26 March 2018

Updates to Anti-Social Media

Updates to Specific Ransomware Families and Types

Updates to Cryptocurrency/Crypto-mining News and Resources

David Harley

Resource updates 21st March 2018

Additions to the new Anti-Social Media page:

Additions to Meltdown/Spectre – Related Resources

Decryption for Polsk, Vortex, Flotera

Catalin Cimpanu for Bleeping Computer: Author of Polski, Vortex, and Flotera Ransomware Families Arrested in Poland.

“Authorities were able to recover data from the suspect’s laptop and remote servers, including encryption keys. Polish police are now encouraging victims of the Polski, Vortex, and Flotera ransomware families to file official complaints with local authorities so they can receive a decryption key for their files.”

Added to the Specific Ransomware Families and Types page.

David Harley

Meltdown/Spectre PoC samples

Catalin Cimpanu for Bleeping Computer: We May Soon See Malware Leveraging the Meltdown and Spectre Vulnerabilities

“All evidence suggests most of these detections are security researchers playing with the PoC code, but experts won’t rule out that some samples are from malware authors looking for ways to weaponize the PoC code for malicious actions.”

Fortinet says:

“FortiGuard Labs has analyzed all of the publicly available samples, representing about 83 percent of all the samples that have been collected, and determined that they were all based on proof of concept code.  The other 17 percent may have not been shared publicly because they were either under NDA or were unavailable for reasons unknown to us.”

AV-Test’s list of hashes

Helpnet Security commentary

David Harley

Ransomware updates

(1) Raj Samani, Chief Scientist at McAfee, describes an attempt to explore the motivations that drive ransomware gangs. Why ransomware? Let’s ask the bad guys 

Perhaps the most useful and interesting fact to emerge from these exchanges is that ‘1 in 3 of the email addresses were fake/non-existent [implying] that almost one third of ransomware could potentially be pseudo since the promised ‘helpdesk’ does not even exist.’

(2) Bleeping Computer reports the arrest of five Romanian distributors of spam associated with the CTB-Locker and Cerber ransomware families: Five Romanians Arrested for Spreading CTB-Locker and Cerber Ransomware

David Harley

Tech Support Scams: leveraging Spotify for Google and Bing SEO

Lawrence Abrams for Bleeping Computer: Tech Support Scammers Invade Spotify Forums to Rank in Search Engines

Extract: “Over the past few months, Tech Support scammers have been using the Spotify forums to inject their phone numbers into the first page of the Google & Bing search results. They do this by submitting a constant stream of spam posts to the Spotify forums, whose pages tend to rank well in Google.”

David Harley

SyncCrypt: Getting the Ransomware Picture?

Lawrence Abrams, for Bleeping Computer, describes how the SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension.

The article describes ransomware discovered by EmsiSoft’s xXToffeeXx, distributed as spam attachments containing WSF (Windows Script File) objects. The WSF script pulls down images containing embedded Zip files. Abrams reports that the ‘WSF attachments are pretending to be court orders with file names like CourtOrder_845493809.wsf.’

VirusTotal searches today indicate that detection is rising of the image file for which a hash is provided, but still lower than the detection rate for the executable, which the majority of mainstream security products now detect. The JPGs are not directly harmful, but the embedded Zip file contains the malicious sync.exe executable. Detection of the WSF file for which a hash is provided is also lower than for the executable.

There’s no free decryption for affected data at this time.

IOCs, filenames etc. are appended to the Bleeping Computer analysis.

David Harley

 

Reyptson Ransomware

Lawrence Abrams for Bleeping Computer: Reyptson Ransomware Spams Your Friends by Stealing Thunderbird Contacts. He says:

‘…unfortunately there is no way to decrypt this ransomware currently for free. We have, though, setup a dedicated Reyptson Support & Help Topic for those who wish to discuss it or ask questions.’

Announcement by EMSIsoft’s @PolarToffee.

Notes from @malwrhunterteam

David Harley

Lockdroid’s text-to-speech unlocking

Catalin Cimpanu, for Bleeping Computer, details Lockdroid’s novel use of TTS functions as part of the post-payment unlocking process: Android Ransomware Asks Victims to Speak Unlock Code. Based on a report from Symantec that I haven’t seen yet.

Lockdroid’s current campaigns appear to be focused on China, but that doesn’t mean its innovations won’t be seen elsewhere. Symantec’s Dinesh Venkatesan noted implementation bugs and that it might be possible for a victim to recover the unlock code from the phone.

David Harley