Tag Archives: Ransomware as a Service

DetoxCrypto ransomware

Lawrence Abrams for Bleeping Computer: New DetoxCrypto Ransomware pretends to be PokemonGo or uploads a Picture of your Screen

Commentary by David Bisson for Graham Cluley’s blog: DetoxCrypto ransomware-as-a-service rears its ugly head

Info added to resources pages.

David Harley

Cerber Ransomware: a Word in your Ear

Lawrence Abrams, for Bleeping Computer, reports that The Cerber Ransomware not only Encrypts Your Data But Also Speaks to You. Files are AES encrypted, a ransom starting at 1.24 Bitcoins is demanded, and there is currently no way of restoring encrypted files (except from backup of course) for free. And this ransomware, apparently offered as a service on a ‘closed underground Russian forum’, clearly wants to make it very clear that it’s struck: not only does it litter a victimized PC with ransom notes, but it also creates a VBS script that generates an audio message telling the victim that “Your documents, photos, databases and other important files have been encrypted!”

Other commentary by Shell Spawner$ and by David Bisson for Graham Cluley’s blog: Cerber ransomware speaks to you: ‘Your files are encrypted’ – If your files have a .CERBER extension, you don’t need malware to tell you you’ve got a problem

Information added to the Ransomware Resources page.

David Harley


Radamant Author is Adamant?

It’s not unusual for malware authors to insert little messages to the security industry into their code. Sometimes there’s an element of almost-friendly banter,  a bit like a naughty child sticking its tongue out, like the sometimes ambivalent relationship between virus writers and antivirus researchers on alt.comp.virus and other newsgroups. I don’t visit those groups any more, but towards the end of the period when I did visit, most of the traffic seemed to be submerged in a flood of abuse and vituperation (not to mention bits of malware), which is one of the reasons I stopped visiting.

Still, those who have the delightful job of disassembling malware still often find little messages from their authors. Usually they seem to be at the abusive end of the spectrum, aimed at companies and researchers who’ve been inconveniently efficient at detecting earlier versions of the malware.

Such seems to be the case with the author of the Radamant ransomware kit, as reported by David Bisson for Tripwire – Ransomware Author Insults Creator of Decryption Tool in Malware’s Embedded Strings – concerning how EmsiSoft’s Fabian Wosar, having published a tool for decrypting files compromised by Radamant, was ‘complimented’ by the inclusion of strings such as .rdata:0040C030 00000021 C ThxForHlpFabianWosarANDbleepYOU!! in a subsequent version. 

Happily, Wosar has managed to survive the trauma. He commented:

I am not really sure how things work in your circles, but in my circles getting insulted by malware authors is considered the highest kind of accolade someone can get, so thank you very much for that.

And came up with a revised decryption tool within two days.

The purveyor of the Radamant ‘Ransomware as a Service’ tool is apparent working on another version.

David Bisson published a more general article on ransomware and how to deal with it back in January 2015. I’ll be adding that to the resources page at the same time as I add a pointer to this article.

David Harley