Tag Archives: Talos

Ranscam: paying up won’t get your files back

Whenever I think that the various criminals behind ransomware can’t sink any lower, someone comes along and proves me wrong.

Edmund Brumaghin and Warren Mercer in a post for Talos describe a particularly vicious example of ransomware they call Ranscam, which doesn’t bother to encrypt files. It claims that the files have been moved to a ‘hidden, encrypted partition’ , but in fact the malware simply deletes them, makes it difficult as possible to recover them, and then puts up a ransom demand. In fact, the criminals have no way of recovering the victim’s files: they just take the money, given the opportunity. As the authors put it:

Ranscam further justifies the importance of ensuring that you have a sound, offline backup strategy in place rather than a sound ransom payout strategy.

The Talos blog: When Paying Out Doesn’t Pay Off.

Commentary by John Leyden for The Register: Nukeware: New malware deletes files and zaps system settings – When you’ve paid up, but there’s nothing to unlock.

David Harley



JBoss Backdoors

Alexander Chiu for Talos looks hard at the JBoss vulnerability: WIDESPREAD JBOSS BACKDOORS A MAJOR THREAT.

Chui observes:

We found just over 2,100 backdoors installed across nearly 1600 ip addresses.

He notes that several compromised systems have the Follett “Destiny” Library Management System software installed, and includes Indicators of Compromise and Snort rules.

US-CERT has issued an advisory.

David Harley

I do not like that SamSam-I-am ransomware

Darren Pauli for the The Register flags the rise of a ransomware variant that, according to Talos, has ‘a particular focus on the healthcare industry’.

Pauli’s article: Hospital servers in crosshairs of new ransomware strain – SamSam virus is highly contagious and Bitcoin’s the only known cure. He also summarizes Maktub, which resembles SamSam in that  files are encrypted offline and C&C infrastructure is not used for payment.

The Talos blog with more technical detail: SAMSAM: THE DOCTOR WILL SEE YOU, AFTER HE PAYS THE RANSOM

Malwarebytes analysis of Maktub: Maktub Locker – Beautiful And Dangerous

Commentary by Sean Gallagher for Ars Technica: Two more healthcare networks caught up in outbreak of hospital ransomware – New server-targeting malware hitting healthcare targets with unpatched websites.

David Harley

Tech Support Scam Updates

The following links have been added to the tech support scam resources page:

“Since May 2014, Microsoft has received over 175,000 customer complaints regarding fraudulent tech support scams. This year alone, an estimated 3.3 million people in the United States will pay more than $1.5 billion to scammers.”


David Harley