Tag Archives: VirusTotal

SyncCrypt: Getting the Ransomware Picture?

Lawrence Abrams, for Bleeping Computer, describes how the SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension.

The article describes ransomware discovered by EmsiSoft’s xXToffeeXx, distributed as spam attachments containing WSF (Windows Script File) objects. The WSF script pulls down images containing embedded Zip files. Abrams reports that the ‘WSF attachments are pretending to be court orders with file names like CourtOrder_845493809.wsf.’

VirusTotal searches today indicate that detection is rising of the image file for which a hash is provided, but still lower than the detection rate for the executable, which the majority of mainstream security products now detect. The JPGs are not directly harmful, but the embedded Zip file contains the malicious sync.exe executable. Detection of the WSF file for which a hash is provided is also lower than for the executable.

There’s no free decryption for affected data at this time.

IOCs, filenames etc. are appended to the Bleeping Computer analysis.

David Harley


PowerWare Ransomware

AlienVault: PowerWare “Fileless Infection” Deepens Ransomware Conundrum for Healthcare Providers

Michael Mimoso for Threat Post (Kaspersky): Fileless Powerware Ransomware Found On Healthcare Network

Carbon Black flexes its PR muscles and manages not to mention that ‘AV is Dead’ in its analysis: Threat Alert: “PowerWare,” New Ransomware Written in PowerShell, Targets Organizations via Microsoft Word. It does share Indicators of Compromise, but as a graphic rather than as text. However, the Word doc used to spread the malware is detected (according to VirusTotal) by 34 products at the time of writing: 69ee6349739643538dd7eb60e92368f209e12a366f00a7b80000ba02307c9bdf. The ransomware script is also widely detected: https://www.virustotal.com/en/file/02beca974ecc4f871d8d42462ef305ae595fb6906ad764e6e5b6effe5ff05f29/analysis/.

David Harley

SRI iBotnet analysis

I’m not a huge fan of SRI, mainly because of its misconceived and inept use of VirusTotal as a measure of a measure of anti-malware effectiveness. (Unfortunately, SRI is not the only organization to misuse what is actually a useful and well-designed service by Hispasec as a sort of poor man’s comparative testing, even though  Hispasec/VirusTotal themselves have been at pains to disassociate themselves from this inappropriate use of the facility: see http://blog.hispasec.com/virustotal/22.)

So it pains me slightly to report that they have actually produced a reasonable analysis of the botnet associated with the iPhone malware sometimes known as Ikee.B or Duh (sigh…) But they have, and it’s at http://mtc.sri.com/iPhone/.

I wish I could say that some of their other web content is of the same standard. Disclaimer: the company for which I currently work does indeed consistently appear at a very low position in SRI rankings, so you’d expect me to dislike the way they get their results. I do… But I dislike even more the way that they’ve ignored all my attempts to engage them on the topic. OK, rant over. The ikee analysis is still well worth a look.

Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at: