ransomware | Page 10


It came to our attention that a new, rather peculiar version of Nemucod has recently been landing on users. Nemucod is a well-known JavaScript malware family that arrives via spam email and downloads additional malware to PCs. Most recently, Nemucod has been known to download TeslaCrypt ransomware variants. However, the last few weeks saw a shift in Nemucod variants: the script now carries code to drop ransomware from its own body instead of downloading it. The sample arrives via a typical Nemucod spam with an encrypted JavaScript attachment. Upon decrypting the JavaScript, we...
by Roland Dela Paz  |  Mar 16, 2016  |  Filed in: Security Research
“Houston, we have a problem.” This is not news to healthcare organizations, whether they are in Houston, Boston, St. Louis or San Francisco. 2015 was a banner year in healthcare, for all the wrong reasons. The increasing number of attacks on healthcare systems exposed security shortcomings: many unsecured attack vectors, compromised sensitive data and the possibility of catastrophic consequences. 2016 will bring more of the same. Healthcare organizations must speed up their security efforts to avoid putting their patients, and themselves,...
by Ryan Witt  |  Mar 10, 2016  |  Filed in: Industry Trends
It’s been over two weeks since we reported on Locky and predicted that it would become a major player in the ransomware scene. We decided to check our Intrusion Prevention System (IPS) telemetry statistics for CryptoWall, TeslaCrypt and Locky over the two weeks that followed (February 17th to March 2nd) to see how Locky is doing and where it sits compared to its more seasoned counterparts. While the statistics cover a short timeframe, they do give some insight not only into Locky’s early operations but also into how these three major ransomware families are...
by Roland Dela Paz  |  Mar 08, 2016  |  Filed in: Security Research
A new ransomware named “Locky” is currently circulating in the wild and making the headlines. There are already some good reports on Locky available on the Internet. This blog focuses on some technical areas that (we believe) have not been covered yet, namely its domain generation algorithm, command and control communication, and file encryption. For reference, the following is a screenshot of Locky’s Decrypter page (cropped to save space): Based on Harry71’s Onion Spider, the Locky...
by Floser Bacurio, Rommel Joven and Roland Dela Paz  |  Feb 17, 2016  |  Filed in: Security Research
Valentine’s day is just around the corner and it would not be fair to let the occasion pass us by without reflecting on the colorful, charming, amorous, sometimes exotic world of malware. In this blog we explore some of the milestone threats that have courted many a user over the years, proving only that there are, in fact, other (meaner) fish in the sea.
1971: The Creeper Virus
In 1949, the visionary mathematician John von Neumann conceived the idea of self-replicating automata, even before the existence of the modern computer. Little...
by Michael Perna  |  Feb 12, 2016  |  Filed in: Industry Trends
Earlier this month, a new ransomware-as-a-service (RaaS) from a group called “FAKBEN Team” emerged. In this post, we will talk about our findings on the ransomware binary that they sell on their website. Our analysis indicates that the encryption routine used by FAKBEN Team was taken from the open source Hidden Tear ransomware. The representative sample that we used has the MD5 c952a88edc0766adf819b30cd2683ac7. The malware was developed and compiled using Microsoft Visual C# .NET.
Persistence
The malware creates an autorun...
by Roland Dela Paz  |  Nov 25, 2015  |  Filed in: Security Research
Previously, we talked about a new ransomware-as-a-service called Encryptor RaaS. Encryptor RaaS is a GNU Compiler for Java (GCJ) compiled ransomware that is available to anyone who wishes to be a spreading affiliate. The author then takes a 20% commission on each ransom paid by an infected victim. While monitoring, we noticed some updates on its website. In particular, the new version of the ransomware dated November 13, 2015, caught our attention, so we decided to take a look. Currently, the website looks as follows:
Figure 1. Updated...
by Roland Dela Paz  |  Nov 17, 2015  |  Filed in: Security Research
Not long ago, ransomware was a problem for consumers. Early versions hit unsuspecting users as early as 2005 but, while alarming, weren’t especially difficult to defeat. Even 10 years ago, the enterprise was a very different place than it is today, with BYOD in its infancy and far greater separation between work and personal environments. Ransomware authors also had not really begun to leverage the social engineering tactics that made infection much more likely, even for relatively savvy users. Fast-forward to 2015 and attackers...
by Chris Dawson  |  Oct 29, 2015  |  Filed in: Industry Trends
CryptoWall and its variants are among the best-known types of ransomware, malware that encrypts files on end user hard drives and then prompts for payment of a ransom to decrypt the files. In many cases, if users don’t have recent backups, their only option to recover these files is to pay the ransom. CryptoWall Version 3 (CW3) is the most recent major variant that uses sophisticated backend technical and financial infrastructure to extort payments from users, all while employing a variety of measures to slow detection and...
by Derek Manky  |  Oct 28, 2015  |  Filed in: Industry Trends
RIG Exploit Kit was upgraded to v3.0 a while back. While RIG EK was never as active as other exploit kits such as Angler or Nuclear, it is one of the more 'stable' EKs in terms of its near constant presence on the Internet. We will talk about a recent RIG EK sample. Here is the landing page information captured by our automated system in FortiGuard Labs:
Type: Exploit Kit
Name: RIG.Exploit.Kit
Attack ID: 52114
Referrer: ...
by Tim Lau  |  Sep 30, 2015  |  Filed in: Industry Trends