cryptolocker


Summary During the last few weeks there have been several cases of international brand names being used by malware authors to propagate malware through phishing emails. These emails contain misleading links that download malicious Zip files, which, in turn, contain a JavaScript file that downloads the TorrentLocker ransomware. The malicious files have been detected as JS/Agent.2867!tr or JS/Nemucod.AFA!tr.dldr or JS/Nemucod.AFE!tr.dldr by the Fortinet Antivirus service. Since most of the available reports about this threat cover the encryption...
by Lilia Elena Gonzalez Medina  |  Jul 25, 2016  |  Filed in: Security Research
Lately, healthcare has been making headlines due to an onslaught of ransomware attacks from viruses like TeslaCrypt and CryptoWall. As a result of many lucrative successes in extorting ransom payments, the industry has been rightly named the number one target of cyber criminals by several research groups. And it doesn’t seem to be slowing down. Cyber criminals are looking to profit off of the traditionally soft target healthcare has presented due to its general lack of highly secure network and data center architectures. According to a malwarebytes...
by Ryan Edwards  |  May 27, 2016  |  Filed in: Industry Trends
It came to our attention that a new, rather peculiar version of Nemucod has recently been landing on users. Nemucod is a well-known JavaScript malware family that arrives via spam email and downloads additional malware to PCs. Most recently, Nemucod has been known to download TeslaCrypt ransomware variants. However, the last few weeks saw a shift in Nemucod variants: it now carries code to drop ransomware from its own body. The sample arrives via a typical Nemucod spam with an encrypted JavaScript attachment. Upon decrypting the JavaScript, we...
by Roland Dela Paz  |  Mar 16, 2016  |  Filed in: Security Research
A new ransomware named “Locky” is currently circulating in the wild and making the headlines. There are some good reports regarding Locky ransomware already available over the Internet. This blog intends to focus on some technical areas that (we believe) have not been covered yet, namely, its domain generation algorithm, command and control communication, and file encryption. For reference, the following is a screenshot of Locky’s Decrypter page (cropped to save space): Based on Harry71’s Onion Spider, the Locky...
by Floser Bacurio, Rommel Joven and Roland Dela Paz  |  Feb 17, 2016  |  Filed in: Security Research
Earlier this month, a new ransomware-as-a-service (RaaS) from a group called “FAKBEN Team” emerged. In this post, we will talk about our findings on the ransomware binary that they sell on their website. Our analysis indicates that the encryption routine used by FAKBEN Team was grabbed from the open source Hidden Tear ransomware. The representative sample that we used has the MD5 c952a88edc0766adf819b30cd2683ac7. The malware was developed and compiled using Microsoft Visual C# .NET. Persistence The malware creates an autorun...
by Roland Dela Paz  |  Nov 25, 2015  |  Filed in: Security Research
Previously, we talked about a new ransomware-as-a-service called Encryptor RaaS. Encryptor RaaS is a GNU Compiler for Java (GCJ) compiled ransomware that is available to anyone who wishes to be a spreading affiliate. The author then takes a 20% commission for each ransom paid by an infected victim. While monitoring, we noticed some updates on its website. In particular, the new version of the ransomware dated November 13, 2015, caught our attention so we decided to take a look. Currently, the website looks as follows: Figure 1. Updated...
by Roland Dela Paz  |  Nov 17, 2015  |  Filed in: Security Research
Overview Cryptowall is a popular ransomware which targets computers running Microsoft Windows, encrypts files, and extorts money to decrypt user files. Since its predecessor’s first appearance way back in September 2013, Cryptowall has become a financial success for its authors. Following this success, the authors have now released what is believed to be the 4th generation of Cryptowall with new alteration techniques. Ransom Note The most obvious change from the previous Cryptowall is the dropped files and message instructions after the...
by Rommel Abraham D. Joven  |  Nov 13, 2015  |  Filed in: Security Research
Although initially targeted at consumers, so-called “ransomware” has continued to make headlines as cybercriminals began shifting their attention to vulnerable businesses. The malware works by encrypting files on users’ computers and then charging fees to decrypt these files. Organizations ranging from law enforcement to large enterprises have been hit, and the entire family of malware (generally variants of the original Cryptolocker malware) has proven quite lucrative for cybercriminals. For a history of ransomware, click...
by Jose Luis Laguna  |  Jun 26, 2015  |  Filed in: Industry Trends
The year 2013 was named The Menace Year mainly because of the rampant CryptoLocker, a nefarious ransomware that encrypts user files and demands that a ransom be paid in order to decrypt these files. And before CryptoLocker came the unfashionable scareware programs such as FakeAV, which used scare tactics in order to convince the user to purchase the full version of the software. It did not take long before this Windows-based experience was applied to the Android platform. In the middle of 2013, the first representative scareware named...
by Dong Xie  |  Jul 14, 2014  |  Filed in: Security Research
by Michael Perna  |  Jun 07, 2014  |  Filed in: Industry Trends