Tag Archives: ransomware

Ukraine Police Warns of New NotPetya-Style Large Scale CyberAttack


Remember NotPetya?

The ransomware shut down thousands of businesses, organisations and banks in Ukraine, as well as in other parts of Europe, in June this year.

Now Ukrainian government authorities are once again warning citizens to brace themselves for the next wave of a “large-scale” NotPetya-like cyber attack.

According to a press release published Thursday by the Secret Service of Ukraine (SBU), the next major cyber attack could take place between October 13 and 17 when Ukraine celebrates Defender of Ukraine Day (in Ukrainian: День захисника України, Den’ zakhysnyka Ukrayiny).

Authorities warn the cyber attack can once again be conducted through a malicious software update against state government institutions and private companies.

The NotPetya attackers used the same tactic: they compromised the update mechanism of MeDoc, a Ukrainian financial software provider, and swapped in a malicious update carrying the NotPetya malware.

The virus then knocked computers in Ukrainian government agencies and businesses offline before spreading rapidly via corporate networks of multinational companies with operations or suppliers in eastern Europe.

Presentation by Alexander Adamov, CEO at NioGuard Security Lab

The country blamed Russia for the NotPetya attacks, while Russia denied any involvement.

Beyond ransomware and wiper malware, Ukraine has previously been the victim of power grid attacks that cut electricity to its residents for hours on two separate occasions.

The latest warning by the Ukrainian secret service told government and businesses to make sure their computers and networks were protected against any intrusion.

“SBU notifies about preparing for a new wave of large-scale attack against the state institutions and private companies. The basic aim—to violate normal operation of information systems, that may destabilize the situation in the country,” the press release reads. 

“The SBU experts received data that the attack can be conducted with the use of software updating, including public applied software. The mechanism of its realization will be similar to cyber-attack of June 2017.”


To protect themselves against the next large-scale cyber attack, the SBU advised businesses to follow some recommendations, which include:

  • Updating antivirus signatures on servers and workstation computers.
  • Keeping redundant copies (backups) of the information processed on computer equipment.
  • Updating system software daily, including all versions of the Windows operating system.

Since supply chain attacks are not easy to detect and prevent, users are strongly advised to keep regular backups of their important files on a separate drive or storage device that is connected only while the backup is being made, so that an infection cannot reach it.

Most importantly, always keep a good antivirus on your system that can detect and block malware before it can infect your device, and keep it up to date so that it can recognise the latest threats.


Hackers demand nude images instead of money

We thought that we’d seen everything, but hackers have managed to hit a new low. Last month, news about a new ransomware that demands nude photos instead of the usual cryptocurrency started circulating online. The new ransomware is called nRansomware and works similarly to Locky: it is malicious software that infects your device and locks you out of your system. Luckily, the new threat is not state-of-the-art malware. While Locky encrypts your data, nRansomware is known only to lock your screen. That is unfortunate enough, but not absolutely devastating.

Up until now, when a PC was infected with ransomware, the cybercriminals behind it were after immediate monetary gain. However, hackers’ shady techniques are continually evolving. Online troublemakers are starting to realize that Bitcoin and most other cryptocurrencies are not as secure and untraceable as they initially thought. Payments can be tracked, so they decided to get creative by releasing ransomware that demands ten nude photos from the victims to “unlock” their computer.

The new ransomware feels like yet another episode of the modern-day nightmares described in the hit TV series Black Mirror. When infected, your computer displays the text below instead of your desktop. The ruthless message from the hackers is placed on a background containing offensive language and multiple images of Thomas the Tank Engine.

Your computer has been locked. You can only unlock it with the special unlock code. Go to protonmail.com and create an account. Send an email to 1_****_yourself_1@protonmail.com. We will respond immediately. After we reply, you must send at least ten nude pictures of you. After that, we will have the verify that the nudes belong to you. Once you are verified, we will give you your unlock code and sell your nudes on the deep web.

It does sound gross, doesn’t it? The last thing you want is perverts bidding over imagery of your naked body. Hackers have been stealing intimate images from celebrities for a long time. Sadly, now they are starting to realize that they can make a buck by extorting regular people too. You no longer have to be rich or famous to attract hackers’ attention.

Is it a prank, or a sign of a new way hackers will make money out of the innocent? Time will tell. One thing is for sure: cryptocurrencies are not untraceable, and cyber bullies with twisted minds exist out there. They are not afraid to prey on the weak and are continuously finding new ways to avoid being caught. The chances of becoming a victim of such ransomware are slim if you are protected and follow our tips for staying out of trouble.

The post Hackers demand nude images instead of money appeared first on Panda Security Mediacenter.


Locky ransomware strikes at Amazon


Locky is back!

We’ve been closely monitoring the rebirth of this ransomware for quite some time. Since early last year, different variations of it have been periodically popping in and out. Last year we discussed the tricks of the malicious software and took a deeper look at how it works. As you may remember, the primary purpose of the malware is to make it onto your computer. Once it gets there, it encrypts certain files on your system and threatens to delete them unless you pay a ransom. The cybercriminals usually demand payment in cryptocurrency before returning control of your files.

Amazon Marketplace

Multiple outlets such as ZDNet and Silicon Angle reported that a new version of Locky has been spreading in a massive phishing attack. Cybercriminals have been sending roughly 1 million phishing emails per hour since Tuesday, and they are still going. Most of the emails are disguised as fake Amazon Marketplace and Herbalife invoices or phony printer orders, and carry a ZIP file able to infect your computer with malicious software. The malicious emails have been targeted at businesses all over the world. The main affected areas are the US, Japan, Germany, and China.

How it works

Some infected users report that once Locky makes its way in, it opens the door to another ransomware family called FakeGlobe. This means that if you fall victim to one of Locky’s versions, you may potentially have to deal with a second ransom. This is a new technique, but we shouldn’t be surprised, as recent phishing scams are getting more and more sophisticated. For example, the criminal minds behind the attack have been scheduling the emails to reach potential victims during working hours, hoping to trick them into thinking it is a legitimate email.

Who’s behind Locky

No one yet knows who is behind Locky. ZDNet reported that Locky makes its way via the Necurs botnet – an army of more than five million infected devices often used by cybercriminals for other shady activities, such as running email stock scams. Most of the attacks are known to come from India, Greece, Vietnam, Colombia, Turkey, and Iran.

The fact that Locky in all its versions keeps coming back means that some people and businesses still fall for it.

Here are a few suggestions on how to prevent becoming a victim.

Install antivirus software – make sure those infected emails don’t even make it to your or your employees’ inboxes. And if they do get through your spam filter, proper antivirus software will stop you from opening an attachment able to infect your computer.

Do the updates – those updates are there for a reason. Very often malicious software exploits security holes in your operating system, so don’t be shy: encourage your IT department to always make sure your systems are fully up to date.

Be smart – spend some time educating your employees about the harm that security breaches bring to your customers and to the employees themselves. Roughly 60% of small businesses that suffer a hacker attack go out of business within six months. No one wants to lose their job! Also, remember not to open suspicious emails!

Back up your files – make sure that you run a backup of your files at least once a week. That way, even if you or your business gets hit, you won’t have to pay the ransom, though it may be a good excuse for a reinstall of your OS and a full format of your drives.

The post Locky ransomware strikes at Amazon appeared first on Panda Security Mediacenter.


Massive Email Campaign Sends Locky Ransomware to Over 23 Million Users


Whenever we feel like the Locky ransomware is dead, the notorious threat returns with a bang.

Recently, researchers from two security firms have independently spotted two mass email campaigns, spreading two different, but new variants of the Locky ransomware.

Lukitus Campaign Sends 23 Million Emails in 24 Hours

The campaign spotted by researchers at AppRiver sent out more than 23 million messages containing Locky ransomware in just 24 hours on 28 August across the United States in what appears to be one of the largest malware campaigns in the second half of this year.

According to the researchers, the emails sent out in the attack were “extremely vague,” with subject lines such as “please print,” “documents,” “images,” “photos,” “pictures,” and “scans,” in an attempt to trick victims into infecting themselves with Locky ransomware.

The email comes with a ZIP attachment (hiding the malware payload) that contains a Visual Basic Script (VBS) file nested inside a secondary ZIP file.

Once a victim is tricked into opening it, the VBS file starts a downloader that fetches the latest version of the Locky ransomware, called Lukitus (which means “locked” in Finnish), which encrypts all the files on the target computer and appends the .lukitus extension to the encrypted data.

After the encryption process ends, the malware displays a ransom note on the victim’s desktop that instructs the victim to download and install the Tor browser and visit the attacker’s site for further instructions and payment.


This Locky Lukitus variant demands a sum of 0.5 Bitcoin (~$2,300) from victims to pay for a “Locky decryptor” in order to get their files back.

This Lukitus attack campaign is still ongoing, and AppRiver researchers had “quarantined more than 5.6 million” messages in the campaign on Monday morning.

Sadly, no decryptor exists for this variant as of now.

2nd Locky Campaign Sends over 62,000 Emails


In separate research, security firm Comodo Labs discovered another massive spam campaign earlier in August, which sent out over 62,000 spam emails containing a new variant of Locky ransomware in just three days in the first stage of the attack.

Dubbed IKARUSdilapidated, the second variant of Locky ransomware has been distributed from 11,625 different IP addresses in 133 different countries, likely a botnet of “zombie computers” used to conduct coordinated phishing attacks.

According to security researchers at Comodo, “this is a large-scale, email-based ransomware attack in which a new Trojan malware variant appears as an unknown file and can slip into unsuspecting and unprepared organizations’ infrastructures.”

The original attack, first identified on August 9 and lasting three days, used spam email messages that also carried a malicious Visual Basic Script (VBS) attachment which, if opened, behaves the same way as described in the case above.

The cyber criminals operating Locky’s IKARUSdilapidated variant demand a ransom of between 0.5 Bitcoin (~$2,311) and 1 Bitcoin (~$4,623) to return the encrypted files.
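Both campaigns described above deliver Locky the same way: a ZIP attachment hiding a VBS file, in the Lukitus case nested inside a second ZIP, under a vague one-word subject. The following mail-gateway check is an added example written for this page, not code from AppRiver, Comodo or the article's author; it parses a constructed .eml, walks nested ZIP attachments to a fixed depth and scores the message on the indicators the text names (script member, nesting, vague subject). The subject list and extension list are assumptions drawn from the article.

```python
"""Flag Locky-style phishing mail: ZIP attachment carrying a script, possibly
nested in a second ZIP, combined with a vague one-word subject line."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject lines the article quotes from the AppRiver write-up on Lukitus.
VAGUE_SUBJECTS = {"please print", "documents", "images", "photos", "pictures", "scans"}
# Script types Windows runs on double-click; Locky used .vbs (assumed list).
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
MAX_DEPTH = 3  # stop descending into nested archives beyond this depth


def walk_zip(data: bytes, depth: int = 0, prefix: str = ""):
    """Yield (member_path, depth) for every member, descending into nested ZIPs."""
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            yield path, depth
            if info.filename.lower().endswith(".zip"):
                yield from walk_zip(zf.read(info), depth + 1, path + "/")


def analyze_message(raw: bytes) -> dict:
    """Score one raw RFC 822 message; 2 or more points means quarantine."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["subject"] or "").strip().lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        for path, depth in walk_zip(part.get_payload(decode=True)):
            if path.lower().endswith(SCRIPT_EXTENSIONS):
                findings.append({"attachment": name, "member": path, "depth": depth})
    score = 0
    if subject in VAGUE_SUBJECTS:
        score += 1                     # vague lure on its own is only a hint
    if findings:
        score += 2                     # executable script inside an archive
    if any(f["depth"] >= 1 for f in findings):
        score += 1                     # script hidden one archive deeper
    return {"subject": subject, "script_members": findings, "score": score,
            "verdict": "quarantine" if score >= 2 else "allow"}


def _zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed lure shaped like the Lukitus mail: ZIP -> ZIP -> .vbs."""
    inner = _zip_bytes({"scan_0028.vbs": "' constructed placeholder, not a real script\r\n"})
    outer = _zip_bytes({"scan_0028.zip": inner})
    msg = EmailMessage()
    msg["Subject"] = "scans"
    msg["From"] = "scanner@example.invalid"   # constructed sender
    msg.set_content("Please print the attached scans.")
    msg.add_attachment(outer, maintype="application", subtype="zip", filename="scans.zip")
    return msg.as_bytes()


def build_benign_email() -> bytes:
    """Constructed ordinary message with a PDF attachment for comparison."""
    msg = EmailMessage()
    msg["Subject"] = "Q3 invoice for your records"
    msg.set_content("Invoice attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_email(), build_benign_email()):
        print(analyze_message(raw))
```

The depth cap matters in practice: a gateway that unpacks archives without a limit can be stalled by deliberately deep or self-referencing ZIPs.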

This massive Locky ransomware campaign targets “tens of thousands” of users across the globe, with the top five countries being Vietnam, India, Mexico, Turkey, and Indonesia.

Here’s How to Protect Yourself From Ransomware Attacks

Ransomware has become one of the biggest threats to both individuals and enterprises, with several widespread outbreaks in the last few months, including WannaCry, NotPetya, and LeakerLocker.

Currently, there is no decryptor available for data locked by the above Locky variants, so users are strongly recommended to follow these prevention measures to protect themselves.

Beware of phishing emails: Always be suspicious of unsolicited documents sent via email, and never open them or click links inside them unless you have verified the source.

Back up regularly: To keep control of your important files and documents, keep a good backup routine in place that copies them to an external storage device that is not always connected to your PC.

Keep your antivirus software and system up to date: Always keep your antivirus software and systems updated to protect against the latest threats.


Easy-to-Use Apps Allow Anyone to Create Android Ransomware Within Seconds


“Ransomware” threat is on the rise, and cyber criminals are making millions of dollars by victimizing as many people as they can—with WannaCry, NotPetya and LeakerLocker being the ransomware threats that made headlines recently.

What’s bad? Hackers have even started selling ransomware-as-a-service (RaaS) kits in an attempt to spread this creepy threat more easily, so that even a non-technical user can create their own ransomware and distribute it to a wider audience.

What’s worse: you could see a massive increase in the number of ransomware campaigns over the next several months, thanks to new Android apps, available for anyone to download, that let them quickly and easily create Android ransomware on their own devices.

Security researchers at Antivirus firm Symantec have spotted some Android apps available on hacking forums and through advertisements on a social networking messaging service popular in China, which let any wannabe hacker download and use Trojan Development Kits (TDKs).

How to Create Your Own Android Ransomware

With an easy-to-use interface, these apps are no different from any other Android app, apart from the fact that they allow users to create custom mobile malware with little to no programming knowledge.

To create customized ransomware, users download one such app (for obvious reasons we are not sharing the links), install and open it, and fill in the following options on the app’s on-screen form:

  • The message to be shown on the locked screen of the infected device
  • The key to be used to unlock that infected device
  • The icon to be used by their malware
  • Custom mathematical operations to randomize the code
  • The type of animation to be displayed on the infected device

Once all of the information has been filled in, users just need to hit the “Create” button.

If the user hasn’t before, the app will prompt him/her to subscribe to the service before proceeding. The app allows the user to start an online chat with its developer where he/she can arrange a one-time payment.

After the payment has been made, the “malware is created and stored in the external storage in ready-to-ship condition,” and the user can then continue with the process, claiming as many victims as they can.

“Anyone unlucky enough to be tricked into installing the malware will end up with a locked device held to ransom,” Symantec researchers say. 

“The malware created using this automation process follows the typical Lockdroid behavior of locking the device’s screen with a SYSTEM_ALERT_WINDOW and displaying a text field for the victim to enter the unlock code.”

The Lockdroid ransomware has the ability to lock the infected device, change the device PIN, and delete all of its user data through a factory reset, and even prevent the user from uninstalling the malware.

Such apps allow anyone interested in hacking and criminal activities to build a ready-to-use piece of ransomware from their smartphone without writing a single line of code.

“However, these apps are not just useful for aspiring and inexperienced cyber criminals as even hardened malware authors could find these easy-to-use kits an efficient alternative to putting the work in themselves,” the researchers say.

So expect an increase in mobile ransomware variants in the coming months.

How to Protect Your Android Devices from Ransomware Attacks

In order to protect against such threats on mobile devices, you are recommended to:

  • Always keep regular backups of your important data.
  • Make sure that you run an active anti-virus security suite on your device.
  • Avoid downloading apps from unknown sites and third-party app stores.
  • Always pay close attention to the permissions requested by an app, even if it is downloaded from an official app store.
  • Do not open any email attachments from unknown sources.
  • Finally, browse the Internet safely.


The Ways Cybercrime Has Changed in 2017

With thousands of infected computers and millions of dollars lost, the latest ransomware attacks are surely marking the trends to come in the increasingly lucrative field of cybercrime. This, together with the exponential proliferation of connected devices on the IoT, as well as covert cyberwar, sets the stage for cybercrime to come.

More malware, more sophisticated than ever

Incidents involving unknown threats went up 40% in the second quarter of this year, according to the latest data collected by PandaLabs in their quarterly report. These attacks are carried out with malware that is unrecognizable to signature-based antivirus solutions and also evades heuristic detection, indicating a considerable increase in the amount of new malware. As the PandaLabs report points out, small and medium-sized enterprises generally account for the most-targeted victims of these new malware attacks, but home users are more affected by this malware in terms of sheer numbers.

Increased sophistication means that much of the malware we’ve seen uses legitimate system tools to exploit vulnerabilities, something that is especially critical in professional environments. Over the course of 2017, more than 150 million attacks are expected, of which a large percentage will seriously affect companies. We’ve already discussed the growing economic impact that could reach almost three billion dollars in losses in 2017. However, other vectors should be considered, such as the IoT and the troves of data it connects to. Also of note is the increasing probability of being caught in the crossfire of a cyberwar between two world powers, as international cyberespionage continues to rise.

Ransomware, the “fashionable” attack

We can’t stop talking about the attacks that have caused the most impact in the past few months (and which incidentally are some of the most brutal cyberattacks in history). Both WannaCry, which affected more than 150 countries and caused losses of up to four billion dollars, and the subsequent Petya/GoldenEye incident, whose economic impact was far lower, wreaked havoc on corporate networks the world over. Regardless of who’s responsible for the attacks, their sophistication reveals a budding professionalism and simmering hostility in the underworld of cybercrime.

We can no longer deny that there is indeed a cyberwar being waged, sometimes covertly and sometimes not. Often, the perpetrators appear to be institutional (governmental, to be more specific), a hypothesis that can be further justified by looking at the chosen targets of these attacks (especially in the case of Petya/GoldenEye). But it is also important to note that these ransomware attacks take advantage of vulnerabilities found in legitimate system tools, and can therefore be classified as zero-day attacks.

The EternalBlue exploit is at the center of these attacks. It had already been patched by Microsoft before the events took place, but many users had not updated their systems. If on a network of hundreds of computers just one employee fails to update with the patch, the entire network is exposed to the wave of ransomware.

Smart Cities are especially vulnerable. In some cases, the attacks not only resulted in the loss of data, but also brought entire systems down, leading to the interruption of public services. From blackouts to blocked devices, such as cameras or traffic signals, the consequences of recent attacks show that the future of cybercrime can seriously hinder our digital life as we know it.

Fighting advanced cyber attacks

Corporations and home users alike must be constantly vigilant, and that means constantly updating systems and using advanced cybersecurity solutions that can stop an attack before it is able to penetrate the network. And how can we protect ourselves from vulnerabilities we don’t even know exist? More modern solutions address the problem by monitoring systems in real time and are triggered by suspicious behavior (and not known signatures or heuristics). So despite the proliferation of unknown malware, users can stay protected at all times. This is the secret of the advanced technology of Panda Adaptive Defense: to prevent the attack before it happens.

The post The Ways Cybercrime Has Changed in 2017 appeared first on Panda Security Mediacenter.


Android Trojan Now Targets Non-Banking Apps that Require Card Payments


The infamous mobile banking trojan that recently added ransomware features to steal sensitive data and lock user files at the same time has now been modified to steal credentials from Uber and other booking apps as well.

Security researchers at Kaspersky Lab have discovered a new variant of the Android banking Trojan called Faketoken that now has capabilities to detect and record an infected device’s calls and display overlays on top of taxi booking apps to steal banking information.

Dubbed Faketoken.q, the new variant of the mobile banking trojan is being distributed using bulk SMS messages as the attack vector, prompting users to download an image file that actually delivers the malware.

Malware Spy On Telephonic Conversations

Once downloaded, the malware installs the necessary modules and the main payload, which hides its shortcut icon and begins monitoring everything that happens on the infected Android device, from every call to every launched app.

When calls are made to or received from certain phone numbers on the victim’s device, the malware begins to record those conversations and sends the recordings to the attacker’s server.

Moreover, Faketoken.q also checks which apps the smartphone owner is using, and when it detects the launch of an app whose interface it can simulate, the Trojan immediately overlays the app with a fake user interface.

Malware Exploits Overlay Feature to Steal Credit Card Details


In order to achieve this, the Trojan uses the same standard Android feature that is being employed by a whole bunch of legitimate apps, such as Facebook Messenger, window managers, and other apps, to show screen overlays on top of all other apps.

The fake user interface prompts victims to enter their payment card data, including the bank’s verification code, which attackers can later use to initiate fraudulent transactions.

Faketoken.q is capable of overlaying a large number of mobile banking apps as well as miscellaneous applications, such as:

  • Android Pay
  • Google Play Store
  • Apps for paying traffic tickets
  • Apps for booking flights and hotel rooms
  • Apps for booking taxis

Since fraudsters need the SMS code sent by the bank to authorise a transaction, the malware steals incoming SMS message codes and forwards them to the attackers’ command-and-control (C&C) server to complete the attack.

According to the researchers, Faketoken.q has been designed to target Russian-speaking users, as it uses the Russian language on the user interface.

Ways to Protect Against Such Android Banking Trojans

The easiest way to prevent yourself being a victim of such mobile banking Trojans is to avoid downloading apps via links provided in messages or emails, or any third-party app store.

You can also go to Settings → Security and make sure “Unknown sources” option is turned off in order to block installation of apps from unknown sources.

Most importantly, verify app permissions before installing apps, even if they come from the official Google Play store. If you find an app asking for more than it needs, just do not install it.

It’s always a good idea to install an antivirus app from a reputed vendor that can detect and block such malware before it can infect your device, and always keep your system and apps up-to-date.
