Police arrest Ransomware cybercriminals ...
FYI...
- http://blog.trendmicro.com/trendlabs...vity-nabbed-2/
Feb 13, 2013 - "... Trend Micro threat researchers have been studying this scam throughout 2012 and have collaborated very closely with law enforcement authorities in several European countries, especially in Spain. Today, we are very happy to report that the Spanish Police has put the information to good use, and they have just announced in a press conference the arrest of one of the head members of the cybercriminal gang that produces the Ransomware strain known as REVETON. The apparent arrest of this cybercriminal of Russian origin occurred in Dubai, United Arab Emirates. The law enforcement authorities are working to extradite him to Spain for prosecution. Along with his arrest, the operation included the arrests of 10 other individuals tied to the money laundering component of the gang’s operations, which managed the monetization of the PaySafeCard/UKash vouchers received as payment in the scam. The gang apparently had a branch in Spain that exchanged these vouchers and converted them into actual money, which would then be transferred to the leaders of the gang in Russia..."
- http://news.yahoo.com/spain-busts-ra...201859529.html
Feb 13, 2013 - "... The gang, operating from the Mediterranean resort cities of Benalmadena and Torremolinos, made at least €1 million ($1.35 million) annually... The 27-year-old Russian alleged to be the gang's founder and virus developer was detained in the United Arab Emirates at the request of Spanish police while on vacation and an extradition petition is pending, Martinez said. Six more Russians, two Ukrainians and two Georgians were arrested in Spain last week... Money was also stolen from the victims' accounts via ATMs in Spain, and the gang made daily international money transfers through currency exchanges and call centers to send the funds stolen to Russia. Spanish authorities identified more than 1,200 victims but said the actual number could be much higher. The government's Office of Internet Security received 784,000 visits for advice on how to get rid of the virus. Those arrested face charges of money laundering, participation in a criminal operation and fraud."
- http://h-online.com/-1803788
14 Feb 2013
:fear: ;)
DHS-themed Ransomware in the wild
FYI...
- https://www.us-cert.gov/ncas/current...med-Ransomware
Last revised: March 22, 2013 - "US-CERT has received reports of apparently DHS-themed ransomware occurring in the wild. Users who are being targeted by the ransomware receive an email message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. The ransomware -falsely- claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division. Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware... US-CERT and DHS encourage users and administrators to use caution when encountering these types of email messages..."
Screenshot: http://news.softpedia.com/newsImage/...somware-2.jpg/
March 21, 2013
- http://www.reuters.com/article/2013/...92K0Z920130321
Mar 21, 2013
:mad::fear:
Ransomware leverages victims' browser histories for increased credibility
FYI...
- https://www.computerworld.com/s/arti...ed_credibility
April 1, 2013 - "... A new ransomware variant that employs this trick was spotted over the weekend by an independent malware analyst known online as Kafeine. Dubbed Kovter, this version stands out because it uses information gathered from the victim's browser history in order to make the scam message more credible, Kafeine said Friday in a blog post*. Kovter displays a fake warning allegedly from the U.S. Department of Justice, the U.S. Department of Homeland Security and the FBI, that claims the victim's computer was used to download and distribute illegal content. The message also lists the computer's IP address, its host name and a website from which the illegal material was allegedly downloaded. The malware checks if any of the sites already present in the computer's browser history is present in a remote list of porn sites whose content is not necessarily illegal, and if there's a match, it displays it in the message. By using this technique and naming a site that the victim has actually visited as the source for the alleged illegal content, the ransomware authors attempt to increase the credibility of their message. If no match is found when checking the browser history against the remote list, the malware will just use a random porn site in the message... The authors of police-themed ransomware are constantly trying to improve their success rate and this is just the latest in a long series of tricks they have added. Some variants are actually using the computer's webcam, if one is present, to take a picture of the user and include it in the message in order to give the impression that the authorities are recording the user. Another variant gives victims a deadline of 48 hours to pay the made-up fine before their computer drive is reformatted and their data is destroyed. The average number of daily infection attempts with police-themed ransomware has doubled during the first months of 2013..."
*Screenshot: https://d1piko3ylsjhpd.cloudfront.ne..._kovter_01.png
:fear::fear:
Ransomware - Reveton.B ...
FYI...
- https://www.net-security.org/malware_news.php?id=2497
May 17, 2013 - "... Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing the rounds. It is being delivered on the victims' computer via the Blackhole exploit kit, and on the surface acts like it always did: locks the computer screen and demands money to unlock it:
> https://www.net-security.org/images/...n-17052013.jpg
... in the background, the malware downloads a password-stealer component from its C&C server and runs it. "PWS:Win32/Reveton.B can steal passwords for a comprehensive selection of file downloaders, remote control applications, FTP, poker, chat and e-mail clients, as well as passwords stored by browsers and in protected storage," say* the researchers. "However, as it can load almost any DLL served by the C&C on the fly, this might change." Keeping your OS and software updated should minimize the possibility of being faced with malware, they say, but in case you do get hit by a Reveton infection, it's a good idea to change all your passwords once you remove the malware from the computer."
* http://blogs.technet.com/b/mmpc/arch...l-pay-off.aspx
:sad: :fear:
Top 5 Fake Security Rogues of 2013
FYI...
- http://blog.webroot.com/2013/06/27/t...ogues-of-2013/
June 27, 2013 - "We see users on the internet getting infected with Rogue Security Malware all the time. In fact, it’s one of the most common and obvious types of infection we see. The Rogues lock down your computer and prevent you from opening any applications so you’re forced to read their scam. Although they use various tactics and convincing GUIs to get onto your computer, they all share a common goal: To get your money.
Here are the top 5 rogues reported this year (Screenshots):
System Care Antivirus: https://webrootblog.files.wordpress....irus.jpg?w=750
Internet Security: https://webrootblog.files.wordpress....rity.png?w=736
Disk Antivirus Professional: https://webrootblog.files.wordpress....irus.png?w=752
System Doctor 2014: https://webrootblog.files.wordpress....2014.jpg?w=801
AVASoft professional antivirus: https://webrootblog.files.wordpress....irus.jpg?w=796
... The most common install from fake Adobe update installers and malicious URLs linked from pictures that look like this:
1) https://webrootblog.files.wordpress....pg?w=296&h=145
2) https://webrootblog.files.wordpress....pg?w=560&h=145
Once you click on images like this in the wild and receive the payload from the malicious URLs, you’ll have effectively given permission and installed the Rogue onto your computer.
> https://webrootblog.files.wordpress....nter.jpg?w=869
Don’t give them your credit card information.
... New variants of these rogues come out constantly so there are millions of unique signatures being dropped on computers every day..."
- https://blogs.technet.com/b/mmpc/arc...edirected=true
27 Jun 2013
:mad: :mad:
Ransomware targets Apple Mac OS X users
FYI...
- http://blog.malwarebytes.org/intelli...ac-os-x-users/
July 15, 2013 - "... Cyber-criminals, well known for not re-inventing the wheel, have ‘ported’ the latest ransomware to OS X, not by using some complicated exploit but rather leveraging the browser and its ‘restore from crash’ feature.
Screenshot: http://cdn.blog.malwarebytes.org/wp-...ansomware1.png
The ransomware page is being pushed onto unsuspecting users browsing regular sites but in particular when searching for popular keywords. Warnings appearing to be from the FBI tell the victim: “you have been viewing or distributing prohibited Pornographic content.. To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300.” A quick look at the address bar shows an interesting URL: fbi.gov.id657546456-3999456674.k8381 . com, the bad guys are clearly trying to fool users. If you choose to ignore the message (which you should), you cannot get rid of the page:
> http://cdn.blog.malwarebytes.org/wp-...3/07/lock1.png
If you “force quit” the application, the same ransomware page will come back the next time you restart Safari because of the “restore from crash” feature, which loads back the last URL visited before the browser was quit unexpectedly. Talk about a vicious circle... There -is- a way to get rid of it (without clicking on the prompt 150 times) and more importantly without paying the $300 ransom. Click on the Safari menu and then choose “Reset Safari”:
> http://cdn.blog.malwarebytes.org/wp-...3/07/reset.png
Make sure all items are marked and hit the Reset button:
> http://cdn.blog.malwarebytes.org/wp-.../07/reset2.png
You can bet many people are going to fall for this scam and pay the ransom money, filling the bad guys’ pockets. Whenever alarming messages are displayed, it is important to take the time to review them, call a friend or talk to someone about it. The bad guys know how to use social engineering to entice victims as, for example, I was led to this locked page by doing a search for Taylor Swift on Bing images. The victim will feel they may have actually been doing something wrong and got caught and, ashamed, will pay the “fine.” This scam is unfortunately all too efficient and is not going away anytime soon. Watch this tutorial* on how to get rid of the FBI ransomware for OS X..."
* http://www.youtube.com/watch?v=Ip6tvti4UjU
___
- https://www.ic3.gov/media/2013/130718-2.aspx
July 18, 2013
:fear::fear:
DHS-themed ransomware - in the wild
FYI...
- https://www.us-cert.gov/ncas/current...somware-UPDATE
July 30, 2013 - "US-CERT has received reports of increased activity concerning an apparently DHS-themed ransomware malware infection occurring in the wild. Users who are being targeted by the ransomware receive a message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. One iteration of this malware also takes a webcam (if available) photo or video of a recipient and posts it in a pop-up to add to the appearance of legitimacy. The ransomware -falsely- claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division. Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware..."
:sad::fear::mad:
Ransomlock malware changes Windows Login Credentials
FYI...
Chinese Ransomlock malware changes Windows Login Credentials
- http://www.symantec.com/connect/blog...in-credentials
21 Aug 2013 - "... new type of ransomlock malware that not only originates from China but also uses a new ransom technique to force users into paying to have their computers unlocked. This threat is written in Easy Programming Language and is spread mostly through a popular Chinese instant messaging provider. Once a computer is compromised, the threat changes the login credentials of the current user and restarts the system using the newly created credentials. The login password is changed to “tan123456789” (this was hardcoded in the sample we acquired) but the malware author may update the threat and change the password. The account name is changed to “contact [IM ACCOUNT USER ID] if you want to know the password” (English translation) so that once the computer has restarted, and the user is unable to log in, they will see the account name/message and contact the user ID in order to get the new password.
Login screen with changed account name after system restart
> https://www.symantec.com/connect/sit...gure1_Edit.png
If the victim contacts the provided user ID, who is more than likely the malware author, they will see a statement on the profile page asking for approximately 20 Chinese Yuan (US$3.25). The statement says that the login password will be sent as soon as the money is received and that if the malware author is pestered by the user they will be blocked. Symantec detects this threat as Trojan.Ransomlock.AF. For users already infected with this threat, there are several ways to restore system access:
1. Use password “tan123456789” to log into the system and reset the password (as mentioned before, this might -not- always work as the password may be changed by the malware author)
2. Use another administrator account to log into the system and reset the password
3. If your current account is not a super administrator account, enter safe mode and log in as super administrator and then reset the password
4. Use Windows recovery disk to reset the password."
___
Spear-Phishing E-mail with Missing Children Theme
- https://www.us-cert.gov/ncas/current...Children-Theme
August 22, 2013 - "The FBI is aware of a spear-phishing e-mail appearing as if it were sent from the National Center for Missing and Exploited Children. The subject of the e-mail is "Search for Missing Children," and a zip file containing 3 malicious files is attached. E-mail recipients should always treat links and attachments in unsolicited or unexpected e-mail with caution."
:fear::mad:
Cryptolocker ransomware ...
FYI...
- http://arstechnica.com/security/2013...0-in-bitcoins/
Oct 17 2013 - "Malware that takes computers hostage until users pay a ransom is getting meaner, and thanks to the growing prevalence of Bitcoin and other digital payment systems, it's easier than ever for online crooks to capitalize on these "ransomware" schemes. If this wasn't already abundantly clear, consider the experience of Nic, an Ars reader who fixes PCs for a living and recently helped a client repair the damage inflicted by a particularly nasty title known as CryptoLocker. It started when an end user in the client's accounting department received an e-mail purporting to come from Intuit. Yes, the attached archived zip file with an executable inside should have been a dead giveaway that this message was malicious and was in no way affiliated with Intuit. But accounting employees are used to receiving e-mails from financial companies. When the receiver clicked on it, he saw a white box flash briefly on his screen but didn't notice anything else out of the ordinary. He then locked his computer and attended several meetings. Within a few hours, the company's IT department received word of a corrupt file stored on a network drive that was available to multiple employees, including the one who received the malicious e-mail. A quick investigation soon uncovered other corrupted files, most or all of which had been accessed by the accounting employee. By the time CryptoLocker had run its course, hundreds of gigabytes worth of company data was no longer available..."
> http://cdn.arstechnica.net/wp-conten...t1-640x498.jpg
Cryptolocker Prevention Kit
- http://www.thirdtier.net/2013/10/cry...revention-kit/
Oct 14, 2013 - "The SMBKitchen Crew and Third Tier staff have put together a group of materials that were published as part of our SMBKitchen Project and only available to subscribers. However, because this virus is spreading so rapidly and is so serious, we’ve decided to make these materials available to everyone. The kit includes an article on cleaning up after infection but, more importantly, provides materials and instruction for deploying a preventative block using software restriction policies. The articles provide instruction for installing them via GPO on domain computers and terminal servers, and on non-domain joined machines too. We have also provided GPO settings that you can import into your environment. We’ve zipped it up into a single file. Download it now*"
* http://www.thirdtier.net/downloads/C...ventionKit.zip
___
- http://atlas.arbor.net/briefs/index#1331587000
High Severity
21 Oct 2013
The CryptoLocker ransomware has been popular lately. Several serious outbreaks have taken place and this threat is harder to recover from unless proactive measures have been taken.
Source: http://nakedsecurity.sophos.com/2013...-and-recovery/
- http://windowssecrets.com/top-story/...nicious-virus/
Oct 23, 2013
- https://isc.sans.edu/diary.html?storyid=16871
Last Updated: 2013-10-22 14:09:38 UTC
CryptoLocker: Its Spam and ZeuS/ZBOT Connection
- http://blog.trendmicro.com/trendlabs...ot-connection/
Oct 21, 2013 - "... the CryptoLocker malware that not only blocks access to the system, but also forces users to buy a $300 decrypting tool by locking or encrypting specific files in the system. Recently, we were alerted to a spam campaign that we determined to be responsible for CryptoLocker infections. The spammed messages contain malicious attachments belonging to TROJ_UPATRE, a malware family characterized by its small file size and a simple downloading function. Using feedback provided by the Trend Micro Smart Protection Network, we searched for information linking CryptoLocker ransomware to this downloader and came across a sample email containing a malicious attachment (detected as TROJ_UPATRE.VNA):
(Screenshot of spam with malicious attachment)
> http://blog.trendmicro.com/trendlabs...yptolocker.jpg
Once this attached file is executed, it connects to a URL to download another file, which is saved as cjkienn.exe (detected as TSPY_ZBOT.VNA). This malware then downloads the actual CryptoLocker malware (detected as TROJ_CRILOCK.NS).
(CryptoLocker infection chain)
> http://blog.trendmicro.com/trendlabs...ock_edited.jpg
This threat is particularly troublesome for several reasons. First, ZeuS/ZBOT variants are known to steal information related to online banking credentials. The attackers can use the stolen information to start unauthorized banking transactions. Furthermore, because of the CryptoLocker malware, users will be unable to access their personal or important documents... Although the ransom note in CryptoLocker only specifies “RSA-2048” as the encryption used, our analysis shows that the malware uses AES + RSA encryption. RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data. (One key is made available to any outside party and is called the public key; the other key is kept by the user and is called the private key.) AES uses symmetric keys (i.e., the same key is used to encrypt and decrypt information). The malware uses an AES key to encrypt files. The AES key for decryption is written in the files encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it. Unfortunately, the said private key is not available. For information on which files are encrypted, users can check their system’s autostart registry.
> http://blog.trendmicro.com/trendlabs...yptolocker.jpg
... It is also important for users to be cautious when opening any attachments from email messages coming from unknown sources. Email reputation service also blocks the spam related to this threat."
CryptoPrevent Tool:
- http://www.bleepingcomputer.com/viru...#cryptoprevent
Oct 20, 2013
:fear::fear:
GWload - Mass Injection making its rounds ...
FYI...
- http://community.websense.com/blogs/...ts-rounds.aspx
29 Oct 2013 - "... a new mass injection campaign is making its rounds, compromising and injecting content into tens of thousands of legitimate websites... Our telemetry shows that, to date, at least 40,000 compromised pages have occurred on the Web, redirecting and tricking users to install rogue software. We see parallels of the injected websites with websites that were affected by the "cookiebomb" mass injection, which was mostly associated with delivering "ransomware" payloads...
Number of injected web pages spotted in the last 7 days:
> http://community.websense.com/cfs-fi..._5F00_days.jpg
Users who browse to a compromised injected website are immediately redirected 'drive-by' style to a second compromised website that (a) effectively blocks all content of the legitimate website and (b) shows them this notification: "VLC player is required for this website, click DOWNLOAD NOW". VLC media player is a legitimate open source media player (the official page is located here*). However, VLC player is also known to be abused and bundled with some non-legitimate software, and this is the case with -all- the "VLC media player" installations that take part in this mass injection campaign... The lure - how content is 'locked' with conditional access; this is what the user sees when browsing to an injected website:
> http://community.websense.com/cfs-fi...lashscreen.jpg
... If a user is convinced that it is necessary to download and run the file to access the website's content, then unexpected, -rogue- installations of software will commence on the user's machine... Looks like "VLC Player" Installation, but the small print allows for some extras:
> http://community.websense.com/cfs-fi...plashcreen.jpg
... We noticed that this mass injection uses a social engineering trick that locks legitimate websites' content to lure potential victims to install applications that participate in Cost Per Action (CPA) advertising schemes. This change in tactics that occurred in the past two weeks coincides with the arrest of the Blackhole Exploit Kit author 'Paunch,' which could suggest that actors adapt to change rapidly to keep their attack going. It was also apparent that certain scripts used by actors to serve social engineering-based attack vectors are interchangeable across different attack platforms; we witnessed with 'GWload' that code that mostly was used in social engineering-based attacks on -Facebook- has now migrated and is used with mass injections..."
* http://www.videolan.org/
:mad: :fear::fear: