NotPetya and ExPetr

There are early signs of a new ransomware outbreak, currently affecting a large number of countries across the globe, such as the UK, Ukraine, India, the Netherlands, Spain, Denmark, and others. This ransom uses the contact details of wowsmith123456@posteo.net and asks for a payment of $300 in Bitcoin. Petya’s initial distribution vector was a tainted update for an accounting software package popular in the Ukraine, from the legitimate MEDoc updater process.. The new ransomware has worm capabilities, which allows it to move laterally across infected networks.

To capture credentials for spreading, the ransomware uses custom tools, a la Mimikatz. These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network. The execution chain leading to the ransomware installation is represented in the diagram below and essentially confirms that EzVit.exe process from MEDoc, for unknown reasons, at some moment executed the following command-line:

C:\\Windows\\system32\\rundll32.exe\” \”C:\\ProgramData\\perfc.dat\”,#1 30

Other observed infection vectors include:

A modified EternalBlue exploit, also used by WannaCry.
The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).
An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.
IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.

Only if the malware is running with highest privilege (i.e., with SeDebugPrivilege enabled), it tries to overwrite the MBR code.

This ransomware attempts to encrypt all files, Unlike most other ransomware, this threat does not append a new file name extension to encrypted files. Instead, it overwrites the said files. The AES key generated for encryption is per machine, per fixed drive, and gets exported and encrypted using the embedded 2048-bit RSA public key of the attacker.

After completing its encryption routine, this ransomware drops a text file called README.TXT in each fixed drive. The said file has the following text:
petya-readme

After execution, the ransomware infects the system at a low level, modifying the MBR and presenting the user with the following prompt:
windowsshutdown

After a reboot, instead of loading into the operating system installed on the computer, the user is faced with a fake Check Disk operation that, instead of actually checking your hard disk for issues, is actually encrypting files. This is done to buy the ransomware more time to encrypt all the relevant files on the system without being stopped by the user. The MFT (Master File Table) and the MBR are also encrypted. The MBR is overwritten to display the ransom note, which makes it impossible to boot the system without remediation—meaning users must either pay the culprit or be unable to access their system. The computer will then display a menacing black screen with red lettering listing the ransomware’s purpose and its demands. The attack affects users by encrypting anywhere from a single file to the entire system.

screen1-petya

look out for Max Total Security new tool next week which is blocking all malware access. Alomg with its already launched tool whitelist make your PC malware proof forever.

PSCrypt ransomware

PSCrypt is a ransomware based on GlobeImposter 2.0, a ransomware strain that’s been around for more than a year, and has evolved from the Globe ransomware family. Ukrainian users have been aggressively targeted during the past month with PSCrypt after XData and NotPetya.

The PSCrypt Ransomware Trojan is distributed to users via spam emails loaded with a macro-enabled Microsoft Word file. The document may be proposed to users as an invoice, order confirmation and message from a friend on a social media service. Either way, the file acts as an installer that includes a script which is loaded in Windows and issues commands that result in the installation of the PSCrypt Ransomware.

During data encryption, it appends .pscrypt file extension and makes data impossible to open. Once it’s done, this crypto-malware creates and saves a Paxynok.html file into every folder that contains encrypted data, including the desktop. The ransom note carries victim’s personal identifier and a message from cyber criminals which says that all files have been encrypted by PSCrypt. The letter suggests that the victim must buy Bitcoins[2] at LocalBitcoins, Coinbase or XChange and then transfer a required sum to a provided Bitcoin wallet.

Cyber criminals ask to write them a letter via systems64x@tutanota.com email address which is also provided in the ransom note. The crooks suggest that their “operator will give the further instructions.” According to the ransom note, victims have to pay 2500 hryvnia (approximately 96 US dollars) in order to decrypt corrupted files. The cyber criminals provide an unusual ransom payment method – paying the ransom via IBOX terminal.

Malware not only encrypts files but also makes the system vulnerable. It might make various modifications in the system, create new or delete existing registry entries, and even open the backdoor to other cyber threats. Thus, having this malicious program installed on a device might lead to even more serious problems. It goes without saying that you should first make a copy of data back up done by Max Total Security and then format PC. Reinstall new operating system and then do data recovery.

Ztorg Android malware

The Ztorg malware hid in apps on Google’s Play Store to send premium-rate SMS texts and delete incoming SMS messages on Android devices. The apps, called “Magic Browser” and “Noise Detector,” have a combined total of 60,000 user installations. What’s interesting about these apps is that they don’t conceal Ztorg in its traditional device-rooting form. Instead they hide an SMS-based version of the threat.

After a user installs them, the apps wait 10 minutes before connecting to their command-and-control (C&C) server. They then make two GET requests, the first of which includes the first three digits of the Android device’s International Mobile Subscriber Identity (IMSI). If the trojan receives data from the server, it responds with its second GET request containing the first five digits of the IMSI.

magic-browser

The second app, called “Noise Detector”, with the same malicious functionality, was installed more than 10,000 times.

ztorg_sms_en_2

Following these requests, the trojan receives a JSON file of “offers” carrying a string field called “url.” Some of these “url” fields actually contain a URL, in which case Ztorg displays content to the user. In the event the field carries a “SMS” substring, it sends an SMS message to the number provided, turns off the device sound, and starts blocking all incoming SMS text messages.

It means that these Trojans may not only open ad urls, or send Premium rate SMS, but also open web-pages with WAP billing and steal money from a user’s account. To hide these activities the Trojans turn off the device sound and delete all incoming SMS.

RabboLock Ransomware

The R4bb0l0ck file encoder is programmed to scan the machine for available memory disks, and network shared storage that has data associated with software like Microsoft Office, Libre Office, Adobe Acrobat Reader, MySQL, VLC Media Player and Calibre. The threat is reported to use the files ‘hidden-tear.exe,’ ‘R4bb0l0ck.exe,’ and ‘R4bb0l0ck Ransomware.bin’ to facilitate its operation. The RabboLock Ransomware Trojan is programmed to report the IP address, machine GUID, active user account name, and software configuration to its masters before it generates a pair of unique encryption and decryption keys. As all HiddenTear variants do, the R4bb0l0ck Trojan encodes the user’s files using the AES-256 cipher and proceeds to encode the decryption key using the RSA-1024 cipher, which prevents malware researchers from recovering the corrupted data.

This Trojan is another crpto malware which adds the ‘.R4bb0l0ck’ extension to the encoded files. The RabboLock Ransomware is a threat to regular PC users that may open documents attached to spam emails, and lead to a security breach. The programmers responsible for the RabboLock Ransomware have been reported to take advantage of macro scripts embedded into Microsoft Word documents and compromise remote computers.

Our recommendation is be careful while opening email attachments, or fake software products as many malware come bundled with them, or while browsing web sites where scripts may ask you for permission or download something. Immediately terminate such processes or browsers from task manager . Always use Max Total Security to back up your data and Restore when you need it.

$ucyLocker Ransomware

The $ucyLocker Ransomware is a file encoder Trojan that is designed to corrupt data on compromised devices and offers users a chance to recover their data. The authors of the $ucyLocker Ransomware used “VapeHacksLoader.exe” and “Loader-Private” to install the ransomware within the PC. After infecting the computer, this ransomware encrypts files stored in the system and adds .WINDOWS file extension to each of them. Then it outputs some text into a ransom note READ_IT.txt which the virus saves on the desktop. This virus aims to extort the victim as it asks 0.16 BTC in exchange for a decryption key.

lucyLocker

Following message is shown by this ransomware:

Window 1:
‘Your computer is locked. Please do not close this window as that will result in serious computer damage
Click next for more information and payment on how to get your files back.
$usyLocker

Window 2:
‘Your Files are locked. They are locked because you downloaded something with this file in it. This is ransomware. It locks your files until you pay for them. Before you ask, Yes we will give you your files back once you pay and our server confirms that you pay.
Next’

Window 3:
‘I paid, Now give me back my files
Send 0.16 to the address below
[34 RANDOM CHARACTERS]
bitcoin
ACCEPTED HERE’

Do not pay this Ransomware any money as there is no guarantee that it will recover your files. Go to control panel, review and uninstall any unwanted programs that you see. Go to Task manager and delete any processes or services that are not familiar to you and from Max Total Security >Options menu remove any BHOS and Startup entries that you see. From browsers remove any add ins.

Restore all of your files from Max Total Security Restore option.

Executioner (Cellat) ransomware

Executioner (Cellat) is a ransomware-type virus encrypts various data and appends six random characters to a name of each encrypted file. For example, “sample.jpg” might be renamed to “sample.jpg.h80skl” or similar. Executioner (Cellat) then changes the desktop wallpaper and creates an HTML file (“Sifre_Coz_Talimat.html”), placing it in each folder containing encrypted files.

The wallpaper contains a ransom-demand message in Turkish stating that files are encrypted and that a ransom of the equivalent of $150 in Bitcoins must be paid to restore them. It is currently unknown whether Executioner (Cellat) uses symmetric or asymmetric cryptography. In any case, decryption without a unique key is impossible. Cyber criminals store this key on a remote server and victims are encouraged to pay a ransom to receive it. Research shows, however, that these people should never be trusted – cyber criminals often ignore victims once ransoms are submitted. Therefore, never attempt to contact these people or pay any ransom. There is a high probability that paying will not deliver any positive result and you will simply be scammed. Paying is equivalent to sending your money to cyber criminals – you simply support their malicious businesses. Unfortunately, there are no tools capable of restoring files encrypted by Executioner (Cellat). Therefore, you can only restore your files/system from a backup. We recommend using a Total Security approach such as Max Total Security to handle such nuisance.

The Executioner ransomware also known as Cellat ransomware is most likely spread via spam emails containing malicious email attachments, pdf attachments and Word documents prompting the user to enable Macros, etc. Most recent ransomware cases rely on this method of distribution because of its high success rates. Most users tend to be careless with suspicious emails which often lead to ransomware and malware infections.

However, there are other probable methods of infections that could be used by the creators of the Executioner crypto virus. A payload dropper which triggers its malicious script could be spread online. The ransomware may also be spreading the payload file on social media websites and file-sharing services. Another popular method of ransomware and malware distribution is via freeware packages where a program may be bundled with malicious programs.

To avoid infections of that kind, be extremely cautious when dealing with files downloaded from the Web as well as with emails sent by unknown or suspicious entities.

Fireball- a browser-hijacker Infects Nearly 250 Million Computers Worldwide

Security researchers have discovered a massive malware campaign that has already infected more than 250 million computers across the world, including Windows and Mac OS and 20% of corporate networks globally. A Chinese digital marketing company named Rafotech is behind this malware.

Dubbed Fireball, the malware is an adware package that takes complete control of victim’s web browsers and turns them into zombies, potentially allowing attackers to spy on victim’s web traffic and potentially steal their data.

However, Fireball also can be turned into a fully functioning malware downloader, and is capable of executing any code on the victim machines. That means it can carry out a wide range of actions, including stealing credentials and loading ransomware.

For now, it seems focused on adware. Fireball manipulates victims’ browsers and turns their default search engines and home pages into fake search engines, which simply redirect the queries to either yahoo.com or Google.com to generate ad revenue. According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000. Fireball also installs plug-ins and additional configurations to boost its advertisement activity. Fireball has turned out to be virulent, with an enormous infection rate. The biggest proportion of infections are in India, Brazil and Mexico, and there are more than 5.5 million in the US.

The good news is that Fireball can be removed from PCs by uninstalling the adware using Programs and Features list in the Windows Control Panel, or using the Mac Finder function in the Applications folder on Macs.
Max Total Security for windows and Mac Total Security detects and removes this malware.