$ucyLocker Ransomware

The $ucyLocker Ransomware is a file encoder Trojan that is designed to corrupt data on compromised devices and offers users a chance to recover their data. The authors of the $ucyLocker Ransomware used “VapeHacksLoader.exe” and “Loader-Private” to install the ransomware within the PC. After infecting the computer, this ransomware encrypts files stored in the system and adds .WINDOWS file extension to each of them. Then it outputs some text into a ransom note READ_IT.txt which the virus saves on the desktop. This virus aims to extort the victim as it asks 0.16 BTC in exchange for a decryption key.

lucyLocker

Following message is shown by this ransomware:

Window 1:
‘Your computer is locked. Please do not close this window as that will result in serious computer damage
Click next for more information and payment on how to get your files back.
$usyLocker

Window 2:
‘Your Files are locked. They are locked because you downloaded something with this file in it. This is ransomware. It locks your files until you pay for them. Before you ask, Yes we will give you your files back once you pay and our server confirms that you pay.
Next’

Window 3:
‘I paid, Now give me back my files
Send 0.16 to the address below
[34 RANDOM CHARACTERS]
bitcoin
ACCEPTED HERE’

Do not pay this Ransomware any money as there is no guarantee that it will recover your files. Go to control panel, review and uninstall any unwanted programs that you see. Go to Task manager and delete any processes or services that are not familiar to you and from Max Total Security >Options menu remove any BHOS and Startup entries that you see. From browsers remove any add ins.

Restore all of your files from Max Total Security Restore option.

Executioner (Cellat) ransomware

Executioner (Cellat) is a ransomware-type virus encrypts various data and appends six random characters to a name of each encrypted file. For example, “sample.jpg” might be renamed to “sample.jpg.h80skl” or similar. Executioner (Cellat) then changes the desktop wallpaper and creates an HTML file (“Sifre_Coz_Talimat.html”), placing it in each folder containing encrypted files.

The wallpaper contains a ransom-demand message in Turkish stating that files are encrypted and that a ransom of the equivalent of $150 in Bitcoins must be paid to restore them. It is currently unknown whether Executioner (Cellat) uses symmetric or asymmetric cryptography. In any case, decryption without a unique key is impossible. Cyber criminals store this key on a remote server and victims are encouraged to pay a ransom to receive it. Research shows, however, that these people should never be trusted – cyber criminals often ignore victims once ransoms are submitted. Therefore, never attempt to contact these people or pay any ransom. There is a high probability that paying will not deliver any positive result and you will simply be scammed. Paying is equivalent to sending your money to cyber criminals – you simply support their malicious businesses. Unfortunately, there are no tools capable of restoring files encrypted by Executioner (Cellat). Therefore, you can only restore your files/system from a backup. We recommend using a Total Security approach such as Max Total Security to handle such nuisance.

The Executioner ransomware also known as Cellat ransomware is most likely spread via spam emails containing malicious email attachments, pdf attachments and Word documents prompting the user to enable Macros, etc. Most recent ransomware cases rely on this method of distribution because of its high success rates. Most users tend to be careless with suspicious emails which often lead to ransomware and malware infections.

However, there are other probable methods of infections that could be used by the creators of the Executioner crypto virus. A payload dropper which triggers its malicious script could be spread online. The ransomware may also be spreading the payload file on social media websites and file-sharing services. Another popular method of ransomware and malware distribution is via freeware packages where a program may be bundled with malicious programs.

To avoid infections of that kind, be extremely cautious when dealing with files downloaded from the Web as well as with emails sent by unknown or suspicious entities.

Fireball- a browser-hijacker Infects Nearly 250 Million Computers Worldwide

Security researchers have discovered a massive malware campaign that has already infected more than 250 million computers across the world, including Windows and Mac OS and 20% of corporate networks globally. A Chinese digital marketing company named Rafotech is behind this malware.

Dubbed Fireball, the malware is an adware package that takes complete control of victim’s web browsers and turns them into zombies, potentially allowing attackers to spy on victim’s web traffic and potentially steal their data.

However, Fireball also can be turned into a fully functioning malware downloader, and is capable of executing any code on the victim machines. That means it can carry out a wide range of actions, including stealing credentials and loading ransomware.

For now, it seems focused on adware. Fireball manipulates victims’ browsers and turns their default search engines and home pages into fake search engines, which simply redirect the queries to either yahoo.com or Google.com to generate ad revenue. According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000. Fireball also installs plug-ins and additional configurations to boost its advertisement activity. Fireball has turned out to be virulent, with an enormous infection rate. The biggest proportion of infections are in India, Brazil and Mexico, and there are more than 5.5 million in the US.

The good news is that Fireball can be removed from PCs by uninstalling the adware using Programs and Features list in the Windows Control Panel, or using the Mac Finder function in the Applications folder on Macs.
Max Total Security for windows and Mac Total Security detects and removes this malware.

The Judy Malware-Android

Up to 36.5 million Android devices may have been infected by malware that produced fake ad clicks and lined the pockets of its developers. 41 apps developed by Korea-based Kiniwini and published under the moniker ENISTUDIO Corp., “infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.

Google “swiftly” removed the apps from Google Play after being alerted to their existence, but not before they “reached an astonishing spread between 4.5 million and 18.5 million downloads.
judy-malware

Once a user downloads a malicious app, it silently registers receivers which establish a connection with the [Command and Control] server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure.

Keep your Android device protected with the updated Max Total Security for Android.

Despite apps going through periodic reviews, Google’s Play Store security system, named Bouncer, wasn’t able to pick up the malware’s malicious activity.
Google launches new Android security services

On May 17, during the Google I/O annual event, Google announced a new service called Google Play Protect. According to Google, this new service continuously scans all Android apps and user devices for malicious behavior and uses machine learning to detect any suspicious activity. Once it detects a malicious app, it removes it from the phones of all users who installed it.

The new Google Play Protect service suite is currently shipping to all devices with the Google Play app installed.

MoWare H.F.D ransomware

MoWare H.F.D is a ransomware cryptovirus that displays a window with a ransom message. The ransomware is a variant of HiddenTear and places the extension .H_F_D_locked after encryption. MoWare H.F.D ransomware might also distribute its payload file through spam emails, social media and file-sharing services. MoWare H.F.D ransomware makes entries in the Windows Registry to achieve persistence, and could launch or repress processes in a Windows environment. Such entries are typically designed in a way to launch the virus automatically with each start of the Windows operating system.

The MoWare H.F.D Ransomware is perceived as a very threatening Trojan because it is designed to encrypt 666 file types and support limiting the user’s control of the OS. A detailed report from cyber security researchers revealed that the MoWare H.F.D Ransomware could terminate access to the Registry Editor, the Task Manager, and the Command Line tool. Server administrators may have a hard time purging the MoWare H.F.D Ransomware from their network. The Trojan is associated with the ‘.H_F_D_locked’ string that is used a marker to inform users which files have been encrypted. For example, ‘Stars shack.png’ is renamed to ‘Stars shack.png.H_F_D_locked’ and the Windows Explorer does not generate a thumbnail for the photo. The encryption process may trigger error reports in database managers like MySQL, OracleDB and MongoDB. The ransom notification is generated as a program window named ‘MoWare H.F.D’ that says:

‘INFORMATION SECURITY
Your Personal Files has been Encrypted and Locked
Your documents, photos, databases and other important files have been encrypted with strongest encryption and locked with unique key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
Caution: Removing of MoWare H.F.D will not restore access ti your encrypted files.
Frequently Asked Questions
What happened to my files ? understanding the issue
How can i get my files back ? the only way to restore your files
What should i do next ? Buy decryption key
Now you have the last chance to decrypt your files.
1. Buy Bitcoin (https://blockchain.info)
2. Send amount of 0.02 BTC to address: 15nbyuacLHfm3FrC5hz1nigNVqEbDwRUJq
3. Transaction will take about 15-30 minutes to confirm.
4. When transaction is confirmed, send email to us at heyklog@protonmail.com

You should NOT under any circumstances pay the ransom. Your files may not get restored, and nobody could give you a real guarantee. Moreover, giving money to cybercriminals will likely motivate them to create more ransomware or do other criminal activities. You should keep an updated Anti Virus program such as Max Total Security which provides daily back and easy to restore mechanism in case you get infected with any of the Ransomware.

LightningCrypt ransomware

LightningCrypt is a crypto-malware that uses a strong encryption cipher to wreck various data stored on the targeted computer. This file-encrypting virus appends .LIGHTNING file extension to each of the corrupted pictures, audio, video, and text files, documents, databases and other widely used records. As soon as all targeted data is locked, ransomware delivers a ransom note in LightningCrypt_Recover_Instructions.txt file and triggers a pop-up window.

The threatening letter from cyber criminals tells that trying to recover data or delete LightningCrypt ransomware will lead to the data loss. According to the ransom note, the only way to decrypt files is to transfer 0.17 Bitcoins to the provided address. Once the transaction is made, damaged files should be recovered immediately. However, chances that you will never get back your files are quite high.

Cybercriminals created this malicious program to swindle the money from innocent computer users. Thus, they may not bother about decrypting their files because no one can find them and punish for a unkept promise. LightningCrypt infects when you open an infected email attachment. As soon as a person clicks on such file, malware payload is dropped and executed on the system. Apart from encrypting data, ransomware also modifies the registry and makes some entries in order to run itself automatically when Windows OS is launched. What is more, this cyber infection makes computer’s system vulnerable and might open the backdoor to other malware.

You should keep an updated Anti Virus program such as Max Total Security which provides daily back and easy to restore mechanism in case you get infected with any of the Ransomware.

May Ransomware

Month of May we saw a new Ransomware called May Ransomware. Once infiltrated, May encrypts various data using AES-256 and RSA-4096 encryption algorithms and appends filenames with the “.locked” extension (for example, “sample.jpg” is renamed to “sample.jpg.locked”). May then creates a text file (“Restore_your_files.txt”) containing a ransom-demand message and places it in each folder containing encrypted files.

The message informs victims of the encryption and make ransom demands of 1 Bitcoin (approximately, $1750) in exchange for file decryption. As mentioned above, May employs AES and RSA cryptographies and, therefore, decryption without unique keys is impossible. All of the files that get encrypted will receive the same extension appended to them, and that is the ‘.maysomware’ and ‘.locked’ extension.

The criminals provide each of their victims with a personal identification number. Presumably, the hackers keep all the ID’s in some sort of database next to the unique data decryption keys. That’s why the victims are asked to submit this number along with the payment. Nevertheless, this does not mean that you should. On the opposite, you should avoid getting involved in any type of collaboration with the criminals and take all measures possible to remove May virus from your computer.

You should keep an updated Anti Virus program such as Max Total Security which provides daily back and easy to restore mechanism in case you get infected with any of the Ransomware.

Google Play Apps Found Serving Adware

Dozens of applications available on Google Play were found delivering a strain of adware capable of collecting users’ personal information.
With these apps installed, users will have a full screen advertisement popping up at regular intervals even when the app is closed. For example:
adware-popup
The program then downloads another .dex file from cloud.api-restlet.com, which collects the following information from the user’s device:

Email address for Google account
List of apps installed
IMEI identifier and android_id
Screen resolution
Manufacturer, model, brand, OS version
SIM operator
App installation source

To avoid detection, researchers also found XavirAd to use encrypted strings. Each class has its own decryption routine in the class constructor, and although the algorithm remains the same, the keys are different in each class.

Furthermore, the XavirAd library uses anti-sandbox technology to hide from dynamic analysis, stopping malicious behaviors once it detects it is running in a testing environment. It also checks the user’s email address for another safety net that it’s not run by a tester. If the email address contains the following strings, it will stop the action:
The following Google Play apps contain XavirAd, and users may want to avoid them:
apps-used-on-google-play

WanaCry Ransomware

WanaCrypt, or also known as WanaCry, is a new ransomware that wreaked havoc across the world last night, which spreads like a worm by leveraging a Windows SMB vulnerability (MS17-010) that has been previously fixed by Microsoft in March. In these attacks, data is encrypted with the extension “.WCRY” added to the filenames. “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) has been made available on the internet through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14.

Unfortunately, it appears that many organizations have not yet installed the patch.

In the wake of the largest ransomware attack in the history that had already infected over 114,000 Windows systems worldwide since last 24 hours, Microsoft just took an unusual step to protect its customers with out-of-date computers. Microsoft has just released an emergency security patch update for all its unsupported version of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008 Editions. Download vulnerability patch from here https://technet.microsoft.com/en-us/library/security/ms17-010.aspx .

People already infected with this ransomware will not get their files back. It means that no new infections will occur with yesterday’s strain. Currently, there’s no known method of breaking the ransomware’s encryption. The only viable method of getting files back at the moment is from previous operating system backups, and by paying the ransom note, as a last resort. We recommend using Max Total Security which can help you restore your file from daily back up module, Tools>Max Backup Utility. It can also detect and terminate this Ransomware from spreading further on your PC.

Max Total Security also has a newly introduced module in its tools treasure. Tools>Max Application Whitelist , this module allows you to completely protect your PC from any unauthorized, not welcome executables. In a normal day to day operation you know which programs you are going to use on your PC so just go to this tool and allow those applications whicih run from program file folder. System executables are already taken care off. From now onward , no other executable will be allowed to run on your PC, completely protecting it from any types of Trojans.

Amnesia ransomware

The Amnesia Ransomware is used to take the victims’ files hostage. Ransomware Trojans like the Amnesia Ransomware are designed to encrypt the victim’s files using a strong encryption algorithm. It encrypts victim’s files and refrains from accessing their sensitive and other personal files. It alters the names of all encrypted files with .amnesia extension. Then attacker demands a ransom in exchange for file decryption.
The files encrypted in the Amnesia Ransomware attack will no longer be readable and may show up as blank icons in the Windows Explorer. The Amnesia Ransomware targets a wide variety of files, generally looking for user generated files that may include spreadsheets, text documents, images, videos, music files, databases, etc. The Amnesia Ransomware delivers its ransom note in the form of a text file named ‘HOW TO RECOVER ENCRYPTED FILES.TXT.’ This file alerts the victim of the attack and demands the payment of a ransom to recover the infected files. The full text of the Amnesia Ransomware ransom note:

‘YOUR FILES ARE ENCRYPTED!
Your personal ID:
[RANDOM CHRACTERS]
Attention! What happened?
Your documents, databases and other important data has been encrypted.
If you want to restore files send an email to: s1an1er111@protonmail.com
In a letter to indicate your personal identifier (see in the beginning of this document).
Attention!
* Do not attempt to remove the program or run the anti-virus tools.
* Attempts to self-decrypting files will result in the loss of your data.
* Decoders are not compatible with other users of your data, because each user’s unique encryption key.’

The best protection against the Amnesia Ransomware and similar ransomware threats is to have backups of all files on an independent memory device or the cloud, as well as a reliable security program like Max Total Security that is fully up-to-date and capable of intercepting the Amnesia Ransomware and similar threat attacks before they can start infection.