Hermes Ransomware

Once it has infiltrated a system, Hermes encrypts files using RSA-2048 cryptography. This malware does not append an extension to the encrypted files. Following successful encryption, Hermes creates an HTML file containing a ransom-demand message (“DECRYPT_INFORMATION.html”) and places it in each folder containing encrypted files. It also drops a UNIQUE_ID_DO_NOT_REMOVE file that victims are encouraged to attach to email messages when communicating with the cyber criminals responsible for this malware. When Hermes is executed, it also uses a User Account Control (UAC) bypass called Eleven, or Elevation by environment variable expansion, to delete the victim’s Shadow Volume Copies and backup files.


Hermes uses a UAC bypass to execute a batch file called shade.bat. This batch file, shown below, will not only delete the computer’s shadow volumes, but will also delete backup images that may be present on the computer. It does this to prevent a victim from restoring encrypted files from a backup.


The backup images that are deleted are ones that match the following filenames:

*.VHD, *.bac, *.bak, *.wbcat, *.bkf, Backup*.*, backup*.*, *.set, *.win, *.dsk

When the Hermes Ransomware is executed, it will copy itself to C:\Users\Public\Reload.exe and execute itself. It will then launch a batch file called system_.bat, which is used to delete the original installer as shown below.


Files associated with the Hermes Ransomware
C:\Eleven\Microsoft\Windows\Start Menu
C:\Eleven\Microsoft\Windows\Start Menu\Programs
C:\Eleven\Microsoft\Windows\Start Menu\Programs\Administrative Tools
C:\Eleven\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk

Registry entries associated with the Hermes Ransomware
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\allkeeper C:\users\User\Desktop\DECRYPT_INFORMATION.html

SHA256: 059aab1a6ac0764ff8024c8be37981d0506337909664c7b3862fc056d8c405b0

Use Max Total Security to prevent damage to your files and save yourself from paying ransom to such malware.

Cyber Splitter VBS Ransomware

The ‘Cyber Splitter Vbs’ Ransomware is a ransomware Trojan that is being used to coerce PC users into spending large amounts of money by taking their files hostage. Its attack strategy is similar to what we have seen with numerous other ransomware threats.

Essentially, the ‘Cyber Splitter Vbs’ Ransomware will encrypt the victim’s files, making them unusable, and then demand that the victim pays large amounts of money to recover access to the encrypted files. PC security analysts are against paying the ‘Cyber Splitter Vbs’ Ransomware’s ransom.

The most plausible explanation is that CyberSplitter 2.0 was sent to your inbox. As we mentioned, ransomware doesn’t rely on your active cooperation. It uses your distraction instead. For instance, hackers often attach the virus to some corrupted, fake email. All you have to do is open it. Voila. You end up downloading a nasty infection on your own computer. Keep in mind those emails appear to be perfectly harmless. They might be disguised as job applications or emails from a shipping company. The goal is to trick you into clicking them open. To prevent infiltration, delete emails/messages from unknown senders.

Prevention is indeed the easier option. Stay away from illegitimate torrents, websites and software bundles. We would also recommend that you avoid third-party pop-ups. Ransomware might get spread online via exploit kits as well.


The only way to protect yourself is to keep a good, updated total security suite with antivirus on your PC, one that takes a backup every day and lets you restore your files if you are infected, such as Max Total Security.

CryptoShield 1.0 Ransomware

A new CryptoMix, or CrypMix, variant called CryptoShield 1.0 Ransomware has been discovered. The infected files may be sent out via a variety of e-mail templates spammed to the victim, claiming to contain an invoice or other important document that has to be opened. Most inexperienced users tend to open such attachments.

After the malicious attachment is opened, the virus gets right down to business. It may create multiple malicious files, also known as modules, each of which is responsible for different activities. The files may be dropped under different names in the following Windows folders: AppData, Temp, Roaming, the user profile, Common and System32. File names could be notepad.exe, setup.exe, patch.exe, update.exe, software-update.exe, svchost.exe etc.

After dropping the files, the CryptoShield 1.0 virus may create registry entries (listed generically here as regval and regdata) in these key locations:

HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run or RunOnce

When CryptoShield encrypts a file it uses AES-256 encryption, encodes the filename with ROT-13, and then appends the .CRYPTOSHIELD extension to the encrypted file. For example, a file called test.jpg would be encrypted and renamed as grfg.wct.CRYPTOSHIELD. You can decode the filenames by using any ROT-13 encoder, such as
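Recovering the original filenames is useful when inventorying what was hit before any restore from backup. The following is an added example, not code from the original post or from any vendor tool; the directory listing it triages is constructed for the demonstration, and the ROT-13 rule and the two ransom-note names are taken from the write-up above.

```python
import ntpath
from typing import Dict, List, Optional

CRYPTOSHIELD_EXT = ".CRYPTOSHIELD"
# Ransom note names from the write-up; they are dropped beside encrypted files.
RANSOM_NOTES = {"# RESTORING FILES #.HTML", "# RESTORING FILES #.TXT"}


def rot13(text: str) -> str:
    """ROT-13 is its own inverse: letters rotate by 13 places, case is kept,
    and digits, dots and other characters pass through unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def original_name(encrypted_name: str) -> Optional[str]:
    """Recover the pre-infection filename from a CryptoShield-renamed file.
    Returns None when the name does not carry the .CRYPTOSHIELD marker,
    so untouched files are never 'decoded' by mistake."""
    if not encrypted_name.endswith(CRYPTOSHIELD_EXT):
        return None
    return rot13(encrypted_name[: -len(CRYPTOSHIELD_EXT)])


def triage_listing(paths: List[str]) -> Dict[str, List[str]]:
    """Sort a Windows directory listing into encrypted files (reported under
    the name they should get back), ransom notes and untouched files."""
    report: Dict[str, List[str]] = {"encrypted": [], "notes": [], "untouched": []}
    for path in paths:
        folder, name = ntpath.split(path)
        if name in RANSOM_NOTES:
            report["notes"].append(path)
            continue
        recovered = original_name(name)
        if recovered is None:
            report["untouched"].append(path)
        else:
            report["encrypted"].append(ntpath.join(folder, recovered))
    return report


# Constructed sample listing for the demonstration; not from a real victim.
SAMPLE_LISTING = [
    r"C:\Users\User\Pictures\grfg.wct.CRYPTOSHIELD",
    r"C:\Users\User\Documents\Ercbeg2017.qbpk.CRYPTOSHIELD",
    r"C:\Users\User\Documents\# RESTORING FILES #.TXT",
    r"C:\Users\User\Documents\# RESTORING FILES #.HTML",
    r"C:\Users\User\Documents\desktop.ini",
]

if __name__ == "__main__":
    for kind, entries in triage_listing(SAMPLE_LISTING).items():
        print(kind, entries)
```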

In each folder that CryptoShield encrypts a file, it will also create ransom notes named # RESTORING FILES #.HTML and # RESTORING FILES #.TXT.

During this process, the ransomware will issue the following commands to disable the Windows startup recovery and to clear the Windows Shadow Volume Copies as shown below.

cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
“C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet
“C:\Windows\System32\cmd.exe” /C net stop vss
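The four commands above (and the shadow-copy deletion Hermes performs through shade.bat, described earlier on this page) are the recovery-inhibiting steps a process-creation log can be watched for. Below is an added example, not code from the original post: a small rule set run over constructed log records whose format (timestamp, pid, cmdline=...) is assumed for the demonstration.

```python
import re
from typing import List, Tuple

# Each rule is (name, pattern). The patterns follow the commands listed in the
# CryptoShield write-up above; Hermes' shadow-copy deletion trips the first one.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("startup_recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("vss_service_stopped",
     re.compile(r"\bnet1?(\.exe)?\s+stop\s+vss\b", re.I)),
    ("wmic_process_create",
     re.compile(r'wmic(\.exe)?"?\s+process\s+call\s+create', re.I)),
]


def command_line(log_line: str) -> str:
    """Pull the command line out of one constructed process-creation record.
    Records look like: <timestamp> pid=<n> cmdline=<rest of line>."""
    marker = "cmdline="
    idx = log_line.find(marker)
    return log_line[idx + len(marker):].strip() if idx >= 0 else ""


def scan_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule_name, command_line) for every record that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        cmd = command_line(line)
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((name, cmd))
    return hits


def looks_like_ransomware_prep(hits: List[Tuple[str, str]], threshold: int = 2) -> bool:
    """One vssadmin call can be an administrator cleaning up; several distinct
    recovery-inhibiting actions in one log window is the ransomware pattern."""
    return len({name for name, _ in hits}) >= threshold


# Constructed sample records: one benign service, one benign vssadmin query,
# then the CryptoShield sequence from the write-up (UAC prompt included).
SAMPLE_LOG = r"""2017-02-01T10:00:01 pid=1104 cmdline=C:\Windows\System32\svchost.exe -k netsvcs
2017-02-01T10:00:02 pid=2040 cmdline=vssadmin list shadows
2017-02-01T10:00:05 pid=2088 cmdline=cmd.exe /C bcdedit /set {default} recoveryenabled No
2017-02-01T10:00:05 pid=2090 cmdline=cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
2017-02-01T10:00:06 pid=2094 cmdline="C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
2017-02-01T10:00:06 pid=2096 cmdline="C:\Windows\System32\cmd.exe" /C net stop vss
2017-02-01T10:00:09 pid=2100 cmdline="C:\Windows\SysWOW64\wbem\WMIC.exe" process call create "C:\Users\User\SmartScreen.exe"
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for name, cmd in found:
        print(f"{name}: {cmd}")
    print("ransomware-like:", looks_like_ransomware_prep(found))
```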

CryptoShield will then display a fake alert stating that there was an application error in Explorer.exe. The alert contains spelling mistakes such as “momory” and an odd request that you should click on the Yes button in the next window “for restore work explorer.exe”. Once you press OK on that prompt, you will be presented with a User Account Control prompt, which asks if you wish to allow the command “C:\Windows\SysWOW64\wbem\WMIC.exe” process call create “C:\Users\User\SmartScreen.exe” to execute. This explains why the previous alert was shown: to convince the victim to click on the Yes button in the UAC prompt that follows.


File Associated with the CryptoShield CrypMix Variant:
Registry Entries Associated with the CryptoShield CrypMix Variant:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Windows SmartScreen” = “C:\ProgramData\MicroSoftWare\SmartScreen\SmartScreen.exe”

Keep a good antivirus such as Max Total Security installed, update it daily and scan once a day to stay free of malware.

“Turla” Group Uses New JavaScript Malware

Turla, also known as Snake / Uroburos / Venomous Bear and KRYPTON, is a Russian-speaking APT group that has been active since at least 2007. Its activity can be traced to many high-profile incidents, including the 2008 attack against the US Central Command and, more recently, the attack against RUAG, a Swiss military contractor. The Turla group has been known as an agile, very dynamic and innovative APT, leveraging many different families of malware, satellite-based command and control servers and malware for non-Windows OSes.


The document above shows an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs (MoFA) in Cyprus. Based on the name of the document (National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc), it is presumed it may have been sent from the Qatar Ambassador’s secretary to the MoFA, possibly indicating Turla already had control of at least one system within Qatar’s diplomatic network.

The document contains a malicious macro, very similar to previous macros used by Turla in the past to deliver Wipbot, Skipper, and ICEDCOFFEE. However, the macro did contain a few modifications to it, mainly the XOR routine used to decode the initial JavaScript and the use of a “marker” string to find the embedded payload in the document.

This JS will begin by copying itself to the appropriate folder location based on the version of Windows running:

c:\Documents and Settings\\Application Data\Microsoft\Windows\mailform.js

Next, it will write to the following registry key:

Key: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\mailform
Value: wscript.exe /b “ NPEfpRZ4aqnh1YuGwQd0”

After establishing its persistence, it will then execute a series of commands on the victim system using “cmd.exe /c” and store them to a file named “~dat.tmp”, in the same folder where “mailform.js” is located.
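The Run-key entries on this page (Hermes' allkeeper value pointing at the ransom note, CryptoShield's “Windows SmartScreen” value under ProgramData, and Turla's mailform value launching a script through wscript.exe) share traits that can be checked mechanically. The following is an added example, not code from the original post: it reviews a constructed list of Run entries; the full mailform.js path and the benign SecurityHealth entry are assumptions made for the demonstration.

```python
import ntpath
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Locations an unprivileged user can write to; a Run target there is suspect.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# Extensions that are documents, not programs, yet sometimes used as Run targets.
NON_EXECUTABLE = {".html", ".htm", ".txt"}
# Words that make a value name look like a Windows component.
VENDOR_WORDS = ("windows", "microsoft", "smartscreen")
WINDOWS_DIR = re.compile(r"^(%windir%|%systemroot%|[a-z]:\\windows\\)")


def split_command(data: str) -> List[str]:
    """Tokenise a Run-key command; quoted segments stay together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', data)]


def assess_run_entry(name: str, data: str) -> List[str]:
    """Return the reasons one Run value looks suspicious (empty list if none)."""
    reasons: List[str] = []
    tokens = split_command(data)
    if not tokens:
        return ["empty command"]
    if ntpath.basename(tokens[0]).lower() in SCRIPT_HOSTS:
        reasons.append("script host launches a script at logon")
    paths = [t for t in tokens if "\\" in t]
    for p in paths:
        pl = p.lower()
        if any(w in pl for w in USER_WRITABLE):
            reasons.append(f"runs from user-writable location: {p}")
        if ntpath.splitext(pl)[1] in NON_EXECUTABLE:
            reasons.append(f"opens a document rather than a program: {p}")
    looks_vendor = any(w in name.lower() for w in VENDOR_WORDS)
    if looks_vendor and not any(WINDOWS_DIR.match(p.lower()) for p in paths):
        reasons.append("name imitates a Windows component but target is outside the Windows directory")
    return reasons


def triage_run_entries(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious value name to its reasons; clean entries are omitted."""
    return {name: r for name, data in entries if (r := assess_run_entry(name, data))}


# Constructed sample of HKCU\...\CurrentVersion\Run values for the demonstration.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("allkeeper", r"C:\users\User\Desktop\DECRYPT_INFORMATION.html"),
    ("Windows SmartScreen", r'"C:\ProgramData\MicroSoftWare\SmartScreen\SmartScreen.exe"'),
    ("mailform", r'wscript.exe /b "C:\Users\User\AppData\Roaming\Microsoft\Windows\mailform.js"'),
]

if __name__ == "__main__":
    for value_name, why in triage_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(value_name, "->", "; ".join(why))
```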

Network Communications

With the victim info stored in encrypted form in memory, the JavaScript then will perform the necessary callback(s) to the C2 servers which are hard coded in the payload. The addresses seen in this payload were as follows:


It should be noted that the above domains appear to have been compromised by the actor based on the locations of the PHP scripts.
It is advised that organisations disable macros across their enterprise and not allow users to enable said content unless absolutely necessary. Also scan with Max Total Security every day and update daily to get the latest malware signatures.

HummingBad Returns-Android Malware

HummingBad, an Android malware estimated to have touched over 85 million devices worldwide, was recently found in 46 new applications, 20 of which had even made their way into the official Play Store, passing Google’s security checks. The malware briefly returned as the approved ‘Whale Camera’ Play Store app.

HummingBad surfaced in February 2016 and earned its creators up to $300,000 per month in ad fraud revenue. In terms of Android malware, HummingBad is the biggest player active today, accounting for 72% of all mobile infections.

HummingWhale works by showing unwanted ads to its victims, but when the user moves to close the ad, the malware opens a virtual machine and installs the advertised app inside it. This way the HummingBad authors earn revenue in pay-per-install affiliate programs and install as many apps as possible on infected devices without polluting the device’s application list.

Furthermore, HummingWhale gained another feature, which was the ability to post reviews and ratings on the Google Play Store on behalf of infected users, a tactic used to earn an extra revenue or give a boost to other malicious apps.


Max Total Security-Android detects this Malware.

DeriaLock Ransomware Active on Christmas

The DeriaLock Ransomware is a piece of code that locks your computer and then demands that the user pay US$30 to regain access.

Ransomware families generally fall in one of two categories: screen lockers (which prevent access to your computer but leave your files alone) and crypto lockers (which allow you to use your computer but encrypt all your files).

DeriaLock belongs to the first category: it locks the screen and prevents users from accessing their files or applications, but leaves the data intact.

The instructions state that the victim can purchase a key to unlock the computer by talking to a Skype account named ‘Arizonacode’.
DeriaLock uses a hardware ID from the victim to decide whether the lock should be applied, which means the infection exchanges information with the criminals. Once launched, DeriaLock takes the computer’s MachineName identifier and generates an MD5 hash from it. Since malware authors often infect themselves by accident, the DeriaLock source code includes a hard-coded MD5 hash. After checking the MD5 locally, the ransomware then contacts its command and control (C&C) server and retrieves the most current version of itself, saving the file at:

C:\users\appdata\roaming\microsoft\windows\start menu\programs\startup\SystemLock.exe

DeriaLock will then run this file, which now passes all checks and starts the screen-locking behavior by showing a fullscreen window with the following ransom note:
The screen locker window also includes two buttons that when clicked, provide translations of the ransom note in German and Spanish. Only the German translation button works.
The good news is that DeriaLock requires the .NET Framework 4.5 to be installed, which means it won’t work on Windows XP machines.

1 Million Google Accounts Breached by Gooligan Malware

Gooligan has compromised and stolen login tokens from over one million Android devices. The malware was first seen in 2014, and initially it did not include the ability to steal Google login tokens.

Since it first appeared, the malware has been detected by different security firms under different names such as Ghost Push, MonkeyTest, and Xinyinhe. In Google reports, you’ll find it referenced as Ghost Push. This malware uses malicious apps hosted on third-party app stores to infect users. Once Gooligan has a foothold on an infected device, it contacts an online command and control (C&C) server and downloads a rootkit package that gains boot persistence and also includes four or five Android exploits that root the device.
Anyone running an older version of the Android operating system, including Android 4.x (Jelly Bean, KitKat) and 5.x (Lollipop), is most at risk, which represents nearly 74% of Android devices in use today. After getting root privileges, Gooligan installs apps from the Google App Store as part of affiliate pay-per-install schemes, gives fraudulent ratings to apps on the Google App Store, and installs adware that clicks on ads for the malware author’s profit.
This is what Gooligan does:

1. Steal a user’s Google email account and authentication token information
2. Install apps from Google Play and rate them to raise their reputation
3. Install adware to generate revenue

Appendix A: List of fake apps infected by Gooligan

Perfect Cleaner
WiFi Enhancer
Html5 Games
memory booster
Flashlight Free
memory booste
Touch Beauty
Small Blue Point
Battery Monitor
UC Mini
Shadow Crush
Sex Photo
Hip Good
Memory Booster
phone booster
Wifi Master
Fruit Slots
System Booster
Dircet Browser
Puzzle Bubble-Pet Paradise
Light Browser
Clean Master
YouTube Downloader
Best Wallpapers
Smart Touch
Light Advanced
Beautiful Alarm
Detecting instrument
GPS Speed
Fast Cleaner
Blue Point
Compass Lite
Fingerprint unlock
Assistive Touch
Sex Cademy
Wifi Speed Pro
Kiss Browser
Chrono Marker
Slots Mania
Multifunction Flashlight
So Hot
Swamm Browser
Sexy hot wallpaper
Wifi Accelerate
Simple Calculator
Daily Racing
Talking Tom 3
Hot Photo
Music Cloud

Right now the only way to get rid of this Malware is to re-flash your device.

Cerber Ransomware 5.0 is Out

With the release of yet another version of the notorious Cerber ransomware, malware authors have proven that so far they cannot be stopped. The version of the malware (5.0.1) is detected in parallel with Locky’s latest update using the .zzzzz file extension, suggesting competition between the two ransomware makers. Ransomware attacks have continued to increase and users who have had their files encrypted by such viruses are requested to pay a hefty ransom fee in order to get their files back. Anyone who has been infected by the ransomware should not pay the ransom amount.

Cerber ransomware may use .hta, .html or .htm files to cause an infection via a spam message sent out to users; infections are also caused via malicious web links uploaded online and sent out as a message on social media or other places that favor third-party web links. Once installed, Cerber 5.0 will encrypt the victim’s data and then demand a ransom payment in bitcoins to decrypt the files.

– The .secret extension is added to the list of files types targeted for encryption.
– The ransomware will now skip 640 bytes, compared to 512 bytes in previous versions, when encrypting a file.
– The minimum size of a file that Cerber will encrypt is now 2,560 bytes, compared to 1,024 bytes in previous versions. This means that any file smaller than 2,560 bytes will not be encrypted.

In addition, there were some changes in the IP ranges used to send statistical UDP packets. The ranges are:,, and

As always, we close this blog with the suggestion that users of any computing device should be careful before downloading any software and decline any free software bundled with it. Also keep a good antivirus program such as Max Total Security and have peace of mind with advanced detection and daily data backup (just in case some ransomware makes it to your files!).

Kangaroo ransomware

The Kangaroo ransomware is the latest ransomware from the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda.

Because the ransomware terminates the Explorer process when started and prevents the launching of Task Manager, it essentially locks a user out of Windows until they pay the ransom or remove the infection. Though the screen locker can be disabled in Safe Mode or by pressing the ALT+F4 keyboard combination, for many casual computer users this would essentially prevent them from using their computer.

Following successful infiltration, Kangaroo encrypts files and appends their names with the “.crypted_file” extension (for example, “sample.jpg” becomes “sample.jpg.crypted_file”). Once files are encrypted, Kangaroo opens a pop-up message and creates identical text files beside each encrypted file. The text file names are associated with the encrypted files (for example, “sample.jpg.crypted_file.Instructions_Data_Recovery.txt”). The pop-up message and text files contain an identical ransom-demand message.

Unlike most other ransomware infections, this family is not spread through exploit kits, cracks, compromised sites, or Trojans, but instead by the developer manually hacking into computers using Remote Desktop. When the dev hacks into a computer and executes the ransomware, a screen will be shown that contains the victim’s unique ID and their encryption key.

When the developer clicks on Copy and Continue, the information is copied into the Windows clipboard so that the developer can save it. The ransomware will then begin to encrypt the computer’s files and will append the .crypted_file extension to each encrypted file’s name. This ransomware also performs the strange practice of creating an individual ransom note for every file that is encrypted. These ransom notes are in the format filename.Instructions_Data_Recovery.txt, for example test.jpg.Instructions_Data_Recovery.txt.

When finished, Kangaroo displays a fake lock screen implying that there is a critical problem with the computer and that the data was encrypted. It then provides instructions on how to contact the developer at to restore the data.
This ransomware will also configure the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “LegalNoticeText” registry value so that it shows a legal notice that a user must read before they are shown the Windows login prompt. This guarantees that a victim, or a computer’s administrator, will see the ransom note the next time they login.

At this time, there is no way to decrypt the encrypted files. As I have always cautioned readers, keep a good antivirus and total security program such as Max Total Security to prevent malware and to recover data once attacked.

Android.MulDrop.924 malware has more than one million installs on Google Play Store

More than a million users have downloaded a particularly sneaky Android trojan that is available on the official Google Play Store. Android.MulDrop.924 is an application that lets the user run several user accounts in games and other applications. However, its main function is to covertly download and display advertisements.
Part of the Trojan’s functionality is implemented by means of the modules kxqpplatform.jar and main.jar. They are encrypted and embedded into the PNG image icon.png, which is located in a resource directory. Once launched, the Trojan extracts these components into its local directory in the /data partition and loads them into memory.

The module main.jar contains several advertising plug-ins designed to generate income. One of them is the Trojan Android.DownLoader.451.origin that covertly downloads applications and invites a user to install them. The module is also responsible for advertising.

In another version of Android.MulDrop.924, the module main.jar contains one more malicious plug-in that is detected as Android.Triada.99. It downloads exploits and uses them to get root privileges. In addition, this module can download and install various software programs.
If your device is infected and locked, activate Safe Mode, then install and scan with Max Total Security for Android to get rid of this and many other malware families prevalent on Android devices.