Connected and Autonomous Cars security concerns

By 2020, an estimated 188 million connected vehicles will be on the road according to Navigant Research. In 2025 partially autonomous cars and completely autonomous cars are expected to account for more than 15% of all cars shipped that year. This number will jump to 70% of all cars shipped in 2025, nearly 72 million cars annually.

For hackers, this evolution in automobile manufacturing and design means yet another opportunity to exploit vulnerabilities in insecure systems and steal sensitive data and/or harm drivers. Connected cars pose serious privacy concerns: When you get down to it, your car knows a lot about you: where you go, when you go, how long you are there, the route you took to get there, the way you drove to get there, the temperature of the cabin, what entertainment you engaged in, and how long you were chatting on the phone (if you use Bluetooth). If you’re using it, quite a detailed record of your life is being collected and potentially transmitted somewhere. The biggest risk of car cyber attacks is loss of lives.

The vehicle mobile phone hardware providing a connection to the on-board computer system is also vulnerable to malware being installed that could allow a thief to unlock the car remotely and steal it. This is serious as there is already talks of an app store for vehicle apps.

Harvey hurricane phishing scams

US-CERT (United states computer emergency readiness team) warns users to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey. Users are advised to exercise caution in handling any email with subject line, attachments, or hyperlinks related to Hurricane Harvey, even if it appears to originate from a trusted source. Fraudulent emails will often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations from duplicitous charitable organizations commonly appear after major natural disasters.

US-CERT encourages users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:

1. Do not follow unsolicited web links in email messages
2. Use caution when opening email attachments.
3. Keep antivirus and other computer software up-to-date.
4. Verify the legitimacy of any email solicitation by contacting the organization directly through a trusted contact number.
5. You can find trusted contact information for many charities on the BBB National Charity Report Index

It is recommended to use a trusted Anti virus such as Max Total Security with 24×7 technical support.

Bam! Ransomware

This ransomware stealthily infiltrates systems and encrypts various data. During encryption, this malware appends the “.bam!” extension to the name of each file (for example, “sample.jpg” is renamed to “sample.jpg.bam!”). Following successful encryption, Bam! changes the desktop wallpaper.

The new wallpaper contains a message that details the encryption and encourages users to buy decryption software. It is currently unknown whether Bam! uses symmetric or asymmetric cryptography, however, in any case, file decryption requires a unique key. This key is stored on a remote server controlled by cyber criminals. Users are encouraged to pay a ransom in exchange for a decryption tool with the key embedded within. To receive this, victims must supposedly contact cyber criminals via one of the email addresses provided.


The infection process of Bam! Ransomware virus begins with a simple click by the victim. This click can be on a file that is uploaded online, such as:
1. Fake installers of a program you may have sought for to download for free (media player, torrent downloader client, etc.)
2. Fake license activators or key generators that instead of activating a program, cause the infection.
3. In addition to this, the ransomware virus may be spread via what is known as mailspam or malicious e-mail spam. Such messages are often sent to victims under the pretext they are an important invoice, receipt from the bank or notification of suspicious bank activity. These e-mails may contain either an e-mail attachment that is actually the infection file.

Targeted files can be dropped in these locations with different names , usually common windows services:
%AppData% notepad.exe
%Temp% setup.exe
%Roaming% svchost.exe
%Common% update.exe
%System32% software-update.exe
%{userprofile}% random-alphanumeric.exe or some valid application name

It may also delete system backup and disable system recovery.

The .bam! file virus aims to attack only specific files on the infected computer, more importantly:

Audio files.
Virtual Drives.

Max Secure software has just launched cyrptomonitor tool which can completely prevent any cryptoransomware infecting your c and encrypting data. Get it from here Max Total Security

Scorpio ransomware

Scorpio Encrypts the files on the compromised computer asking it’s owner to pay in BitCoin in order to get them back. The files encrypted with the .scorpio file extension added after them. The ransom note remains the same as with the .scarab file virus.

Distribution Method: Spam Emails, Email Attachments, Executable files

Scorpio Ransomware marks the files encrypted by the attack adding a specific extension to the end of each file’s name. The Scorpio Ransomware also will encrypt the affected files’ names, replacing them with what appears to be a string of random characters. The

Scorpio Ransomware’s ransom note is contained in a text file with the following name: ‘IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.TXT.’ The full text of the Scorpio Ransomware ransom note reads:
Your files are now encrypted!
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address:
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 5Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).
How to obtain Bitcoins?
* The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click
‘Buy bitcoins’, and select the seller by payment method and price:
* Also you can find other places to buy Bitcoins and beginners guide here:
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.’

We do not recommend you to follow cybercriminals’ instructions because they do not provide any guarantees to you, besides, think about the consequences – paying the ransom simply allows criminals to fund their further illegal projects. Unfortunately, the files affected by the Scorpio Ransomware attack are not recoverable. Your best bet is to recover all of your files using Max Total Security Backup/Restore tool if you had this software installed on your PC, IF you did not , it is never late to start using it now and have a total peace of mind.

Reyptson ransomware

Reyptson virus operates as crypto-threat capable of encrypting data with the AES cipher. After the process, the malware appends .REYPTSON file extension to the data. Since the virus is written in the Spanish users, the malware targets users of this country.

Furthermore, recent analysis has revealed the threat’s tendency to hack victims’ Thunderbird contact list and plague its contacts with fraudulent invoices messages. Now it clearly prefers Spanish users. They are expected to receive the biggest share of such emails. The pop-up and text file contain a ransom-demand message in Spanish stating that files are encrypted using the AES-128 algorithm and that victims must pay a ransom to restore them.


Reyptson includes the ability to distribute itself through a spam email campaign conducted from the victim’s computer. It does this by checking if the Thunderbird email client is installed, and if it is, it will attempt to read the victim’s email credentials and contact list. If it is able to retrieve the contacts and credentials, it will begin a spam campaign to send out fake invoices to the victim’s contact list. These spam emails will have a subject line of Folcan S.L. Facturación and will contain a fake invoice. This invoice is written in Spanish and tells the recipient to click on a link to download an invoice. When the recipient clicks on the link, it will download a file called factura.pdf.rar, which contains an executable. This executable will infect the user with the ransomware when it is opened.

SHA256: e6d549543863cd3eb7d92436739a66da4b2cc1a9d40267c4bb2b2fa50bf42f41

Network Communication:

Files associated with the Reyptson Ransomware:

Registry Entries associated with the Reyptson Ransomware:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Spotify Web Helper v1.0 %AppData%\Spotify\SpotifyWebHelper\Spotify.vbs

At this time there is no way to decrypt files encrypted by Reyptson, but if you have been using Max Total Security then you can restore your files from the back up. Very soon Max Total Security is launching a totla protection tool from any ransomware.

Random6 Ransomware

Random6 Ransomware virus can alter your system security through Spam Emails, Browser Redirects, Bundled Installers and Malware Downloader. Random6 Ransomware virus will first lock down all your files with . Then after, it will leave a ransom note on your computer in TEXT or HTML format to describe about the decryption method. It will also replace the desktop background with a ransom image. It can also disable your anti-virus to make you helpless. It can block your Firewall security and make your system an easy target for other threats. It will force you to pay ransom money to rescue your files.

the Random6 Ransomware is programmed to alter not only the file’s structure but its name as well. The encoded files are recognized easily by the base64 encoded string and six random characters as a file extension. The cyber parasite is reported to target images, text, eBooks, PDFs, databases, and work-related files, which may be of great importance to the user. The Random6 Ransomware may run as [random 9-chars].exe in the Task Manager and change the desktop background of the compromised system. Due to the fact that users find unique extensions appended to the encoded files, the format of the ransom notification is a bit different as well. The Trojan is programmed to delete its traces after the encoding process is completed and it leaves the ransom request on the user’s desktop as ‘RESTORE-.[random 6-char ext]-FILES.txt.’ The file offers the following text:

‘Your files are Encrypted!
For decryption send letter on email in letter attach your Personal ID.
If email don’t works, register here:, send letter to BM-NBazWh9xNVf2SgmvLv8pc3Uc9CCXtXMu
With your Personal ID and email for contacts.
After you send payment to given BTC adress in answer, you will get your files restored.
Your Personal ID:

To prevent ransomware-type infections, be very cautious when browsing the Internet. Never open files received from suspicious emails, download software from unofficial sources, or use third party tools to update installed software. In addition, use a legitimate anti-virus/anti-spyware suite.

At this time the only option is to restore your files from the back up . Use Max Total Security to protect your PC and easily back and Restore your files. Get 24×7 complimentary support if you have any issues due to malware.

NotPetya and ExPetr

There are early signs of a new ransomware outbreak, currently affecting a large number of countries across the globe, such as the UK, Ukraine, India, the Netherlands, Spain, Denmark, and others. This ransom uses the contact details of and asks for a payment of $300 in Bitcoin. Petya’s initial distribution vector was a tainted update for an accounting software package popular in the Ukraine, from the legitimate MEDoc updater process.. The new ransomware has worm capabilities, which allows it to move laterally across infected networks.

To capture credentials for spreading, the ransomware uses custom tools, a la Mimikatz. These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network. The execution chain leading to the ransomware installation is represented in the diagram below and essentially confirms that EzVit.exe process from MEDoc, for unknown reasons, at some moment executed the following command-line:

C:\\Windows\\system32\\rundll32.exe\” \”C:\\ProgramData\\perfc.dat\”,#1 30

Other observed infection vectors include:

A modified EternalBlue exploit, also used by WannaCry.
The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).
An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.
IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.

Only if the malware is running with highest privilege (i.e., with SeDebugPrivilege enabled), it tries to overwrite the MBR code.

This ransomware attempts to encrypt all files, Unlike most other ransomware, this threat does not append a new file name extension to encrypted files. Instead, it overwrites the said files. The AES key generated for encryption is per machine, per fixed drive, and gets exported and encrypted using the embedded 2048-bit RSA public key of the attacker.

After completing its encryption routine, this ransomware drops a text file called README.TXT in each fixed drive. The said file has the following text:

After execution, the ransomware infects the system at a low level, modifying the MBR and presenting the user with the following prompt:

After a reboot, instead of loading into the operating system installed on the computer, the user is faced with a fake Check Disk operation that, instead of actually checking your hard disk for issues, is actually encrypting files. This is done to buy the ransomware more time to encrypt all the relevant files on the system without being stopped by the user. The MFT (Master File Table) and the MBR are also encrypted. The MBR is overwritten to display the ransom note, which makes it impossible to boot the system without remediation—meaning users must either pay the culprit or be unable to access their system. The computer will then display a menacing black screen with red lettering listing the ransomware’s purpose and its demands. The attack affects users by encrypting anywhere from a single file to the entire system.


look out for Max Total Security new tool next week which is blocking all malware access. Alomg with its already launched tool whitelist make your PC malware proof forever.

PSCrypt ransomware

PSCrypt is a ransomware based on GlobeImposter 2.0, a ransomware strain that’s been around for more than a year, and has evolved from the Globe ransomware family. Ukrainian users have been aggressively targeted during the past month with PSCrypt after XData and NotPetya.

The PSCrypt Ransomware Trojan is distributed to users via spam emails loaded with a macro-enabled Microsoft Word file. The document may be proposed to users as an invoice, order confirmation and message from a friend on a social media service. Either way, the file acts as an installer that includes a script which is loaded in Windows and issues commands that result in the installation of the PSCrypt Ransomware.

During data encryption, it appends .pscrypt file extension and makes data impossible to open. Once it’s done, this crypto-malware creates and saves a Paxynok.html file into every folder that contains encrypted data, including the desktop. The ransom note carries victim’s personal identifier and a message from cyber criminals which says that all files have been encrypted by PSCrypt. The letter suggests that the victim must buy Bitcoins[2] at LocalBitcoins, Coinbase or XChange and then transfer a required sum to a provided Bitcoin wallet.

Cyber criminals ask to write them a letter via email address which is also provided in the ransom note. The crooks suggest that their “operator will give the further instructions.” According to the ransom note, victims have to pay 2500 hryvnia (approximately 96 US dollars) in order to decrypt corrupted files. The cyber criminals provide an unusual ransom payment method – paying the ransom via IBOX terminal.

Malware not only encrypts files but also makes the system vulnerable. It might make various modifications in the system, create new or delete existing registry entries, and even open the backdoor to other cyber threats. Thus, having this malicious program installed on a device might lead to even more serious problems. It goes without saying that you should first make a copy of data back up done by Max Total Security and then format PC. Reinstall new operating system and then do data recovery.

Ztorg Android malware

The Ztorg malware hid in apps on Google’s Play Store to send premium-rate SMS texts and delete incoming SMS messages on Android devices. The apps, called “Magic Browser” and “Noise Detector,” have a combined total of 60,000 user installations. What’s interesting about these apps is that they don’t conceal Ztorg in its traditional device-rooting form. Instead they hide an SMS-based version of the threat.

After a user installs them, the apps wait 10 minutes before connecting to their command-and-control (C&C) server. They then make two GET requests, the first of which includes the first three digits of the Android device’s International Mobile Subscriber Identity (IMSI). If the trojan receives data from the server, it responds with its second GET request containing the first five digits of the IMSI.


The second app, called “Noise Detector”, with the same malicious functionality, was installed more than 10,000 times.


Following these requests, the trojan receives a JSON file of “offers” carrying a string field called “url.” Some of these “url” fields actually contain a URL, in which case Ztorg displays content to the user. In the event the field carries a “SMS” substring, it sends an SMS message to the number provided, turns off the device sound, and starts blocking all incoming SMS text messages.

It means that these Trojans may not only open ad urls, or send Premium rate SMS, but also open web-pages with WAP billing and steal money from a user’s account. To hide these activities the Trojans turn off the device sound and delete all incoming SMS.

RabboLock Ransomware

The R4bb0l0ck file encoder is programmed to scan the machine for available memory disks, and network shared storage that has data associated with software like Microsoft Office, Libre Office, Adobe Acrobat Reader, MySQL, VLC Media Player and Calibre. The threat is reported to use the files ‘hidden-tear.exe,’ ‘R4bb0l0ck.exe,’ and ‘R4bb0l0ck Ransomware.bin’ to facilitate its operation. The RabboLock Ransomware Trojan is programmed to report the IP address, machine GUID, active user account name, and software configuration to its masters before it generates a pair of unique encryption and decryption keys. As all HiddenTear variants do, the R4bb0l0ck Trojan encodes the user’s files using the AES-256 cipher and proceeds to encode the decryption key using the RSA-1024 cipher, which prevents malware researchers from recovering the corrupted data.

This Trojan is another crpto malware which adds the ‘.R4bb0l0ck’ extension to the encoded files. The RabboLock Ransomware is a threat to regular PC users that may open documents attached to spam emails, and lead to a security breach. The programmers responsible for the RabboLock Ransomware have been reported to take advantage of macro scripts embedded into Microsoft Word documents and compromise remote computers.

Our recommendation is be careful while opening email attachments, or fake software products as many malware come bundled with them, or while browsing web sites where scripts may ask you for permission or download something. Immediately terminate such processes or browsers from task manager . Always use Max Total Security to back up your data and Restore when you need it.