Losers ransomware

Losers ransomware is a recently discovered file-encrypting malware that uses a sophisticated encoding algorithm to lock various types of files stored on the affected computer. To prevent users from opening and using their files, the crypto-malware appends the .losers file extension. The malware executable has been observed spreading via a free DVD burning program called Burn4Free, although other distribution channels may be used as well. Apart from encrypting files, Losers may also make several system changes: modify the Windows Registry, create new files, or download other malicious content. It may consume a lot of RAM and CPU, so the computer becomes sluggish, programs may stop working properly, and the browser may open suspicious websites.

Just like other ransomware-type infections, Losers delivers data recovery instructions and demands that the ransom be paid. Currently, the instructions are placed in a file named HOWTODECRYPTFILES.txt. Once the Losers payload is on the computer, it initiates the infection process. The ransomware ensures its persistence on the PC by creating files and accessing various system libraries that allow it to perform its functions. Files associated with Losers may be placed in essential Windows folders such as:

%Temp%
%AppData%
%Windows%
%Local%
%Roaming%

Afterward, it starts a scanning process and encrypts all of its target files using the AES-256 encryption algorithm. The encrypted files are marked with the malicious .losers extension at the end of their names. Crypto viruses like Losers usually target commonly used and important file types – multimedia files (audio, video, and photos), backup images, configuration files, office documents and more. Some of the captured samples were shown to encrypt a generic list of file type extensions.

The Losers ransom note states that your files are encrypted and that a ransom of 500 US dollars in Bitcoin must be paid to retrieve the decryption key. However, it is better to avoid paying criminals and instead try to recover encrypted files by alternative methods, such as restoring from a backup like the one provided by security products such as Max Total Security. There is no guarantee that the criminals will send a working solution after the payment is transferred.

Kerkoporta Ransomware

The Kerkoporta Ransomware campaign relies on spam emails to deliver the threat payload. The Kerkoporta Ransomware is a dysfunctional file locker that originates from Greece and is currently not capable of encrypting any files on the victim’s computer. However, according to its code, the threat modifies files by appending the ‘.encryptedsadly’ extension to their names. Although this may make some files a tad more difficult to access, the issue can be resolved quickly by removing the ‘.encryptedsadly’ extension and restoring the file’s original name.

After the Kerkoporta Ransomware renames all suitable files, it spawns a ransom note urging the victim to pay a ransom of $100 using either a Paysafecard or an Amazon Gift Card. The attackers’ message is shown in a new program window; it is written in Greek but can also be translated into English. Below the ransom message, users will find a field to enter the code from the Amazon Card or Paysafecard, which will supposedly unlock their computers.

Kerkoporta Ransomware uses numerous ways to extort money from innocent users and even frightens them by claiming that non-payment may lead to severe data loss or even corrupt the system. You will notice changes to the entire system’s appearance, and it may modify or delete valuable information and data. Besides that, it places its code in the boot sector so that it is loaded every time the PC is rebooted. Apart from tampering with data files, it also causes several other issues on your computer: it makes the system very slow and creates security problems by opening a backdoor for other viruses.

You may want to know that the Kerkoporta Ransomware is not a simple screen locker as it includes remote access capabilities, which means that a threat actor can access data, run and terminate programs on compromised machines. Computer users who might encounter the Kerkoporta Screen Locker are advised to sever access to the Internet and use an up-to-date anti-malware suite such as Max Total Security that can eliminate the Kerkoporta Ransomware.

BlueBorne Vulnerability

This week, a nasty collection of vulnerabilities affecting devices with Bluetooth connectivity was disclosed. Armis Labs discovered that this attack vector is present on all major consumer operating systems (Windows, Linux, iOS, Android) regardless of the type of device (desktop, laptop, smartphone, tablet, wearable, IoT). If you have a device with Bluetooth (except those using only Bluetooth Low Energy) that is running an unpatched version of the software, it is vulnerable to BlueBorne. BlueBorne is a new attack vector that targets devices via Bluetooth, and over five billion such devices globally are at risk.

Regardless of the security features on your device, the only way to completely prevent attackers from exploiting it is to power off your device’s Bluetooth function when you are not using it. Putting it into an invisible or undetectable mode is not sufficient.

BlueBorne vulnerabilities are tracked under the following identifiers: CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, and CVE-2017-0785 for Android devices; CVE-2017-1000251 and CVE-2017-1000250 for Linux; CVE-2017-14315 for iOS, and CVE-2017-8628 on Windows. Three of these eight security flaws are rated critical and according to researchers at Armis — the IoT security company that discovered BlueBorne — they allow attackers to take over devices and execute malicious code, or to run Man-in-the-Middle attacks and intercept Bluetooth communications.

Furthermore, the vulnerabilities can be chained into a self-spreading Bluetooth worm that could wreak havoc inside a company’s network or even across the world.

Google patched the flaws in its September Android Security Bulletin.

All Windows versions since Windows Vista are affected. Microsoft said Windows phones are not impacted by BlueBorne. Microsoft quietly released patches for CVE-2017-8628 in July, but only today included details about the fixed vulnerability in September’s Patch Tuesday.

All Linux devices running BlueZ are affected by an information leak, while all Linux devices from version 3.3-rc1 (released in October 2011) are affected by a remote code execution flaw that can be exploited via Bluetooth. Samsung’s Tizen OS, based on Linux, is also affected.

All iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and AppleTV devices with version 7.2.2 and lower are affected, but the issue was patched in iOS 10.

New Arena CryptoMix Ransomware

A new variant of the CryptoMix ransomware has been found that appends the .arena extension to encrypted file names. When a file is encrypted by the ransomware, it first modifies the filename and then appends the .arena extension to the encrypted file’s name. For example, a test file encrypted by this variant has the encrypted file name EA1221EC8B516824060636CC280F0D0A.arena. This variant also contains 11 public RSA-1024 encryption keys that are used to encrypt the AES key that encrypts a victim’s files.

Filenames associated with the ARENA Cryptomix Variant:
_HELP_INSTRUCTION.TXT
C:\ProgramData\[random].exe

Registry entries associated with the ARENA CryptoMix Variant:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"="C:\ProgramData\[random].exe"

Emails Associated with the ARENA Ransomware:
ms.heisenberg@aol.com

ARENA Ransom Note Text:
“All your files have been encrypted!
——————-
You have to pay for decryption in Bitcoins.
The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
——————-

We recommend following these safe security habits:

  • Backup, Backup, Backup: do it yourself or use a good anti-virus product that does it for you, such as Max Total Security.
  • Do not open attachments if you do not know who sent them.
  • Turn on the email protection provided by an anti-virus product such as Max Total Security.
  • Make sure all Windows updates are installed as soon as they come out; follow the Max Total Security vulnerability scanner.
  • Also make sure you update all programs, especially Java, Flash, and Adobe Reader.
  • Use strong passwords and never reuse the same password at multiple sites.
  • Use a good anti-virus that protects your files from being encrypted in the first place; the Max Total Security Max Crypto Monitor tool does this for you.

Connected and Autonomous Cars security concerns

By 2020, an estimated 188 million connected vehicles will be on the road according to Navigant Research. In 2025 partially autonomous cars and completely autonomous cars are expected to account for more than 15% of all cars shipped that year. This number will jump to 70% of all cars shipped in 2025, nearly 72 million cars annually.

For hackers, this evolution in automobile manufacturing and design means yet another opportunity to exploit vulnerabilities in insecure systems and steal sensitive data and/or harm drivers. Connected cars pose serious privacy concerns: When you get down to it, your car knows a lot about you: where you go, when you go, how long you are there, the route you took to get there, the way you drove to get there, the temperature of the cabin, what entertainment you engaged in, and how long you were chatting on the phone (if you use Bluetooth). If you’re using it, quite a detailed record of your life is being collected and potentially transmitted somewhere. The biggest risk of car cyber attacks is loss of lives.

The vehicle’s mobile phone hardware, which provides a connection to the on-board computer system, is also vulnerable to having malware installed that could allow a thief to unlock the car remotely and steal it. This is serious, as there is already talk of an app store for vehicle apps.

Harvey hurricane phishing scams

US-CERT (United States Computer Emergency Readiness Team) warns users to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey. Users are advised to exercise caution in handling any email with a subject line, attachments, or hyperlinks related to Hurricane Harvey, even if it appears to originate from a trusted source. Fraudulent emails often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations for fraudulent charitable organizations commonly appear after major natural disasters.

US-CERT encourages users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:

1. Do not follow unsolicited web links in email messages.
2. Use caution when opening email attachments.
3. Keep antivirus and other computer software up to date.
4. Verify the legitimacy of any email solicitation by contacting the organization directly through a trusted contact number.
5. Trusted contact information for many charities can be found in the BBB National Charity Report Index.

It is recommended to use a trusted antivirus such as Max Total Security with 24×7 technical support.

Bam! Ransomware

This ransomware stealthily infiltrates systems and encrypts various data. During encryption, this malware appends the “.bam!” extension to the name of each file (for example, “sample.jpg” is renamed to “sample.jpg.bam!”). Following successful encryption, Bam! changes the desktop wallpaper.

The new wallpaper contains a message that details the encryption and encourages users to buy decryption software. It is currently unknown whether Bam! uses symmetric or asymmetric cryptography, however, in any case, file decryption requires a unique key. This key is stored on a remote server controlled by cyber criminals. Users are encouraged to pay a ransom in exchange for a decryption tool with the key embedded within. To receive this, victims must supposedly contact cyber criminals via one of the email addresses provided.


The infection process of the Bam! Ransomware virus begins with a simple click by the victim. This click can be on a file uploaded online, such as:
1. Fake installers of a program you wanted to download for free (media player, torrent client, etc.).
2. Fake license activators or key generators that, instead of activating a program, cause the infection.
3. In addition, the ransomware may be spread via what is known as malspam, or malicious e-mail spam. Such messages are often sent to victims under the pretext of being an important invoice, a receipt from the bank, or a notification of suspicious bank activity. These e-mails carry the infection file as an attachment.

The ransomware’s files can be dropped in these locations under different names, usually imitating common Windows services:
%AppData%\notepad.exe
%Temp%\setup.exe
%Roaming%\svchost.exe
%Common%\update.exe
%System32%\software-update.exe
%UserProfile%\random-alphanumeric.exe or some valid application name

It may also delete system backup and disable system recovery.

The .bam! file virus aims to attack only specific files on the infected computer, in particular:

Archives.
Videos.
Audio files.
Virtual Drives.
Pictures.

Max Secure Software has just launched the Crypto Monitor tool, which can completely prevent crypto-ransomware from infecting your computer and encrypting data. Get it from Max Total Security.

Scorpio ransomware

Scorpio encrypts the files on the compromised computer and asks its owner to pay in Bitcoin to get them back. The encrypted files have the .scorpio file extension appended to their names. The ransom note is the same as that of the .scarab file virus.

Distribution Method: Spam Emails, Email Attachments, Executable files

Scorpio Ransomware marks the files encrypted by the attack by adding a specific extension to the end of each file’s name. The Scorpio Ransomware also encrypts the affected files’ names, replacing them with what appears to be a string of random characters. The Scorpio Ransomware’s ransom note is contained in a text file with the following name: ‘IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.TXT.’ The full text of the Scorpio Ransomware ransom note reads:
——————————————————————————————————————-
‘*** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS ***
Your files are now encrypted!
—–BEGIN PERSONAL IDENTIFIER—–
**************************************
—–END PERSONAL IDENTIFIER—–
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: qa458@yandex.ru
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 5Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).
How to obtain Bitcoins?
* The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click
‘Buy bitcoins’, and select the seller by payment method and price:
hxxps://localbitcoins.com/buy_bitcoins
* Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.’
——————————————————————————————————————-

We do not recommend following the cybercriminals’ instructions, because they give you no guarantees; besides, think about the consequences – paying the ransom simply allows criminals to fund their further illegal projects. Unfortunately, the files affected by the Scorpio Ransomware attack cannot currently be recovered by decryption. Your best bet is to recover all of your files using the Max Total Security Backup/Restore tool if you had this software installed on your PC. If you did not, it is never too late to start using it now and have total peace of mind.

Reyptson ransomware

The Reyptson virus operates as a crypto-threat capable of encrypting data with the AES cipher. After the process, the malware appends the .REYPTSON file extension to the data. Since the virus’s messages are written in Spanish, the malware targets users in Spain.

Furthermore, recent analysis has revealed the threat’s tendency to hijack victims’ Thunderbird contact lists and plague their contacts with fraudulent invoice messages. It clearly prefers Spanish users, who are expected to receive the biggest share of such emails. The pop-up and text file contain a ransom-demand message in Spanish stating that files are encrypted using the AES-128 algorithm and that victims must pay a ransom to restore them.


Reyptson includes the ability to distribute itself through a spam email campaign conducted from the victim’s computer. It does this by checking if the Thunderbird email client is installed, and if it is, it will attempt to read the victim’s email credentials and contact list. If it is able to retrieve the contacts and credentials, it will begin a spam campaign to send out fake invoices to the victim’s contact list. These spam emails will have a subject line of Folcan S.L. Facturación and will contain a fake invoice. This invoice is written in Spanish and tells the recipient to click on a link to download an invoice. When the recipient clicks on the link, it will download a file called factura.pdf.rar, which contains an executable. This executable will infect the user with the ransomware when it is opened.

Hashes:
SHA256: e6d549543863cd3eb7d92436739a66da4b2cc1a9d40267c4bb2b2fa50bf42f41

Network Communication:
http://www.melvinmusicals.com/facefiles/
http://37z2akkbd3vqphw5.onion/?usuario=[user_id]&pass=[password]
http://37z2akkbd3vqphw5.onion.link/?usuario=[user_id]&pass=[password]

Files associated with the Reyptson Ransomware:
%AppData%\Spotify\
%AppData%\Spotify\SpotifyWebHelper\
%AppData%\Spotify\SpotifyWebHelper\dat
%AppData%\Spotify\SpotifyWebHelper\fin
%AppData%\Spotify\SpotifyWebHelper\Reyptson.pdf
%AppData%\Spotify\SpotifyWebHelper\Spotify.vbs
%AppData%\Spotify\SpotifyWebHelper\SpotifyWebHelper.exe

Registry Entries associated with the Reyptson Ransomware:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "Spotify Web Helper v1.0"="%AppData%\Spotify\SpotifyWebHelper\Spotify.vbs"

At this time there is no way to decrypt files encrypted by Reyptson, but if you have been using Max Total Security you can restore your files from the backup. Very soon Max Total Security is launching a total protection tool against any ransomware.

Random6 Ransomware

The Random6 Ransomware virus can compromise your system through spam emails, browser redirects, bundled installers and malware downloaders. Random6 Ransomware first locks down all your files. It then leaves a ransom note on your computer in TEXT or HTML format describing the decryption method, and replaces the desktop background with a ransom image. It can also disable your anti-virus to leave you helpless, and block your firewall, making your system an easy target for other threats. It then pressures you to pay ransom money to rescue your files.

The Random6 Ransomware is programmed to alter not only the file’s structure but its name as well. The encoded files are easily recognized by the base64-encoded string used as the name and the six random characters used as the file extension. The cyber parasite is reported to target images, text, eBooks, PDFs, databases, and work-related files, which may be of great importance to the user. The Random6 Ransomware may run as [random 9-chars].exe in the Task Manager and changes the desktop background of the compromised system. Because each victim finds a unique extension appended to the encoded files, the name of the ransom notification differs as well. The Trojan is programmed to delete its traces after the encoding process is completed, and it leaves the ransom request on the user’s desktop as ‘RESTORE-.[random 6-char ext]-FILES.txt.’ The file offers the following text:

‘Your files are Encrypted!
For decryption send letter on email filesrestore@tutanota.com in letter attach your Personal ID.
If email don’t works, register here: http://bitmsg.me, send letter to BM-NBazWh9xNVf2SgmvLv8pc3Uc9CCXtXMu
With your Personal ID and email for contacts.
After you send payment to given BTC adress in answer, you will get your files restored.
Your Personal ID:
[128 RANDOM CHARACTERS]’
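The write-ups above give several file-name and persistence indicators: Arena’s 32-hex-character names with .arena, the fixed .losers/.encryptedsadly/.bam!/.scorpio/.REYPTSON extensions, Random6’s base64 name plus six-character extension and its RESTORE-.[ext]-FILES.txt note, and Run-key entries launching an .exe from C:\ProgramData or a .vbs from %AppData%. The following triage helper is an added example, not code from the original post or from Max Total Security; the sample file names and Run values it checks are constructed.

```python
# Added example (not code from the original post or any product it names): a
# triage helper for the indicators quoted above; sample inputs are constructed.
import re
from typing import Optional

# Fixed extension markers quoted in the write-ups (compared case-insensitively).
FIXED_EXTENSIONS = {
    ".losers": "Losers",
    ".encryptedsadly": "Kerkoporta",
    ".bam!": "Bam!",
    ".scorpio": "Scorpio",
    ".reyptson": "Reyptson",
}
# Ransom note file names quoted on the page (case-insensitive lookup).
RANSOM_NOTES = {
    "howtodecryptfiles.txt": "Losers",
    "_help_instruction.txt": "Arena CryptoMix",
    "if_you_want_to_get_all_your_files_back_please_read_this.txt": "Scorpio",
}
# Arena: the original name is replaced by 32 hex characters, then ".arena".
ARENA_RE = re.compile(r"^[0-9A-Fa-f]{32}\.arena$")
# Random6: base64 string as the name plus a six-character random extension;
# its note is named RESTORE-.[random 6-char ext]-FILES.txt.
RANDOM6_RE = re.compile(r"^([A-Za-z0-9+/]+={0,2})\.[A-Za-z0-9]{6}$")
RANDOM6_NOTE_RE = re.compile(r"^RESTORE-\.[A-Za-z0-9]{6}-FILES\.txt$", re.I)
# Run-key values listed above start an .exe from C:\ProgramData or a .vbs from %AppData%.
SUSPECT_DIRS = ("%appdata%", "\\appdata\\", "\\programdata\\", "%temp%")
SCRIPT_EXTS = (".vbs",)

def classify_filename(name: str) -> Optional[str]:
    """Return the family a file name points to, or None if it looks benign."""
    lower = name.lower()
    if lower in RANSOM_NOTES:
        return RANSOM_NOTES[lower] + " ransom note"
    if RANDOM6_NOTE_RE.match(name):
        return "Random6 ransom note"
    for ext, family in FIXED_EXTENSIONS.items():
        if lower.endswith(ext):
            return family
    if ARENA_RE.match(name):
        return "Arena CryptoMix"
    m = RANDOM6_RE.match(name)
    # Base64 comes in groups of four; short bodies such as "data.sqlite" are
    # far more likely ordinary files, so this stays a weak, pattern-only hit.
    if m and len(m.group(1)) % 4 == 0 and len(m.group(1)) >= 8:
        return "Random6 (pattern match only)"
    return None

def suspicious_run_value(command: str) -> Optional[str]:
    """Explain why a Run-key command matches the persistence above, or None."""
    c = command.strip().strip('"').lower()
    reasons = []
    if any(d in c for d in SUSPECT_DIRS):
        reasons.append("launched from a user-writable data directory")
    if c.endswith(SCRIPT_EXTS):
        reasons.append("script-file launcher")
    return "; ".join(reasons) or None

if __name__ == "__main__":  # constructed sample data, not from a real system
    for n in ["report.docx", "EA1221EC8B516824060636CC280F0D0A.arena",
              "sample.jpg.bam!", "RESTORE-.k3x9Qa-FILES.txt"]:
        print(n, "->", classify_filename(n))
    print(suspicious_run_value(r"C:\ProgramData\qwe123.exe"))
    print(suspicious_run_value(r"%AppData%\Spotify\SpotifyWebHelper\Spotify.vbs"))
```

The Random6 name check is deliberately reported as a weak match, since any file with a base64-looking stem and a six-letter extension fits the pattern; confirm it against the ransom note before acting on it.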

To prevent ransomware-type infections, be very cautious when browsing the Internet. Never open files received from suspicious emails, download software from unofficial sources, or use third party tools to update installed software. In addition, use a legitimate anti-virus/anti-spyware suite.

At this time the only option is to restore your files from a backup. Use Max Total Security to protect your PC and easily back up and restore your files. Get 24×7 complimentary support if you have any issues due to malware.