AngryKite ransomware

Once infiltrated, AngryKite encrypts various data and renames compromised files using the “[random_characters].NumberDot” pattern. For example, “sample.jpg” might be renamed to “G4ag0-3tga.NumberDot”. Following successful encryption, AngryKite opens a pop-up window containing a fake error message.

The message states that a malware infection has been detected and that files are encrypted. To remove the malware, victims are encouraged to call the toll-free phone number provided (“1-855-545-6800”). Victims are then supposedly guided through the malware removal process. In fact, this is a scam.

Text presented within AngryKite pop-up:

WARNING: SYSTEM MAY HAVE FOUND anonymous encryption on your computer. You would not be able to access the files on your computer. Your System May have Found (2) Malicious Viruses Rootkit.Encrypt & Trojan.Spyware Your Personal & Financial information MAY NOT BE SAFE Your system has encryption ransomware which may permanently encrypt your data Please call immediately to avoid further damage Toll free 1-855-545-6800.

Right now no methods are available to get rid of this malware other than restoring your files from backup. It is recommended to keep an updated copy of Max Total Security, which takes a daily backup of the files on your PC.

Chrysaor Malware on Android

Chrysaor is spyware believed to be created by NSO Group Technologies, specializing in the creation and sale of software and infrastructure for targeted attacks. Chrysaor is believed to be related to the Pegasus spyware that was first identified on iOS. Chrysaor is a highly sophisticated malware most likely used to carry out advanced espionage campaigns.

Chrysaor doesn’t exploit a vulnerability. Instead, Google believes attackers coax specifically targeted individuals to download the Chrysaor malware onto their device. “Once Chrysaor is installed, a remote operator is able to surveil the victim’s activities on the device and within the vicinity, leveraging microphone, camera, data collection, and logging and tracking application activities on communication apps such as phone and SMS,” wrote Google.

Upon installation, the app uses Framaroot rooting techniques to find security holes that allow the attackers to escalate privileges and break Android’s application sandbox, Google said. “If the targeted device is not vulnerable to these exploits, then the app attempts to use a superuser binary pre-positioned at /system/csk to elevate privileges,” according to Google.

Chrysaor is also very careful about being detected and is programmed to uninstall itself if there is any chance it has been found. It will remove itself from the phone if the SIM MCC ID is invalid, if an ‘antidote’ file exists, if it has not been able to check in with its servers for 60 days, or if it receives a command from the server to remove itself.
Chrysaor had a very low install volume outside of Google Play: fewer than three dozen installs on victim devices. These devices were located in the following countries:
[figure: countries where Chrysaor installs were observed]

To ensure you are fully protected against Potentially Harmful Applications (PHAs) and other threats, we recommend these 5 basic steps:

1. Install apps only from reputable sources: Install apps from a reputable source, such as Google Play.
2. Enable a secure lock screen: Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess.
3. Update your device: Keep your device up-to-date with the latest security patches.
4. Locate your device: Practice finding your device with Android Device Manager because you are far more likely to lose your device than install a PHA.
5. Keep a good antivirus or Android total security product installed on your device, such as Max Total Security.

Fluffy-TAR Ransomware

This malware is designed to encrypt files and append the “.lock75” extension to affected filenames (for example, “sample.jpg” might be renamed to “sample.jpg.lock75”). After infiltrating the system (and then encrypting files), Fluffy-TAR displays a pop-up window and places the “fluffy.png” file (an image of a cartoon character) on the desktop.

[image: fluffy.png dropped on the desktop by Fluffy-TAR]

The pop-up window contains a ransom-demand message available in English and French. It states that files are encrypted and that decryption requires a unique key. To receive this key, victims must pay a ransom of 0.039 Bitcoin (approximately $45).

The Trojan may run as ‘Fluffy-TAR.exe’ and ‘Fluffy.exe’ from the Temp and AppData directories on infected machines. We should note that the executable can be configured to use random names that are unique for every compromised system. The ‘critical security warning’ window supports bilingual text and a five-day countdown timer.
English part of text presented within Fluffy-TAR first pop-up:
————————————————————————————
ATTENTION REQUIRED – This is not an ad or a promotional content but a critical security warning about your system. Click “English” above for more details.
————————————————————————————
Depending on the selection made by the victim, the Fluffy-TAR Ransomware would load the appropriate version of the ransom request. The first slide within the ‘ATTENTION REQUIRED’ window offers the following message:
————————————————————————————
‘What’s happening?
Oh no! Fluffy-TAR has encrypted some of your files! It means that they are not lost, but cannot be used until decrypted. They are “locked”, you could say. If you see a file which name ends with “lock75”, it means this file is encrypted. The process is easily reversible but requires a key.
What do I do?
To get your files back, you must buy the decryption key. This payment must be done in Bitcoins, a cryptographic currency. Bitcoin is becoming more and more accessible and nowadays, it is really easy to use Bitcoins.
See the online interface (button below) for a more detailed introduction to bitcoins. To get your files back, please send exactly (or more if you want) 0.039 Bitcoins to this address, BEFORE the countdown below ends:
[RANDOM CHARACTERS]
Uppercase/lowercase matter! Make sure you send to the right address! (you can scan the QR code to copy it)
After sending the payment, wait an hour then click the “retrieve key automatically” button below. The software will then receive the key and decrypt ALL encrypted files. Without the key, it is impossible to decrypt your files.
Without the proper payment, it is impossible to get the key. When the countdown reaches zero, you will lose all encrypted documents.
Please note: if you have an antivirus, disable it now if you don’t want to lose your data.’
————————————————————————————

However, this is just the usual lie. In fact, you should run your security tools and remove the Fluffy-TAR virus right away: less elaborate threats need an uninterrupted period of time to finish encrypting data. Likewise, if you notice suspicious signs such as an extremely slow system or odd User Account Control prompts, restart the device.

As far as encrypted files and data are concerned, you need to restore them from a backup on an external device, or from a total security product such as Max Total Security, which takes a secure daily backup on your PC that malware cannot infect.

HappyDayzz ransomware

Happydayzz is a ransomware-type virus that will effectively put an end to your happy days online. Once infiltrated, Happydayzz encrypts various files stored on the system. During this process, it renames encrypted files using the “[blackjockercrypter@gmail.com].[22_random_characters].happydayzz” pattern. For example, “sample.jpg” might be renamed to “[blackjockercrypter@gmail.com].GlM8-AiM04-Lq6mHG1i0L0.happydayzz”. Following successful encryption, Happydayzz creates an HTA file (“How To Recover Encrypted Files.hta”), placing it in each folder containing encrypted files.

The HTA file contains a message informing users of the encryption. To restore these files, victims are encouraged to pay a ransom. To submit payment, you are instructed to contact the creators of HappyDayzz either via the Skype address nsyaneksab.aked or via blackjockercrypter@gmail.com. During this conversation, the hackers reveal the exact amount of bitcoins they are requesting as the fee for decryption.

The HappyDayzz virus is deployed and executed on victims’ computers with the help of malicious spam email attachments. The hackers typically pose as popular banks, government institutions, companies or social media networks to lure more people into their scam. Please keep in mind that although the hackers use the Happydayz@india.com and blackjockercrypter@gmail.com email addresses to contact their victims, they will not use the same addresses when spreading spam. So you must be very careful and vigilant when navigating through your email and downloading attachments.

The only way to get rid of this ransomware is to restore your PC to a previously known configuration or format it.
Data loss can be prevented if you were using Max Total Security, which takes file backups every day. Make sure to copy the backup files to an external device before you format your PC. As a Max Total Security user you can also access free 24×7 technical support to help you in such situations.

Zorro Ransomware

Zorro virus is a new file-encrypting malware that uses symmetric cryptography. Once infiltrated, this malware encrypts files and appends the “.zorro” extension to the name of each compromised file. For example, “sample.jpg” is renamed to “sample.jpg.zorro”. Zorro then creates a text file (“Take_Seriously (Your saving grace).txt”), placing it on the desktop.

The most likely way to get infected with Zorro is email spam. The crooks behind the virus rely on sending out malicious emails. These emails are disguised to look as if they were sent from a legitimate company such as Amazon, PayPal, BestBuy or a similar entity. The goal of Zorro is to take over your computer and lock its important files. The virus targets audio files, documents, project files, images, music, game saves, just about everything that could be valuable to the user. The files get locked by an encryption process.

Your best bet to recover your files is to restore from backup and to keep an updated version of Max Total Security on your PC.

Damage Ransomware

Damage ransomware was spotted at the end of February 2017. It is a file-encrypting ransomware that enters the victim’s computer system using deceptive methods, then runs a scanner that detects target file types and encrypts all of these files with a cryptographic algorithm. Such damage to data is very dangerous because the files usually cannot be restored without a special decryption key, which the criminals send to their own servers.
The virus adds the .damage file extension to encrypted files and creates a ransom note called damage@india.com[random chars].txt. It is one of the many ransomware viruses that provide an email address and invite the victim to get in touch with the criminals via email.
The virus infections are initiated mainly through direct hacking attempts: Damage ransomware attempts to intrude into target servers by using RDP (Remote Desktop Protocol) attacks and exploiting various weaknesses in an automated way.
The RDP intrusions use an IP scanner to check whether the standard port 3389 is reachable and a service is listening on it.

Other ways to distribute the malware include the following:

Email Spam Campaigns – The hackers use email spam messages to spread the viruses either in hyperlinks or directly attach them to the messages. In recent times the hackers use many different kinds of social engineering tactics.
Software Installers – Infected bundle installers are often used to spread dangerous viruses. They are often found on illegal download sites and BitTorrent trackers.
Malicious Redirects – All sorts of browser hijackers and malicious redirects are used to deliver virus executables to the victims.
To avoid such malware infections:
Follow better anti-spam measures – don’t download shady attachments
Don’t give your email to sites with pirated content
Never install suspicious ZIP or RAR files from spammed emails
Get an anti-malware tool, and the one with a back up feature like Max Total Security.

Unlock26 Ransomware

Unlock26 can infect your PC when you open a malicious email attachment without thinking about the possible consequences. Scammers can send you legitimate-looking files such as documents, program updates, archives and other file types, and convince you to open them by stating that they contain relevant information you should review immediately. Please never open files sent to you by unknown individuals, no matter what the email message says. Ransomware can also be distributed along with pirated software or installed on unsuspecting victims using exploit kits.
Once infiltrated, Unlock26 encrypts files and appends the “.locked-Nyd” extension to their filenames. For example, “sample.jpg” is renamed to “sample.jpg.locked-Nyd”. Unlock26 then creates an HTML file (“ReadMe-Nyd.html”), placing it in each folder containing encrypted files.

The “ReadMe-Nyd.HTML” file contains a message informing victims of the encryption and encourages them to visit one of the links provided for further information. Unlock26’s website claims that, to restore files, victims must pay a ransom of 0.06 (6.e-002) Bitcoins (approximately, $70).

To protect your computer from malicious attacks, secure the system with proper anti-malware tools from a vendor that provides free 24×7 support in such situations, such as Max Total Security.

Hermes Ransomware

Once infiltrated, Hermes encrypts files using RSA-2048 cryptography. This malware does not append extensions to the encrypted files. Following successful encryption, Hermes creates an HTML file containing a ransom-demand message (“DECRYPT_INFORMATION.html”), placing it in each folder containing encrypted files. It also drops a UNIQUE_ID_DO_NOT_REMOVE file that victims are encouraged to attach to email messages when communicating with the cyber criminals responsible for this malware. When Hermes is executed, it also uses a User Account Control (UAC) bypass called Eleven, or Elevation by environment variable expansion, to delete the victim’s Shadow Volume Copies and backup files.


Hermes uses the UAC bypass to execute a batch file called shade.bat. This batch file, shown below, not only deletes the computer’s shadow volumes but also deletes any backup images present on the computer. It does this to prevent the victim from restoring encrypted files from a backup.

[image: contents of shade.bat]

The backup images that are deleted are ones that match the following filenames:

*.VHD, *.bac, *.bak, *.wbcat, *.bkf, Backup*.*, backup*.*, *.set, *.win, *.dsk
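To see which local backup artifacts the shade.bat deletion list above would remove, here is an added Python check (not code from the page or from Hermes itself); the directory listing is constructed, and cmd.exe wildcard semantics are approximated with fnmatch.

```python
import fnmatch
from typing import Dict, List

# Filename patterns the page reports shade.bat deletes on the victim machine.
HERMES_DELETE_PATTERNS = [
    "*.VHD", "*.bac", "*.bak", "*.wbcat", "*.bkf",
    "Backup*.*", "backup*.*", "*.set", "*.win", "*.dsk",
]


def _as_windows_glob(pattern: str) -> str:
    """Approximate cmd.exe wildcard semantics with fnmatch.

    Windows matching is case-insensitive, and a trailing "*.*" also matches
    names that have no extension at all, which fnmatch's "*.*" would not.
    """
    lowered = pattern.lower()
    return lowered[:-2] if lowered.endswith("*.*") else lowered


def files_hermes_would_delete(filenames: List[str]) -> Dict[str, str]:
    """Map each filename to the first Hermes pattern that would catch it."""
    hits: Dict[str, str] = {}
    for name in filenames:
        for pattern in HERMES_DELETE_PATTERNS:
            if fnmatch.fnmatchcase(name.lower(), _as_windows_glob(pattern)):
                hits[name] = pattern
                break
    return hits


def unprotected_share(filenames: List[str]) -> float:
    """Fraction of the listing (0.0 to 1.0) that shade.bat would remove."""
    if not filenames:
        return 0.0
    return len(files_hermes_would_delete(filenames)) / len(filenames)


# Constructed directory listing of a local backup folder (not from the page).
SAMPLE_BACKUP_FOLDER = [
    "Finance.VHD", "db-2017-02.bak", "BACKUP", "Backup_Sunday.zip",
    "quarterly.set", "drive.dsk", "notes.txt", "report.docx",
]

if __name__ == "__main__":
    for name, pattern in files_hermes_would_delete(SAMPLE_BACKUP_FOLDER).items():
        print(f"{name:20} would be deleted (matches {pattern})")
    print(f"share of listing lost: {unprotected_share(SAMPLE_BACKUP_FOLDER):.0%}")
```

Note that "BACKUP" with no extension and "Backup_Sunday.zip" are both caught by the name-prefix patterns, so only copies kept offline or on media the malware cannot reach survive.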

When the Hermes Ransomware is executed, it will copy itself to C:\Users\Public\Reload.exe and execute itself. It will then launch a batch file called system_.bat, which is used to delete the original installer as shown below.

[image: contents of system_.bat]

Files associated with the Hermes Ransomware
C:\Eleven\Comet.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\
C:\Eleven\Microsoft\
C:\Eleven\Microsoft\Windows\
C:\Eleven\Microsoft\Windows\Caches\
C:\Eleven\Microsoft\Windows\Caches\cversions.2.db
C:\Eleven\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db
C:\Eleven\Microsoft\Windows\Caches\{73E271C2-E043-4985-A165-1B09233B848B}.2.ver0x0000000000000001.db
C:\Eleven\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
C:\Eleven\Microsoft\Windows\Caches\{E0B113B6-B2EA-4F79-9F6D-C7F51DA96E93}.2.ver0x0000000000000001.db
C:\Eleven\Microsoft\Windows\Start Menu
C:\Eleven\Microsoft\Windows\Start Menu\Programs
C:\Eleven\Microsoft\Windows\Start Menu\Programs\Administrative Tools
C:\Eleven\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk
C:\Users\Public\Reload.exe
C:\Users\Public\shade.bat
C:\Users\Public\shade.vbs
C:\Users\Public\system_.bat
Registry entries associated with the Hermes Ransomware
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\allkeeper C:\users\User\Desktop\DECRYPT_INFORMATION.html
Hashes:
SHA256: 059aab1a6ac0764ff8024c8be37981d0506337909664c7b3862fc056d8c405b0

Use Max Total Security to prevent damage to your files and save yourself from paying a ransom to such malware.

Cyber Splitter VBS Ransomware

The ‘Cyber Splitter Vbs’ Ransomware is a ransomware Trojan that is being used to coerce PC users to spend large amounts of money by taking their files hostage. The ‘Cyber Splitter Vbs’ Ransomware uses an approach that is similar to what we’ve seen with numerous other ransomware threats that use a similar attack strategy.

Essentially, the ‘Cyber Splitter Vbs’ Ransomware will encrypt the victim’s files, making them unusable, and then demand that the victim pays large amounts of money to recover access to the encrypted files. PC security analysts are against paying the ‘Cyber Splitter Vbs’ Ransomware’s ransom.

The most plausible explanation is that CyberSplitter 2.0 was sent to your inbox. As we mentioned, ransomware doesn’t rely on your active cooperation. It uses your distraction instead. For instance, hackers often attach the virus to some corrupted, fake email. All you have to do is open it. Voila. You end up downloading a nasty infection on your own computer. Keep in mind those emails appear to be perfectly harmless. They might be disguised as job applications or emails from a shipping company. The goal is to trick you into clicking them open. To prevent infiltration, delete emails/messages from unknown senders.

Prevention is indeed the easier option. Stay away from illegitimate torrents, websites and software bundles. We would also recommend that you avoid third-party pop-ups. Ransomware might get spread online via exploit kits as well.


The only way to protect yourself is to keep a good, updated total security product with antivirus on your PC, such as Max Total Security, which takes a backup every day and lets you restore your files if you are infected.

CryptoShield 1.0 Ransomware

A new CryptoMix, or CrypMix, variant called CryptoShield 1.0 Ransomware has been discovered. The infected files may be sent out via a variety of e-mail templates spammed to the victim, claiming to contain an invoice or another important document that has to be opened. Unfortunately, most inexperienced users tend to open the attachments.

After the malicious attachment is opened, the virus gets right down to business. It may create multiple malicious files, also known as modules, each responsible for a different activity. The files may be dropped under different names in the following Windows folders: AppData, Temp, Roaming, the user profile, Common and System32. File names could be notepad.exe, setup.exe, patch.exe, update.exe, software-update.exe, svchost.exe, etc.

After dropping the files, the CryptoShield 1.0 virus may create registry entries regval and regdata in these key locations:

HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run or RunOnce

When CryptoShield encrypts a file using AES-256, it also encodes the filename using ROT-13 and then appends the .CRYPTOSHIELD extension to the encrypted file. For example, a file called test.jpg would be encrypted and renamed as grfg.wct.CRYPTOSHIELD. You can decode the filenames with any ROT-13 tool, such as rot13.com.

In each folder in which CryptoShield encrypts a file, it also creates ransom notes named # RESTORING FILES #.HTML and # RESTORING FILES #.TXT.

During this process, the ransomware will issue the following commands to disable the Windows startup recovery and to clear the Windows Shadow Volume Copies as shown below.

cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
“C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet
“C:\Windows\System32\cmd.exe” /C net stop vss

CryptoShield then displays a fake alert stating that there was an application error in Explorer.exe. The alert contains spelling mistakes such as “momory” and an odd request that you click the Yes button in the next window “for restore work explorer.exe”. Once you press OK on that prompt, you are presented with a User Account Control prompt asking whether you wish to allow the command “C:\Windows\SysWOW64\wbem\WMIC.exe” process call create “C:\Users\User\SmartScreen.exe” to execute. This explains why the previous alert was shown: to convince the victim to click the Yes button on the UAC prompt.
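As an added example (not code from the page or from the malware author), the following Python undoes the ROT-13 filename mangling described above and flags the four recovery-tampering commands listed above in process-creation log lines; the Sysmon-style key=value log format and the sample lines are constructed assumptions.

```python
import codecs
import re
from typing import List, Optional, Tuple

CRYPTOSHIELD_EXT = ".CRYPTOSHIELD"


def recover_original_name(encrypted_name: str) -> Optional[str]:
    """Undo CryptoShield's ROT-13 filename mangling (grfg.wct.CRYPTOSHIELD -> test.jpg).

    Returns None when the name lacks the marker extension, so a caller can tell
    a CryptoShield victim file from an unrelated one.
    """
    if not encrypted_name.endswith(CRYPTOSHIELD_EXT):
        return None
    mangled = encrypted_name[: -len(CRYPTOSHIELD_EXT)]
    # ROT-13 is its own inverse; digits and punctuation pass through unchanged.
    return codecs.decode(mangled, "rot_13")


# The four commands the page lists, as (command-line regex, label) detection
# rules. Matching is case-insensitive because cmd.exe and these tools are.
RECOVERY_TAMPERING_RULES: List[Tuple[str, str]] = [
    (r"bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", "startup recovery disabled"),
    (r"bcdedit\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", "boot failure notices suppressed"),
    (r"vssadmin(\.exe)?\s+delete\s+shadows\b", "shadow copies deleted"),
    (r"\bnet\s+stop\s+vss\b", "VSS service stopped"),
]


def flag_recovery_tampering(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, label) for each log line whose CommandLine matches a rule."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(log_lines, start=1):
        # Inspect only the command line, not the image path or timestamp.
        _, _, command = line.partition("CommandLine=")
        for pattern, label in RECOVERY_TAMPERING_RULES:
            if re.search(pattern, command, re.IGNORECASE):
                hits.append((number, label))
                break
    return hits


# Constructed process-creation log lines (Sysmon-style key=value, an assumption)
# mixing the page's CryptoShield commands with benign administrative activity.
SAMPLE_PROCESS_LOG = [
    "10:02:11 EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /C bcdedit /set {default} recoveryenabled No",
    "10:02:11 EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "10:02:12 EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin.exe Delete Shadows /All /Quiet",
    "10:02:12 EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=\"C:\\Windows\\System32\\cmd.exe\" /C net stop vss",
    "10:05:40 EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin list shadows",
    "10:06:02 EventID=1 Image=C:\\Windows\\System32\\net.exe CommandLine=net start spooler",
]

if __name__ == "__main__":
    print(recover_original_name("grfg.wct.CRYPTOSHIELD"))
    for number, label in flag_recovery_tampering(SAMPLE_PROCESS_LOG):
        print(f"line {number}: {label}")
```

Several of these labels firing within seconds of each other, as in the sample, is the pattern worth alerting on; a lone "vssadmin list shadows" is routine administration and is deliberately not flagged.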


File Associated with the CryptoShield CrypMix Variant:
C:\ProgramData\MicroSoftWare\
C:\ProgramData\MicroSoftWare\SmartScreen\
C:\ProgramData\MicroSoftWare\SmartScreen\SmartScreen.exe
%AppData%\Roaming\1FAAXB2.tmp
[encrypted_file_name].CRYPTOSHIELD
# RESTORING FILES #.HTML
# RESTORING FILES #.TXT
Registry Entries Associated with the CryptoShield CrypMix Variant:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Windows SmartScreen” = “C:\ProgramData\MicroSoftWare\SmartScreen\SmartScreen.exe”

Keep a good antivirus such as Max Total Security installed, update it daily and scan once a day to stay free of malware.