NotPetya and ExPetr

There are early signs of a new ransomware outbreak, currently affecting a large number of countries across the globe, such as the UK, Ukraine, India, the Netherlands, Spain, Denmark, and others. This ransom uses the contact details of and asks for a payment of $300 in Bitcoin. Petya’s initial distribution vector was a tainted update for an accounting software package popular in the Ukraine, from the legitimate MEDoc updater process.. The new ransomware has worm capabilities, which allows it to move laterally across infected networks.

To capture credentials for spreading, the ransomware uses custom tools, a la Mimikatz. These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network. The execution chain leading to the ransomware installation is represented in the diagram below and essentially confirms that EzVit.exe process from MEDoc, for unknown reasons, at some moment executed the following command-line:

C:\\Windows\\system32\\rundll32.exe\” \”C:\\ProgramData\\perfc.dat\”,#1 30

Other observed infection vectors include:

A modified EternalBlue exploit, also used by WannaCry.
The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).
An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.
IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.

Only if the malware is running with highest privilege (i.e., with SeDebugPrivilege enabled), it tries to overwrite the MBR code.

This ransomware attempts to encrypt all files, Unlike most other ransomware, this threat does not append a new file name extension to encrypted files. Instead, it overwrites the said files. The AES key generated for encryption is per machine, per fixed drive, and gets exported and encrypted using the embedded 2048-bit RSA public key of the attacker.

After completing its encryption routine, this ransomware drops a text file called README.TXT in each fixed drive. The said file has the following text:

After execution, the ransomware infects the system at a low level, modifying the MBR and presenting the user with the following prompt:

After a reboot, instead of loading into the operating system installed on the computer, the user is faced with a fake Check Disk operation that, instead of actually checking your hard disk for issues, is actually encrypting files. This is done to buy the ransomware more time to encrypt all the relevant files on the system without being stopped by the user. The MFT (Master File Table) and the MBR are also encrypted. The MBR is overwritten to display the ransom note, which makes it impossible to boot the system without remediation—meaning users must either pay the culprit or be unable to access their system. The computer will then display a menacing black screen with red lettering listing the ransomware’s purpose and its demands. The attack affects users by encrypting anywhere from a single file to the entire system.


look out for Max Total Security new tool next week which is blocking all malware access. Alomg with its already launched tool whitelist make your PC malware proof forever.

PSCrypt ransomware

PSCrypt is a ransomware based on GlobeImposter 2.0, a ransomware strain that’s been around for more than a year, and has evolved from the Globe ransomware family. Ukrainian users have been aggressively targeted during the past month with PSCrypt after XData and NotPetya.

The PSCrypt Ransomware Trojan is distributed to users via spam emails loaded with a macro-enabled Microsoft Word file. The document may be proposed to users as an invoice, order confirmation and message from a friend on a social media service. Either way, the file acts as an installer that includes a script which is loaded in Windows and issues commands that result in the installation of the PSCrypt Ransomware.

During data encryption, it appends .pscrypt file extension and makes data impossible to open. Once it’s done, this crypto-malware creates and saves a Paxynok.html file into every folder that contains encrypted data, including the desktop. The ransom note carries victim’s personal identifier and a message from cyber criminals which says that all files have been encrypted by PSCrypt. The letter suggests that the victim must buy Bitcoins[2] at LocalBitcoins, Coinbase or XChange and then transfer a required sum to a provided Bitcoin wallet.

Cyber criminals ask to write them a letter via email address which is also provided in the ransom note. The crooks suggest that their “operator will give the further instructions.” According to the ransom note, victims have to pay 2500 hryvnia (approximately 96 US dollars) in order to decrypt corrupted files. The cyber criminals provide an unusual ransom payment method – paying the ransom via IBOX terminal.

Malware not only encrypts files but also makes the system vulnerable. It might make various modifications in the system, create new or delete existing registry entries, and even open the backdoor to other cyber threats. Thus, having this malicious program installed on a device might lead to even more serious problems. It goes without saying that you should first make a copy of data back up done by Max Total Security and then format PC. Reinstall new operating system and then do data recovery.

Ztorg Android malware

The Ztorg malware hid in apps on Google’s Play Store to send premium-rate SMS texts and delete incoming SMS messages on Android devices. The apps, called “Magic Browser” and “Noise Detector,” have a combined total of 60,000 user installations. What’s interesting about these apps is that they don’t conceal Ztorg in its traditional device-rooting form. Instead they hide an SMS-based version of the threat.

After a user installs them, the apps wait 10 minutes before connecting to their command-and-control (C&C) server. They then make two GET requests, the first of which includes the first three digits of the Android device’s International Mobile Subscriber Identity (IMSI). If the trojan receives data from the server, it responds with its second GET request containing the first five digits of the IMSI.


The second app, called “Noise Detector”, with the same malicious functionality, was installed more than 10,000 times.


Following these requests, the trojan receives a JSON file of “offers” carrying a string field called “url.” Some of these “url” fields actually contain a URL, in which case Ztorg displays content to the user. In the event the field carries a “SMS” substring, it sends an SMS message to the number provided, turns off the device sound, and starts blocking all incoming SMS text messages.

It means that these Trojans may not only open ad urls, or send Premium rate SMS, but also open web-pages with WAP billing and steal money from a user’s account. To hide these activities the Trojans turn off the device sound and delete all incoming SMS.

RabboLock Ransomware

The R4bb0l0ck file encoder is programmed to scan the machine for available memory disks, and network shared storage that has data associated with software like Microsoft Office, Libre Office, Adobe Acrobat Reader, MySQL, VLC Media Player and Calibre. The threat is reported to use the files ‘hidden-tear.exe,’ ‘R4bb0l0ck.exe,’ and ‘R4bb0l0ck Ransomware.bin’ to facilitate its operation. The RabboLock Ransomware Trojan is programmed to report the IP address, machine GUID, active user account name, and software configuration to its masters before it generates a pair of unique encryption and decryption keys. As all HiddenTear variants do, the R4bb0l0ck Trojan encodes the user’s files using the AES-256 cipher and proceeds to encode the decryption key using the RSA-1024 cipher, which prevents malware researchers from recovering the corrupted data.

This Trojan is another crpto malware which adds the ‘.R4bb0l0ck’ extension to the encoded files. The RabboLock Ransomware is a threat to regular PC users that may open documents attached to spam emails, and lead to a security breach. The programmers responsible for the RabboLock Ransomware have been reported to take advantage of macro scripts embedded into Microsoft Word documents and compromise remote computers.

Our recommendation is be careful while opening email attachments, or fake software products as many malware come bundled with them, or while browsing web sites where scripts may ask you for permission or download something. Immediately terminate such processes or browsers from task manager . Always use Max Total Security to back up your data and Restore when you need it.

$ucyLocker Ransomware

The $ucyLocker Ransomware is a file encoder Trojan that is designed to corrupt data on compromised devices and offers users a chance to recover their data. The authors of the $ucyLocker Ransomware used “VapeHacksLoader.exe” and “Loader-Private” to install the ransomware within the PC. After infecting the computer, this ransomware encrypts files stored in the system and adds .WINDOWS file extension to each of them. Then it outputs some text into a ransom note READ_IT.txt which the virus saves on the desktop. This virus aims to extort the victim as it asks 0.16 BTC in exchange for a decryption key.


Following message is shown by this ransomware:

Window 1:
‘Your computer is locked. Please do not close this window as that will result in serious computer damage
Click next for more information and payment on how to get your files back.

Window 2:
‘Your Files are locked. They are locked because you downloaded something with this file in it. This is ransomware. It locks your files until you pay for them. Before you ask, Yes we will give you your files back once you pay and our server confirms that you pay.

Window 3:
‘I paid, Now give me back my files
Send 0.16 to the address below

Do not pay this Ransomware any money as there is no guarantee that it will recover your files. Go to control panel, review and uninstall any unwanted programs that you see. Go to Task manager and delete any processes or services that are not familiar to you and from Max Total Security >Options menu remove any BHOS and Startup entries that you see. From browsers remove any add ins.

Restore all of your files from Max Total Security Restore option.

Executioner (Cellat) ransomware

Executioner (Cellat) is a ransomware-type virus encrypts various data and appends six random characters to a name of each encrypted file. For example, “sample.jpg” might be renamed to “sample.jpg.h80skl” or similar. Executioner (Cellat) then changes the desktop wallpaper and creates an HTML file (“Sifre_Coz_Talimat.html”), placing it in each folder containing encrypted files.

The wallpaper contains a ransom-demand message in Turkish stating that files are encrypted and that a ransom of the equivalent of $150 in Bitcoins must be paid to restore them. It is currently unknown whether Executioner (Cellat) uses symmetric or asymmetric cryptography. In any case, decryption without a unique key is impossible. Cyber criminals store this key on a remote server and victims are encouraged to pay a ransom to receive it. Research shows, however, that these people should never be trusted – cyber criminals often ignore victims once ransoms are submitted. Therefore, never attempt to contact these people or pay any ransom. There is a high probability that paying will not deliver any positive result and you will simply be scammed. Paying is equivalent to sending your money to cyber criminals – you simply support their malicious businesses. Unfortunately, there are no tools capable of restoring files encrypted by Executioner (Cellat). Therefore, you can only restore your files/system from a backup. We recommend using a Total Security approach such as Max Total Security to handle such nuisance.

The Executioner ransomware also known as Cellat ransomware is most likely spread via spam emails containing malicious email attachments, pdf attachments and Word documents prompting the user to enable Macros, etc. Most recent ransomware cases rely on this method of distribution because of its high success rates. Most users tend to be careless with suspicious emails which often lead to ransomware and malware infections.

However, there are other probable methods of infections that could be used by the creators of the Executioner crypto virus. A payload dropper which triggers its malicious script could be spread online. The ransomware may also be spreading the payload file on social media websites and file-sharing services. Another popular method of ransomware and malware distribution is via freeware packages where a program may be bundled with malicious programs.

To avoid infections of that kind, be extremely cautious when dealing with files downloaded from the Web as well as with emails sent by unknown or suspicious entities.

Fireball- a browser-hijacker Infects Nearly 250 Million Computers Worldwide

Security researchers have discovered a massive malware campaign that has already infected more than 250 million computers across the world, including Windows and Mac OS and 20% of corporate networks globally. A Chinese digital marketing company named Rafotech is behind this malware.

Dubbed Fireball, the malware is an adware package that takes complete control of victim’s web browsers and turns them into zombies, potentially allowing attackers to spy on victim’s web traffic and potentially steal their data.

However, Fireball also can be turned into a fully functioning malware downloader, and is capable of executing any code on the victim machines. That means it can carry out a wide range of actions, including stealing credentials and loading ransomware.

For now, it seems focused on adware. Fireball manipulates victims’ browsers and turns their default search engines and home pages into fake search engines, which simply redirect the queries to either or to generate ad revenue. According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000. Fireball also installs plug-ins and additional configurations to boost its advertisement activity. Fireball has turned out to be virulent, with an enormous infection rate. The biggest proportion of infections are in India, Brazil and Mexico, and there are more than 5.5 million in the US.

The good news is that Fireball can be removed from PCs by uninstalling the adware using Programs and Features list in the Windows Control Panel, or using the Mac Finder function in the Applications folder on Macs.
Max Total Security for windows and Mac Total Security detects and removes this malware.

The Judy Malware-Android

Up to 36.5 million Android devices may have been infected by malware that produced fake ad clicks and lined the pockets of its developers. 41 apps developed by Korea-based Kiniwini and published under the moniker ENISTUDIO Corp., “infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.

Google “swiftly” removed the apps from Google Play after being alerted to their existence, but not before they “reached an astonishing spread between 4.5 million and 18.5 million downloads.

Once a user downloads a malicious app, it silently registers receivers which establish a connection with the [Command and Control] server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure.

Keep your Android device protected with the updated Max Total Security for Android.

Despite apps going through periodic reviews, Google’s Play Store security system, named Bouncer, wasn’t able to pick up the malware’s malicious activity.
Google launches new Android security services

On May 17, during the Google I/O annual event, Google announced a new service called Google Play Protect. According to Google, this new service continuously scans all Android apps and user devices for malicious behavior and uses machine learning to detect any suspicious activity. Once it detects a malicious app, it removes it from the phones of all users who installed it.

The new Google Play Protect service suite is currently shipping to all devices with the Google Play app installed.

MoWare H.F.D ransomware

MoWare H.F.D is a ransomware cryptovirus that displays a window with a ransom message. The ransomware is a variant of HiddenTear and places the extension .H_F_D_locked after encryption. MoWare H.F.D ransomware might also distribute its payload file through spam emails, social media and file-sharing services. MoWare H.F.D ransomware makes entries in the Windows Registry to achieve persistence, and could launch or repress processes in a Windows environment. Such entries are typically designed in a way to launch the virus automatically with each start of the Windows operating system.

The MoWare H.F.D Ransomware is perceived as a very threatening Trojan because it is designed to encrypt 666 file types and support limiting the user’s control of the OS. A detailed report from cyber security researchers revealed that the MoWare H.F.D Ransomware could terminate access to the Registry Editor, the Task Manager, and the Command Line tool. Server administrators may have a hard time purging the MoWare H.F.D Ransomware from their network. The Trojan is associated with the ‘.H_F_D_locked’ string that is used a marker to inform users which files have been encrypted. For example, ‘Stars shack.png’ is renamed to ‘Stars shack.png.H_F_D_locked’ and the Windows Explorer does not generate a thumbnail for the photo. The encryption process may trigger error reports in database managers like MySQL, OracleDB and MongoDB. The ransom notification is generated as a program window named ‘MoWare H.F.D’ that says:

Your Personal Files has been Encrypted and Locked
Your documents, photos, databases and other important files have been encrypted with strongest encryption and locked with unique key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key.
Caution: Removing of MoWare H.F.D will not restore access ti your encrypted files.
Frequently Asked Questions
What happened to my files ? understanding the issue
How can i get my files back ? the only way to restore your files
What should i do next ? Buy decryption key
Now you have the last chance to decrypt your files.
1. Buy Bitcoin (
2. Send amount of 0.02 BTC to address: 15nbyuacLHfm3FrC5hz1nigNVqEbDwRUJq
3. Transaction will take about 15-30 minutes to confirm.
4. When transaction is confirmed, send email to us at

You should NOT under any circumstances pay the ransom. Your files may not get restored, and nobody could give you a real guarantee. Moreover, giving money to cybercriminals will likely motivate them to create more ransomware or do other criminal activities. You should keep an updated Anti Virus program such as Max Total Security which provides daily back and easy to restore mechanism in case you get infected with any of the Ransomware.

LightningCrypt ransomware

LightningCrypt is a crypto-malware that uses a strong encryption cipher to wreck various data stored on the targeted computer. This file-encrypting virus appends .LIGHTNING file extension to each of the corrupted pictures, audio, video, and text files, documents, databases and other widely used records. As soon as all targeted data is locked, ransomware delivers a ransom note in LightningCrypt_Recover_Instructions.txt file and triggers a pop-up window.

The threatening letter from cyber criminals tells that trying to recover data or delete LightningCrypt ransomware will lead to the data loss. According to the ransom note, the only way to decrypt files is to transfer 0.17 Bitcoins to the provided address. Once the transaction is made, damaged files should be recovered immediately. However, chances that you will never get back your files are quite high.

Cybercriminals created this malicious program to swindle the money from innocent computer users. Thus, they may not bother about decrypting their files because no one can find them and punish for a unkept promise. LightningCrypt infects when you open an infected email attachment. As soon as a person clicks on such file, malware payload is dropped and executed on the system. Apart from encrypting data, ransomware also modifies the registry and makes some entries in order to run itself automatically when Windows OS is launched. What is more, this cyber infection makes computer’s system vulnerable and might open the backdoor to other malware.

You should keep an updated Anti Virus program such as Max Total Security which provides daily back and easy to restore mechanism in case you get infected with any of the Ransomware.