Merry Christmas Ransomware

Nine days after Christmas, a new ransomware named “Merry Christmas” was discovered operating in the wild and later a new variant was found which transmitted the DiamondFox malware as a secondary infection. DiamondFox malware is a versatile malware that includes modules that recruit bots for distributed  denial of service attacks, steal credit card data from POS systems, pilfer browser passwords, open remote desktop connections and others.

The malware generates its ransom note as a file named “YOUR FILES ARE DEAD.hta” and inserts it in every folder wherein documents are encrypted. The note contains instructions directing victims to contact the criminals through telegram or email. The ransomware also communicates with the command-and-control server from the infected machine and transfers information including username, computer name, running processes, installed programs, local time and hardware information.

Palo Alto Networks and three other researchers are credited with discovering two variants of the Merry Christmas malware. MalwareHunterTeam discovered the DiamondFox secondary infection by the ransomware.


Educative Koovla Ransomware variant found

cryptoransomware-encryption-300x205Self-styled ransomware hunter, Michael Gillespie has discovered an unusual Koovla ransomware variant which offers decryption keys for a read up of two articles on how to stay secured from malware.

The ransomware once downloaded states:
“In order for me to decrypt your files you must read the two articles below. Once you have click the ‘Get My Decryption Key’ button.

Then enter in your decryption key and click the ‘Decrypt My Files’ button. Eventually all of your files will be decrypted 🙂

If the timer reaches zero then all of your personal files will be deleted because you were too lazy to read two articles.

So User do you want to play a game?”

One of the security articles is from Google’s security team on how to stay safe online while the other is from Bleeping Computer explaining the Jigsaw variant.

SEMTA Caught in ransomware attack

cryptoransomware-encryption-300x205The San Francisco Municipal Transportation Agency (SEMTA) was infected with a HDDCryptor ransomware over the weekend. Employee computers were presented with the message “You Hacked, ALL Data Encrypted. Contact For Key ( ID:681, Enter”.

The attack was made using Mamba which rewrites a computer’s Master Boot Record. Local reports indicates that critical assets like payroll, a MySQL database and email servers, as well as employees’ personal computers may have been compromised in the attack.

The attack is estimated to cost the agency US$559,000 each day until resolved.

Hutchinson Community Foundation hit by Data Breach & Ransomware

The Hutchinson Community Foundation in Kansas was hit with a data breach and ransomware attack.

How many victims? Nearly 5,500

What type of information? Personal and financial information.

What happened? On September 19, officials at the foundation found ransomware on the foundation’s network server after clicking on a file and finding its contents encrypted. Upon further investigation they found that intruders had done more than infect their files with ransomware and had actually made it into the foundation’s systems.

What was the response? The foundation didn’t pay the ransom and was able to restore all of their data from backup files however; officials said the data breach could have allowed attackers to access the databases and files on its servers and declared the incident a breach. Not all of the donor records contained sensitive information, but those who had their financial information and other sensitive data stored on the compromised serves are being notified of the incident and will be offered up to a year of free identity monitoring services. Continue reading

CryPy ransomware found by Avast analyst.

cryptoransomware-encryption-300x205Jakub Kroustek, Avast analyst disclosed a new ransomware variant written in Python. The ransonware named CryPy encrypts every file with a unique key. Kapersky researchers have also found that CryPy uses a vulnerable web server based in Isarel as its command and control center.

But security professionals are of the view that encrypting each file is a disadvantage to the malware’s performance and also noting that the C&C method used is very simple. The malware’s operation could be terminated by blocking the source IP address.

Despite it’s flaws, the sophisticated encryption used is difficult to decrypt and potentially will defeat common anti-ransomware softwares.

University of Calgary -$20,000 paid in Ransomware attack

cryptoransomware-encryption-300x205The University of Calgary has been hit by a ransomware attack. The university was forced to pay $20,000 to their attackers to get the  decryption key that will enable them access their files again. The attack took place in May.

Linda Dalgetty, the University’s VP of finances and services on the decryption procedure, said:

“The actual process of decryption is time-consuming and must be performed with care. It is important to note that decryption keys do not automatically restore all systems or guarantee the recovery of all data. A great deal of work is still required by IT to ensure all affected systems are operational again, and this process will take time,”

“The university is working with various experts in this field, and because this was a criminal act, the Calgary Police Service has been brought in as part of the investigation. As this is an active investigation, we are not able to provide further details on the nature of the attack, specific actions taken to address it, or how or if decryption keys will be used.”

Ransomware attacks have become a major tool in the hands of Black Hat Hackers in recent times, usually targeting large organizations like hospitals and schools.

DMA Locker 4.0 Gets Helping Hand from Neutrino EK

Security researchers are warning that the DMA Locker ransomware is now being distributed via the Neutrino exploit kit, potentially exposing users globally to mass infections.

First discovered in January this year, the variant was originally “too primitive to even treat it seriously,” according to Malwarebytes researcher ‘Hasherzade.”

More complexity was added in later versions but it was still possible to decrypt locked data.

However, now version 4.0 has been released, and it has fixed that security hole as it looks to gear up for mass distribution.

Usability improvements have been added, such as the option to decrypt a test file, and a link to a tutorial. The process of purchasing a key and payment is supported via dedicated panel now – with no human interaction required as per previous versions.

Continue reading