WannaCry 2.0 ransomware that evades the kill switch, is here to wreak havoc

WannaCry 2.0 ransomware ready for more destruction as it learns to combat the kill switch

Never in history has a ransomware brought more than half the world’s computers to a standstill. On Friday, May 12, 2017, computers around the world were crippled by the biggest ransomware attack yet, known as “WannaCry” (also “WanaCrypt0r 2.0”, “WannaCrypt” or “WCry”), which targeted PCs, laptops and ATMs running Microsoft Windows. The attack initially infected around 57,000 computers worldwide; that number has now grown to over 200,000 in 150 countries, including Russia and the United Kingdom, making it one of the most widespread cyber attacks in history. The attack spreads by multiple methods, including phishing emails and, on unpatched systems, as a computer worm.

Soon after the initial release of the ransomware on May 12, 2017, a U.K.-based researcher going by the name MalwareTech accidentally discovered a “kill switch” hardcoded in the malware while analyzing the attack. The researcher registered a domain that the malware checks before infecting a host. Registering it stopped the attack from spreading as a worm and acted as a kill switch: the malware does not proceed with file encryption once the domain resolves, rendering it inactive.

However, the creators behind “WannaCry” have quickly worked around this domain-based kill switch, altering their code to remove the somewhat bizarre error and restart their ransomware campaign. Security researchers have discovered variants of the Windows malware that either have no kill switch at all, or that check a different domain than the one discovered by the researcher.

Microsoft had released a software patch (MS17-010) for the security holes on March 14, 2017. According to the company, those who applied the critical Windows patches released in March were protected against this attack, while those who did not were affected. Hence, Microsoft has now not only encouraged users to install the fix it released for the vulnerability back in March, but has also created security patches for several now-unsupported versions of Windows, including Windows XP, Windows 8 and Windows Server 2003.

The problem is expected to get worse this week, as many businesses’ unpatched computers are exposed to the attack. For those who are not yet affected, we strongly recommend ensuring that systems are updated with the latest antivirus and anti-malware software along with the patches released by Microsoft, at the earliest opportunity, in order to keep the ransomware at bay.

Source: Neowin

The Locky and Zepto Evolving Threats – Advanced Forms of Ransomware

Locky and Zepto, The Two Deadly Ransomware

Martin Beltov

Two of the most popular and devastating ransomware variants have emerged this year: Locky and Zepto, the notorious malware that have plagued computer users and business owners worldwide. Both threats are extremely dangerous and use all of the popular distribution methods. Fortunately, Zepto removal instructions have recently been released.

The situation with Locky is quite different: this ransomware has shown that it can evolve and change. In fact, cyber security experts no longer speak of Locky as a single type, but as a whole family of related threats spread across the world. The most recent discovery is that Locky now infects via DLL files. This feature is known to the expert community as “The Locky Trick”, because it hides the ransomware’s signature and makes it harder for antivirus and anti-spyware software to detect.

Locky Troubles

Locky has grown to become one of the most popular and devastating ransomware strains of the last year. The threat was identified in February 2016 by leading security vendors and experts, and it has been used successfully against individual users, companies, and even government institutions. The malware uses a strong encryption method that renders all brute-force decryption attempts useless.

Notable Locky targets so far include world-leading universities, major hospitals across all continents, government facilities and large corporations. Campaigns against individual users tend to be automated, while the most sophisticated attacks are set up against bigger targets.

The ransomware is spread mainly through spam email messages. Most of the campaigns analyzed so far share the same content and structure. The Locky executable is delivered either as an attachment or via a malicious message. Phishing attacks carrying the malware are becoming more common as the criminals use various social engineering schemes to fool the user into downloading and executing the file. The malicious attachments are often infected Microsoft Office documents (Word documents and Excel spreadsheets) containing obfuscated Visual Basic macros; when the user runs them, the Locky infection is activated.

The mechanism of action follows this generic pattern:

  1. The Locky binary is copied to the %TEMP% location and renamed as exe, mimicking a Windows system process to avoid detection by the user. The file then removes several flags from its properties to bypass the “File Downloaded from the Internet” notification.
  2. The binary sets up other defense mechanisms, such as renaming its binary files and supplementary files (depending on the strain).
  3. Registry entries are added to the victim host to restart the encryption process in case of a restart or shutdown of the computer.
  4. Locky deletes all local Volume Shadow Copies to prevent data restoration.
  5. The remote C&C servers are contacted and the infection is reported.
  6. The encryption process is started. A unique set of keys is used for each infected host. This means that manual decryption without the private key is impossible.

The Locky ransomware encrypts 164 of the most commonly used file extensions across 11 categories, such as Microsoft Office documents, media files, archives and image files. The encrypted files are renamed with the .locky extension, and a ransom note named “_Locky_recover_instructions.txt” is created in every folder that contains an affected file. Ransom instructions are also generated as a BMP file that is set as the wallpaper. The ransomware works on all connected drives, including removable storage and RAM disks.

The ransom payment website is located on the Tor network, and the criminals expect their fee to be paid in Bitcoin. Depending on the strain and the encrypted files, the decryptor may cost the victim different amounts of money. The usual minimum, however, is at least 0.5 Bitcoin.

Locky has spawned a whole family of related ransomware spread across the Web. Some of them use the malware’s name or add other letters or combinations to it. Security experts have even warned computer users that there are counterfeit Locky variants that imitate its behavior.

Unfortunately, there is no public decryptor available for Locky. As the ransomware deletes the Volume Shadow Copies on the victim computer, a safe backup of all sensitive data is currently the only way to restore access to the user’s files.

Enter Zepto

Zepto is another popular ransomware that is actually a variant of Locky. Most Zepto attacks are carried out by spam emails containing the malicious binary. The malware itself is activated by JavaScript code placed inside the malicious executable. The encryption process is hidden from the user’s view. This is extremely dangerous, as the ransomware gives no indication of its presence and victims are only alerted once encryption has completed.

Like Locky, Zepto adds a registry entry on Microsoft Windows systems to ensure that it autoruns at system start. Zepto follows Locky’s behavior in its infection and encryption technique. The files are renamed with the .zepto file extension and, like Locky, it deletes all Volume Shadow Copies on the victim machine.

As Zepto is a variant of Locky and uses the same ciphers and techniques, there is no public decryptor available yet.

Major Zepto attacks were carried out against individual users and companies in June this year.

Locky and Zepto Are Part of Every Hacker’s Arsenal

The Locky and Zepto ransomware have spawned numerous discussions and analyses by both security vendors and their customers. Their popularity has prompted the criminal developers to include them in exploit kits and to add new features with even more damage potential.

The newer Locky variants can infect users via DLL files, which makes them harder for security software to detect. Custom packers, layers of encryption and other methods are also among the favorite mechanisms that malicious users employ against target victims.

Security researchers estimate that total ransomware damages amounted to 209 million US dollars in the first half of 2016. Cyber security issues, especially ransomware attacks, have become one of the leading causes of financial losses for many companies and organizations. Many recent vulnerabilities also allow malware such as Locky and Zepto to infiltrate target systems or even whole networks.

In August, one of the biggest security breaches of the year occurred at Banner Health, a leading healthcare institution. 3.7 million customers were affected by the intrusion. The security analysis revealed that the majority of hospitals often do not encrypt their sensitive data: patient files, clinical research, financial documents and other critical information.

Ransomware can produce collateral damage on the infected machines, including modification of the system configuration, permission changes, spying on users and even locking them out of their computers. As the ransomware distribution methods continue to expand, so do the dangers of contracting a new strain of Locky or Zepto.

Martin Beltov graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast, he enjoys writing about the latest threats and mechanisms of intrusion.

TorrentLocker Ransomware variation targets Japanese users

TorrentLocker Ransomware variation written to specifically target Japanese users

A new variation of the TorrentLocker ransomware has been found by security experts at Symantec being used in the wild. This is the first reported instance of a ransomware specifically targeting users in Japan. Though Japan is not new to ransomware, never before has a cyber criminal made such a deliberate attempt to attack Japanese users. Symantec researchers say that this ransomware is a localized variant of TorLocker. The malware encrypts files with certain extensions on the compromised computer and demands that the user pay in order to decrypt them. Symantec researchers have also confirmed that there are multiple variants of this particular Japanese ransomware.

About TorrentLocker

This new type of ransomware is a sibling of the CryptoLocker and CryptoWall ransomware and communicates with its command and control server over the Tor anonymizer network. TorrentLocker uses themes and naming from CryptoLocker and CryptoWall, but is very different at the code level and is believed to be a new strain of ransomware. The malware first connects to a command and control (C&C) server over secure communications and exchanges a certificate before it starts encrypting. The malware uses the Rijndael algorithm for file encryption. This is a symmetric cipher, and the malware uses a password either stored locally or retrieved from the remote attackers’ server for the encryption.

The attack

Ransomware generally spreads through as many mediums as possible in an attempt to infect unsuspecting users; however, the medium preferred by cyber criminals is spear phishing. The malware is hidden in an innocuous email as an attachment, which the victim downloads thinking it is a genuine file. Once the ransomware has been downloaded onto a machine, it encrypts all the files its program is configured to target and requests payment, usually in Bitcoin, to decrypt them, holding the user’s data hostage. This particular ransomware works the same way, with the addition that all of its instructions are written in Japanese.

TorLocker has been used in ransomware attacks around the world. The threat is part of an affiliate program, where the program’s operator gives participants the builder to create custom ransomware, access to the TorLocker control panel to track infections, and miscellaneous files to be used in conjunction with the malware. In return, the participants give a portion of the profit from the attack to the affiliate program’s operator.

The malware is spread via the phishing page shown in the picture above, which displays a fake Adobe Flash Player installer page. If a user clicks the yellow link to download this fake Flash Player, they are prompted to download and execute a setup file to install the plugin. However, the file is not digitally signed, nor does it carry the typical icon used by Flash Player installers. These two signs suggest that it is a fake, malware-laden application, but only attentive users will spot the difference. Once the file is downloaded and installed, the ransomware gets to work encrypting the user’s data.

Once the malware has finished its job, the ransom screen is shown to the user. The message asks the user to pay in order to unlock their files. The demanded ransom ranges from 40,000 yen to 300,000 yen (approximately US$500 to US$3,600). Japan is fast approaching its New Year holiday, an opportune time for cybercriminals to strike; the attacker probably wants to make the most of unsuspecting users browsing the internet.

Symantec has the following recommendations to avoid or mitigate ransomware infections:

  • Update the software, operating system, and browser plugins on your computer to prevent attackers from exploiting known vulnerabilities.
  • Use comprehensive security software, such as Norton Security, to protect yourself from cyber criminals.
  • Regularly back up any files stored on your computer. If your computer has been compromised with ransomware, then these files can be restored once the malware is removed from the computer.
  • Never pay the ransom. There’s no guarantee that the attacker will decrypt the files as promised once they receive payment.

OphionLocker, A New Ransomware uses Elliptic Curve for Encryption, Tor for Communication & Malvertising for Propagation

OphionLocker Ransomware uses Elliptic Curve for Encryption, Tor for Communication and Malvertising for Propagation

A new variety of ransomware has been discovered by Trojan7Malware researchers. Dubbed OphionLocker, this ransomware is unique in that it uses elliptic curve cryptography for file encryption and Tor for communication. Another distinctive signature of OphionLocker is that it propagates through malvertising campaigns rather than the traditional spear phishing methods.

Elliptic Curve Cryptography

Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. One of the main benefits of ECC is that it provides the same level of security with smaller keys.

This algebraic form of encryption is based on the difficulty of solving the discrete logarithm problem for a random elliptic curve element. This, like the more familiar problem of factoring the product of two very large primes, offers a one-way function to underpin the security of public-key cryptography systems. ECC offers equivalent levels of security with smaller key sizes, a particular advantage on systems with limited computing power, such as smartphones.


Once a potential victim has downloaded the malware by visiting a website serving the malvertising code, it encrypts the available files and then uses a Tor2web URL to direct the victim to an instruction page explaining how to pay for the decryptor tool. The attackers demand a payment of one Bitcoin for the decryption tool, which translates to $350 at today’s exchange rate. However, the price of the decryptor can change according to the victim’s geolocation. Trojan7Malware lists the following file extensions encrypted by this ransomware, which are similar to the file types encrypted by CryptoLocker and TorLocker.

Extensions encrypted:

One interesting aspect of this ransomware is that it tries to be aware of the environment it is running in. If the malware detects a virtual environment, it will not ask for any payment. Virtual environments are commonly used by security researchers to analyze malware such as this one.

Another unique feature of this malware is that it generates an HWID (hardware identification) number to ensure that only one sample can be generated per PC.


The authors/handlers of this malware seem to be using these techniques to hide the ransomware from security researchers for as long as possible, and also to blacklist any PC that they deem to have been compromised by security researchers.

OphionLocker is deadlier than previous ransomware incarnations because it needs neither internet connectivity nor user interaction to begin encryption. This is because a public key is already present in the payload downloaded by the victim, which makes the infection harder to detect or prevent.

Ransomware getting more and more stubborn

The propagation and viciousness of these ransomware families are growing, and their handlers, attackers and authors seem to be getting better and bolder, using ever more complicated encryption techniques. Despite the high-profile CryptoLocker takedown, ransomware remains a deadly threat to users. The advancement in the techniques adopted by the authors of such malware can be seen in OphionLocker, which uses smaller-key encryption based on elliptic curve cryptography and the Tor anonymity network for communication with its command and control server.

Resource: Trojan7Malware

CoinVault baits users by decrypting one file only to encrypt all others

The latest ransomware, called CoinVault, hits the hijacked PC and has the “generosity” to let the victim decrypt one file for free before demanding payment in Bitcoin for the rest. Like a drug dealer or bank robber, CoinVault gives the paying party a “taste” of the liberated goods, then demands full payment for the rest. The ransom increases the longer the victim does not pay.

Bait to attract money

CoinVault is similar to other ransomware that we have seen before. The only difference is that this ransomware lets you decrypt one of the “hostage” files, to show you that the decryption works and to demonstrate the “noble” intentions of the hijackers. Once it infects a Windows PC, CoinVault displays a message telling victims that “Your personal documents and files on this computer have just been encrypted.” It demands payment in the cryptocurrency Bitcoin and gives instructions on how victims can send the money. The software itself can be removed from your machine just like any other program, but once you remove it you are left with no way to recover your lost files, and the ransomware displays this fact to drive the message home.

Experts always advise users against paying such a ransom, mainly because there exists no legal framework, or any other means, to ensure that the attacker will decrypt your files once the payment has been made. Most attackers do generally decrypt the files, but if one decides not to, it becomes a serious problem, as decrypting them yourself might take years. The “one free decrypt” policy is probably a means for the attacker to persuade more people to pay up. The location where victims are asked to pay is also made dynamic, so the chances of the attacker being tracked down are reduced.

Security researchers have analyzed the malware; it is built on the .NET Framework. An interesting detail is that this ransomware also checks for network analyzers such as Wireshark, probably to hinder analysis. Kaspersky detects this family as ‘Trojan-Ransom.Win32.Crypmodadv.cj’. We have already seen similar malicious applications in the past (in terms of functionality), such as ‘TorrentLocker’ and some PowerShell ransomware, but the amount of effort invested in this one to protect its code shows that cybercriminals are leveraging already developed libraries and functionality in order to avoid reinventing the wheel.

Safety Tips

To protect against such ransomware, it is advised to:

  • Always make a backup of all your critical files and save them either to an external hard drive or to the cloud.
  • Save several versions to prevent the chance of the backup also being encrypted.
  • If you ever get infected with ransomware, you can merely delete the malware and restore your old files.
  • You should also make sure all your software is up-to-date and patched, as ransomware almost always exploits known software vulnerabilities.
  • Be sure to install and run a robust antivirus solution, which will catch most or all forms of criminal-controlled malware.

Resource: Securelist.

CryptoWall ransomware held over 600K computers hostage, encrypted 5 billion files

A file-encrypting ransomware program called CryptoWall has infected over 600,000 computer systems worldwide in the past six months and encrypted 5 billion files, making its creators millionaires, researchers have found.

The Counter Threat Unit (CTU) at Dell SecureWorks performed an extensive analysis of CryptoWall that involved gathering data from its command-and-control (C&C) servers, tracking its variants and distribution methods, and counting the payments made by victims so far. The research done by the CTU has confirmed the researchers’ worst fears.

CryptoWall is “the largest and most destructive ransomware threat on the Internet” at the moment and will likely continue to grow, the CTU researchers said Wednesday in a blog post that details their findings.

The threat was not considered so dangerous some time ago, because most ransomware cases then involved another dominant ransomware, CryptoLocker, which infected more than half a million systems in 2013.

CryptoLocker asked victims for ransoms of between $100 and $500 to recover their encrypted files and is estimated to have earned its creators around $3 million over 9 months of operation. The threat was shut down at the end of May following a multi-national law enforcement operation supported by security vendors. CryptoLocker could be shut down because it had to communicate with its C&C server before acting on any commands; the security companies managed to take down the C&C servers, rendering the CryptoLocker binaries useless even on PCs they had already infected.
CryptoWall filled the void left by CryptoLocker on the ransomware landscape through aggressive distribution using a variety of tactics, including spam emails with malicious links or attachments, drive-by-download attacks from sites infected with exploit kits, and installation by other malware programs already running on compromised computers.

When CryptoWall is first executed, it unpacks itself in memory and injects malicious code into new processes that it creates. It creates an “explorer.exe” process from the legitimate system binary in a suspended state, then maps and executes malicious code in the process’s address space. This malicious instance of explorer.exe then executes the following command:

  • vssadmin.exe Delete Shadows /All /Quiet

This command causes the Windows Volume Shadow Copy Service (VSS) to delete all shadow copies of the file system. CryptoWall also disables Windows’ System Restore feature by modifying the registry value:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore => DisableSR

Both techniques prevent infected systems from recovering encrypted files.
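As an added example (not code from the article or from Dell SecureWorks), the following Python scans constructed Sysmon-style process-creation and registry-set events for the two recovery-sabotage steps just described (vssadmin shadow deletion and the SystemRestore DisableSR value), and also for the %TEMP%-based Run-key persistence described for Locky and Zepto earlier on this page. The JSON-lines log format, field names and host names are assumptions made for the example.

```python
"""Flag ransomware recovery-sabotage and persistence steps in endpoint logs.

Detections, all defender-side:
  * shadow_copy_deletion        - vssadmin[.exe] delete shadows (CryptoWall, Locky)
  * suspicious_parent_explorer  - vssadmin spawned by explorer.exe, as CryptoWall's
                                  injected explorer.exe does; the real shell never does
  * system_restore_disabled     - SystemRestore\\DisableSR set to 1 (CryptoWall)
  * run_key_persistence_from_temp - Run key pointing at a binary in a Temp folder
                                  (Locky copies itself to %TEMP% and adds a Run entry)

The log format is a constructed, simplified JSON-lines rendering of Sysmon-style
process-creation and registry-set events, not a real Sysmon export.
"""
import json
import re

# "vssadmin delete shadows" with any casing, optional .exe and any arguments.
# /All /Quiet is what CryptoWall uses, but any deletion is worth an alert.
VSSADMIN_DELETE = re.compile(
    r"(?:^|\\|\s)vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)

# Registry value CryptoWall sets to disable System Restore (compared lower-cased).
SYSTEM_RESTORE_DISABLE = (
    r"\software\microsoft\windows nt\currentversion\systemrestore\disablesr")

# HKCU/HKLM ...\CurrentVersion\Run or RunOnce value paths.
RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.IGNORECASE)


def registry_dword(details):
    """Extract the integer from a Sysmon-style 'DWORD (0x00000001)' or a bare number."""
    match = re.search(r"0x([0-9a-fA-F]+)", details)
    if match:
        return int(match.group(1), 16)
    return int(details) if details.strip().isdigit() else None


def classify_event(event):
    """Return the list of detection names that fire on a single parsed event."""
    findings = []
    kind = event.get("type")
    if kind == "process_create":
        if VSSADMIN_DELETE.search(event.get("command_line", "")):
            findings.append("shadow_copy_deletion")
            parent = event.get("parent_image", "").lower()
            if parent.endswith("\\explorer.exe"):
                findings.append("suspicious_parent_explorer")
    elif kind == "registry_set":
        target = event.get("target_object", "")
        details = event.get("details", "")
        if target.lower().endswith(SYSTEM_RESTORE_DISABLE) and registry_dword(details) == 1:
            findings.append("system_restore_disabled")
        if RUN_KEY.search(target) and "\\temp\\" in details.lower():
            findings.append("run_key_persistence_from_temp")
    return findings


def scan(lines):
    """Parse JSON-lines events and return (host, detection) pairs in log order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for finding in classify_event(event):
            alerts.append((event["host"], finding))
    return alerts


# Constructed sample events: ws01 mimics the CryptoWall sequence, ws02 is a benign
# admin listing shadow copies, ws03 mimics a Locky-style Run entry from %TEMP%,
# ws04 is a legitimate Run entry. Raw string so the JSON keeps its escaped backslashes.
SAMPLE_LOG = r"""
{"host":"ws01","type":"process_create","image":"C:\\Windows\\System32\\vssadmin.exe","parent_image":"C:\\Windows\\explorer.exe","command_line":"vssadmin.exe Delete Shadows /All /Quiet"}
{"host":"ws01","type":"registry_set","target_object":"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR","details":"DWORD (0x00000001)"}
{"host":"ws02","type":"process_create","image":"C:\\Windows\\System32\\vssadmin.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","command_line":"vssadmin.exe list shadows"}
{"host":"ws03","type":"registry_set","target_object":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost","details":"C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe"}
{"host":"ws04","type":"registry_set","target_object":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive","details":"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
"""

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_LOG.splitlines()):
        print(f"{host}: {finding}")
```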
The CryptoWall command-and-control servers assign a unique identifier to every infection and generate an RSA public-private key pair for each one.

The public keys are sent to the infected computers and are used by the malware to encrypt files with popular extensions (movies, images, documents, etc.) stored on local hard drives as well as on mapped network shares, including those from cloud storage services like Dropbox and Google Drive.

Files encrypted with an RSA public key can only be decrypted with the corresponding private key, which remains in the possession of the attackers and is only released after the ransom has been paid.

The CTU researchers were able to count the unique computer identifiers on the CryptoWall servers and also obtained information about each one’s IP address, approximate time of infection, and payment status.

“Between mid-March and August 24, 2014, nearly 625,000 systems were infected with CryptoWall,” the CTU researchers said. “In that same timeframe, CryptoWall encrypted more than 5.25 billion files.”

The largest number of infected systems were located in the United States: 253,521, or 40.6 percent of the total. The next most affected countries were Vietnam with 66,590 infections, the U.K. with 40,258, Canada with 32,579 and India with 22,582.

CryptoWall typically asks victims to pay the ransom in the Bitcoin cryptocurrency, but earlier variants offered more payment options, including pre-paid cards like MoneyPak, Paysafecard, cashU, and Ukash.

The ransom amount grows if a victim does not pay within the initial allotted time, which is usually between four and seven days. The CTU researchers observed payments ranging between $200 and $10,000 in value, the majority of them (64 percent) being $500.

“Of nearly 625,000 infections, 1,683 victims (0.27%) paid the ransom, for a total take of $1,101,900 over the course of six months,” the CTU researchers said.

This suggests that while CryptoWall managed to infect 100,000 more computers than CryptoLocker, it was less effective at generating income for its creators. Researchers previously determined that 1.3 percent of CryptoLocker victims paid the ransom, for a total of over 3 million dollars.

The difference in success rate might be explained by the technical barriers involved in obtaining Bitcoins, the CTU researchers said. In the case of CryptoLocker, 1.1 percent of victims paid the ransom through MoneyPak and only 0.21 percent used Bitcoin.

The CTU analysis found similarities between CryptoWall samples and those of an older ransomware family called Tobfy. If the same attackers are behind both threats, they have at least several years of experience in ransomware operations.
“TorrentLocker” Malware combines CryptoLocker, CryptoWall using BitTorrent keys in Windows Registry, for ransom

A deadly ransomware is infecting BitTorrent users. A blog report published by iSIGHT Partners says that this ransomware, which they have dubbed TorrentLocker, is a file encryptor. Once it infects a system, it encrypts almost all important files and folders using the Rijndael algorithm (a symmetric cipher). The malware then displays a ransom message informing the victim that their files have been encrypted by the “CryptoLocker virus”, together with a ransom page. iSIGHT Partners also noted that the FAQ section of this malware is similar to that of the CryptoWall malware.

iSIGHT Partners dubbed the ransomware ‘TorrentLocker’ because its configuration resides in the Windows Registry under HKCU\Software\Bit Torrent Application\Configuration. The researchers said that they could not find evidence of this malware being sold on underground forums on Tor as of today.

As of now, TorrentLocker is being distributed via spam messages and the victims are users based in Australia. As with other ransomware, the ransom is to be paid in Bitcoin, but the amount shown in the ransom message is in Australian Dollars. Furthermore, the recommended Bitcoin sellers are all located in Australia. Richard Hummel of iSIGHT Partners said that, “It may also cause victims to assume that their files are encoded in RSA-2048, a possibly more secure encryption method than the Rijndael algorithm used to encrypt files in TorrentLocker.” The key points noticed in this malware by iSIGHT Partners are:

  1. TorrentLocker uses themes and naming from the CryptoLocker and CryptoWall ransomware, but is very different at the code level and is believed to be a new strain of ransomware.
  2. The malware first connects to a command and control (C&C) server over secure communications and exchanges a certificate before it starts encrypting.
  3. The malware uses the Rijndael algorithm for file encryption. This is a symmetric cipher, and the malware uses a password either stored locally or retrieved from the remote attackers’ server for the encryption.

The fact that TorrentLocker is spoofing CryptoLocker has led the researchers to believe that it may become as notorious as CryptoLocker, but on the other hand it may also be easy to disrupt. As was the case with CryptoLocker, TorrentLocker communicates with the command and control server before attempting to encrypt files. So if AV and security firms take down the command and control server, TorrentLocker will fall apart, because without communicating with the C&C server it will not encrypt any files.

Readers will remember that CryptoLocker was killed using the same technique, and that researchers from FireEye and Fox-IT also launched a free service called ‘DecryptoLocker’ which helped victims recover files encrypted by the notorious CryptoLocker.
Critoni Ransomware on sale for $3000 in underground forum, uses Tor Anonymity Network to communicate with its C & C server

A new ransomware called Critoni is being sold on underground forums. The speciality of this ransomware is that it uses the Tor network to communicate with its remote command and control server. This anonymizes the communication and hence makes it undetectable, as the ransomware commands pass through the several layers of the Tor anonymizer setup before reaching the command and control server.

For the uninitiated, ransomware is malware that, once it has infected your computer, encrypts various types of files, documents, videos and images with an encryption key and then asks you to pay a ransom for the key to decrypt your data.

The post offering Critoni for sale was discovered by French security researcher Kafeine, who says that the advertisement has been up since the middle of June 2014. He said the going price for this malware is $3,000.00 / €2,220.00 / Rs.180,000.00.

This particular malware is named CTB-Locker (Curve-Tor-Bitcoin Locker) by the cyber criminals and Critoni.A by Microsoft. Critoni uses persistent cryptography relying on elliptic curves, which would make file decryption impossible; keys are generated randomly and there is no risk of two keys being the same. If infected, the victim has to pay the ransom in bitcoins, to prevent tracing of the transaction. The ransomware also gives a tutorial on how to obtain bitcoins through a market if the victim doesn’t own any. In fact, if the victim is new to the Tor anonymizer network, it even gives tutorials on downloading Tor.

According to Kafeine, the post on the underground forum also mentioned that the encryption process could be carried out without an Internet connection, though how it could connect with its C&C server in that case is an open question. Kafeine also reports that Critoni has been seen being delivered by the Angler exploit kit, but other forms of attack have also been detected in the wild.

Another attribute of Critoni is that once the period set for making the ransom payment expires, the file-locking program automatically deletes itself and victims are offered another chance to retrieve their data. These instructions are provided in a TXT file located in the Documents folder.

According to security experts from Kaspersky, this is the first cryptomalware to use the Tor network to anonymize its communication with the command and control server. This sort of protection has generally been seen in banking Trojans such as the Zeus malware.

In a report on Threatpost, Fedor Sinitsyn of Kaspersky said, “Executable code for establishing Tor connection is embedded in the malware’s body. Previously, for malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware’s body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general.”

Using the Tor network reduces the risk of detection and makes it easier for the cyber criminals to extract bitcoins from the hapless victims of Critoni.A.
read more

Android users browsing for NSFW content beware, Koler.A ransomware out to snare you

A specific group of Android smartphone and tablet users is being targeted by a deadly new ransomware, according to a report by Bitdefender. The ransomware, named Koler.A, targets only users who browse the net for 18+ and NSFW content, and infects their smartphones and tablets when they visit certain triple x websites.
Bitdefender says in its blog post that it has identified new malware which locks access to an Android user's smartphone or tablet until a ransom is paid to the malware's authors. Bitdefender has named this ransomware Android.Trojan.Koler.A.

Bitdefender says that the malware is downloaded onto Android smartphones and tablets under the guise of a video player app when their owners browse certain triple x websites. “As the user browses, an application that claims to be a video player used for premium access to triple x downloads automatically,” explained Bitdefender in the blog post.

Bitdefender also believes that the author of Koler.A is the same one who wrote the Reveton / IcePol trojan. Its blog post says that this new malware is the work of the gang behind Reveton / IcePol, which infected hundreds of thousands of PCs in 2012 and 2013. “It was just a matter of time until the highly prolific gang behind the Reveton / IcePol network made a move on Android,” it suggests.

Android.Trojan.Koler.A, however, works in quite a different way. As it cannot install itself on the victim's Android device, it relies on the fake video player to get itself installed. For that to work, the Android user must have enabled sideloading in their settings (the ‘Unknown sources’ box ticked) and must then tap the ‘Install’ button when prompted to install what they think is a video player. Once installed, it identifies the victim's location and shows them a web page with a warning in their language: “Attention! Your phone has been blocked up for safety reasons listed below. All the actions performed on this phone are fixed. All your files are encrypted. CONDUCTED AUDIO AND VIDEO”.

The page also claims that the victim has “violated World Declaration on non-proliferation of child pornography” and flouted copyright law, warning of possible jail terms for both. It then tries to charge a $300 ransom to remove the threat.

“The bad news is that by the time you see the message, the bad guys already have your IMEI on file,” said BitDefender’s chief security strategist Catalin Cosoi.

Bitdefender, however, said that the author of Koler.A is making empty threats about the device being locked or the data encrypted, as Koler.A does not have the permissions needed to actually encrypt the victim's files. “The good news is that Koler.A can be easily removed by either pressing the home screen and navigating to the app, then dragging it on the top of the screen where the uninstall control is located, or by booting the device in safe mode and then uninstalling the app.”

Bitdefender states that the easiest way to avoid this malware is to avoid visiting triple x websites that ask you to download a premium video player. If you have already done so and downloaded the ransomware, don't give in to its threats: just uninstall it.

Royal Mail the latest weapon of Ransomware makers, CryptoLocker to lure victims

Readers are advised to be very careful when opening any email that appears to come from Royal Mail, as it is being used by the makers of the dangerous ransomware known as ‘CryptoLocker’ to lure victims. This is especially true for readers based in the United Kingdom. According to an advisory issued by the United Kingdom police, the mail purporting to be from Royal Mail carries the malware in its second attachment.
The fake emails have been identified and studied by MX Lab. MX Lab reports that the emails are sent from a spoofed sender named “Royal Mail Group” and contain the following content.

Mail – Lost / Missing package – UK Customs and Border Protection

Royal Mail has detained your package for some reason (for example, lack of a proper invoice, bill of sale, or other documentation, a possible trademark violation, or if the package requires a formal entry) the RM International Mail Branch holding it will notify you of the reason for detention (in writing) and how you can get it released.

Please fulfil the documents attached.

The mail carries two zip attachments; the second contains the malware whose payload is CryptoLocker. Opening the attachment immediately triggers the installation of CryptoLocker, the most dreaded ransomware. In addition, the downloaded malware steals information from your Internet browser's cache, changes your firewall settings and finally modifies Windows Registry keys.
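The lure described above has a recognisable shape: a display name claiming to be Royal Mail on an address at some other domain, the lost/missing package subject line, and archive attachments that Royal Mail says it never sends unsolicited. The following screening script is an added example (not code from the original article, MX Lab or Royal Mail); it builds a constructed sample message with that shape and flags each of those traits. It assumes royalmail.com is the only legitimate sending domain for Royal Mail, which is an assumption of the example, not a statement from the page.

```python
"""Screen inbound mail for the Royal Mail / CryptoLocker lure shape (added example)."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption of this example (not from the article): only royalmail.com is a
# legitimate sending domain for mail whose display name claims to be Royal Mail.
TRUSTED_ROYAL_MAIL_DOMAINS = {"royalmail.com"}
# Phrases taken from the lure's subject line quoted in the article.
LURE_SUBJECT_MARKERS = ("lost / missing package", "uk customs and border protection")
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")


def build_sample_lure() -> bytes:
    """Construct a sample message mirroring the lure (constructed data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = '"Royal Mail Group" <noreply@example-spoof.test>'  # spoofed display name
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Mail - Lost / Missing package - UK Customs and Border Protection"
    msg.set_content("Royal Mail has detained your package. Please fulfil the documents attached.")
    # Two zip attachments, as in the campaign; the bytes are dummy placeholders.
    msg.add_attachment(b"PK\x03\x04dummy", maintype="application",
                       subtype="zip", filename="Documents_1.zip")
    msg.add_attachment(b"PK\x03\x04dummy", maintype="application",
                       subtype="zip", filename="Documents_2.zip")
    return bytes(msg)


def screen_message(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means no lure traits were seen."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[str] = []

    # 1. Display name claims Royal Mail but the address is on another domain.
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if "royal mail" in display_name.lower() and domain not in TRUSTED_ROYAL_MAIL_DOMAINS:
        findings.append(f"display name claims Royal Mail but sender domain is {domain or 'missing'}")

    # 2. Subject matches the known lost/missing package lure.
    subject = (msg.get("Subject") or "").lower()
    if any(marker in subject for marker in LURE_SUBJECT_MARKERS):
        findings.append("subject matches the lost/missing package lure")

    # 3. Archive attachments: Royal Mail states it never sends unsolicited attachments.
    archives = [part.get_filename() for part in msg.iter_attachments()
                if (part.get_filename() or "").lower().endswith(ARCHIVE_EXTENSIONS)]
    if archives:
        findings.append(f"{len(archives)} archive attachment(s): {', '.join(archives)}")
    return findings


if __name__ == "__main__":
    for finding in screen_message(build_sample_lure()):
        print("FLAG:", finding)
```

Run stand-alone, the script prints one FLAG line per trait found in the constructed sample (three for the lure as built). Any single finding is worth a closer look; the combination of a mismatched display name and unsolicited archives is the pattern the advisory describes, and the display-name check is the one that survives even when the attackers change the subject line.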

CryptoLocker encrypts all the data on the computer, including photos, music and personal files, using an RSA-1024 key with a Triple DES algorithm. The malware may not be detected by the antivirus installed on your computer: its unique coding makes it hard for any AV to identify, deactivate or quarantine. It also means that you have no way out other than to accept the ransom demand from the CryptoLocker makers or wipe your computer clean.

Because people in the UK generally trust any mail that appears to come from Royal Mail, Royal Mail has published a list of things it never does, to help users recognise this kind of fraud.

Advice from Royal Mail

Royal Mail will never send an email asking for credit card numbers or other personal or confidential information.

Royal Mail will never ask customers to enter information on a page that isn’t part of the Royal Mail website.

Royal Mail will never include attachments unless the email was solicited by customer e.g. customer has contacted Royal Mail with an enquiry or has signed up for updates from Royal Mail.

Royal Mail have also stressed that they do not receive a person’s email address as part of any home shopping experience.