Synology Urges You To Be On Guard Against Ransomware

Ransomware is one of the nastiest kinds of software in existence, and in theory it could hit anyone. Some people naturally face a greater risk through the kind of work and tasks they do with their systems, but in theory anyone can be unlucky enough to be hit by this kind of evil-doing through security holes in the software they use.

This warning and reminder isn’t based on a specific new kind of ransomware; it is more to raise awareness of this kind of threat. Encryption-based ransomware such as CryptoWall, CryptoLocker, or TorrentLocker is on the rise, and it doesn’t just target Windows-based systems as many believe: it has also begun targeting network-based storage devices. Because of its stealthy nature and disastrous effects, ransomware is commonly perceived as a sophisticated, highly destructive, and unstoppable malware threat.

An advanced user isn’t really afraid of ransomware as they usually make backups of everything onto their network connected devices – or work directly from there via permanent shares and iSCSI setups. In the case of an infection, they simply wipe their system and install it again, and that would be the end of that story. Creators of this kind of nasty software know that and they want a piece of that pie too, which is why they have started to attack other systems besides workstations.

Where there is a threat, there is a way to defend yourself against it, at least in 99.9 percent of situations.

  • Update your operating system. Most people are up-to-date on their Windows and OS X updates simply because they are told when updates are available. But when was the last time you updated your NAS OS? Most NAS systems have automatic update features available, and you should at the very least enable them for critical updates.
  • Install security software. Good anti-virus software is a good place to start, and you’ll find solutions such as Avast or Intel Security among your NAS’ app offerings. It will take up some resources to have it running, but those are resources you should be happy to give up, especially if you use the automatic download features found in all NAS units.
  • Disable Remote Desktop Protocol. Remote Desktop Protocol (RDP) is a very common target for malware, which is why you should disable it if you don’t absolutely need it.
  • Install mobile apps and use push notifications. Applications for your smartphone and tablet are another great way to stay on top of your headless systems. Together with the push notification feature, you get up-to-date statuses from your system right in your pocket.
  • Beware of your actions. The golden rule is as it always has been: beware of what you do. Take the one extra second to hover over a link and check the destination in the status bar before you click it, turn off features such as “Hide file extensions for known file types”, and don’t trust anything until you have verified its authenticity.
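The “Hide file extensions for known file types” advice above is easier to appreciate when you see what a hidden extension does to a filename. The following is an added example, not code from the original article or from Synology: a small Python audit that takes a list of filenames, works out what Explorer would display with extensions hidden, and flags names that use a second “document” extension or whitespace padding to disguise an executable. The extension sets are an illustrative subset I chose, and the sample names are constructed.

```python
"""Spot filenames that rely on Windows' "Hide file extensions for known file
types" setting to pass an executable off as a document.

Added example, not from the original article or from Synology. The extension
lists are a small illustrative selection and the sample names are constructed.
"""
from __future__ import annotations

# Extensions Windows will run or script-execute on double-click (illustrative subset).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1"}
# Extensions most people read as "harmless document or picture".
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "txt", "jpg", "jpeg", "png", "gif", "zip"}


def shown_in_explorer(filename: str) -> str:
    """With extensions hidden, Explorer drops only the final extension."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot and stem else filename


def classify(filename: str) -> str:
    """Return one of: ok, executable, padded-executable, disguised-executable."""
    stem, dot, last = filename.lower().rpartition(".")
    if not dot or not stem or last not in EXECUTABLE_EXTS:
        return "ok"
    trimmed = stem.rstrip()                 # "report.docx      " -> "report.docx"
    inner = trimmed.rpartition(".")[2] if "." in trimmed else ""
    if inner in DOCUMENT_EXTS:
        return "disguised-executable"       # displayed as "report.docx"
    if trimmed != stem:
        return "padded-executable"          # spaces push ".exe" out of view
    return "executable"


def audit(filenames) -> list[tuple[str, str, str]]:
    """Return (real name, name as displayed, verdict) for every risky name."""
    findings = []
    for name in filenames:
        verdict = classify(name)
        if verdict != "ok":
            findings.append((name, shown_in_explorer(name), verdict))
    return findings


# Constructed sample listing, as it might come from a shared folder.
SAMPLE_NAMES = [
    "holiday.jpg",
    "invoice_2016.pdf",
    "invoice_2016.pdf.exe",
    "photos.zip.scr",
    "report.docx                    .exe",
    "README                      .exe",
    "setup.exe",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for real, shown, verdict in audit(SAMPLE_NAMES):
        print(f"{verdict:22} shown as {shown!r:35} real name {real!r}")
```

The point of the display column is that with extensions hidden, `invoice_2016.pdf.exe` and `invoice_2016.pdf` look identical in Explorer; only the icon differs, and icons can be chosen by the attacker. Turning the setting off removes the disguise, and a check like this one can be run over a NAS share’s listing to catch such names before anyone double-clicks them.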

This time, the warning came from Synology, but in theory it could have come from any of the big manufacturers. The bigger a company and brand gets, the more likely it is that their systems will be actively searched for vulnerabilities. Luckily, Synology and other NAS makers have even more features that will help you if you do get hit by this kind of malware.

A multi-version backup of all your files is naturally the best defense. If everything is backed up, then the evil ones can take their ransom demand and stick it where the sun doesn’t shine. Backing up all your vital files from your system onto your NAS is the first step, and from there you should have at least one more backup stage – a cloud solution, another NAS, or external drives, for example. Synology’s new Cloud Station Backup app can do all this for you through a single app, so it is as easy as it’s ever been. Hyper Backup is another awesome tool that lets you enjoy a full range of multi-version backup destinations, from local shared folders, expansion units, and external hard drives to network shared folders, Rsync servers, and public cloud services. It can also isolate data for further protection from internet threats.

If your system supports Snapshot Replication through the Btrfs file system, then you have another level of protection right there. Snapshot Replication allows you to replicate data from a primary site to an offsite location as often as every 5 minutes (15 minutes for LUNs), ensuring all your critical data in shared folders or virtual machines in iSCSI LUNs can be recovered quickly in the event of a disaster.
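Why the two paragraphs above insist on multi-version backups rather than a plain copy is worth seeing end to end. The script below is an added example, not code from the original article and not Synology’s Hyper Backup, Cloud Station or Snapshot Replication: a temporary directory stands in for a NAS share, a one-way mirror and a snapshot store both run on their schedule, and a stand-in “ransomware” overwrites the share’s files with random bytes and renames them. It then shows that the mirror has faithfully replaced the only good copy, that the first snapshot still restores the original, and that a retention window shorter than the time it takes to notice the infection silently deletes that good snapshot. All data is constructed inline.

```python
"""Multi-version backup versus a plain mirror under a ransomware hit.

Added example, not part of the original article and not Synology's code.
A temporary directory stands in for a NAS share; the "ransomware" only
overwrites the sample files with random bytes. All data is constructed.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def mirror_sync(source: Path, mirror: Path) -> None:
    """One-way mirror: the target ends up identical to the source, so encrypted
    files replace the good copies and renamed originals disappear."""
    if mirror.exists():
        shutil.rmtree(mirror)
    shutil.copytree(source, mirror)


def snapshot(source: Path, store: Path, label: str) -> Path:
    """Versioned backup: each run lands in its own directory and is never
    overwritten, so earlier states survive later runs."""
    dest = store / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label} already exists")
    shutil.copytree(source, dest)
    return dest


def versions(store: Path) -> list[str]:
    return sorted(p.name for p in store.iterdir() if p.is_dir())


def prune(store: Path, keep: int) -> list[str]:
    """Retention: drop the oldest snapshots until only `keep` remain.
    Returns the labels that were deleted."""
    labels = versions(store)
    doomed = labels[: max(0, len(labels) - keep)]
    for label in doomed:
        shutil.rmtree(store / label)
    return doomed


def restore(store: Path, label: str, relpath: str) -> bytes:
    return (store / label / relpath).read_bytes()


def simulate_ransomware(source: Path) -> None:
    """Stand-in for an infection: every file is replaced by random bytes and
    renamed with a .locked suffix (no real cipher is involved)."""
    for path in list(source.rglob("*")):
        if path.is_file():
            path.write_bytes(os.urandom(len(path.read_bytes()) or 16))
            path.rename(path.with_name(path.name + ".locked"))


def run_scenario(keep: int = 2) -> dict:
    """Three scheduled backup runs, with the infection landing after the first."""
    with tempfile.TemporaryDirectory() as tmp:
        share, mirror, store = (Path(tmp) / n for n in ("share", "mirror", "versions"))
        store.mkdir()
        (share / "docs").mkdir(parents=True)
        (share / "photos").mkdir()
        thesis = share / "docs" / "thesis.txt"
        thesis.write_bytes(b"chapter 1: constructed sample content\n")
        (share / "photos" / "cat.jpg").write_bytes(b"\xff\xd8\xff fake jpeg bytes")
        good_hash = sha256_of(thesis.read_bytes())

        snapshot(share, store, "0001")        # run 1: clean share
        mirror_sync(share, mirror)

        simulate_ransomware(share)            # the share is hit
        snapshot(share, store, "0002")        # run 2: backs up locked files
        mirror_sync(share, mirror)            # mirror now holds only locked files
        snapshot(share, store, "0003")        # run 3: still nobody has noticed

        mirror_intact = (mirror / "docs" / "thesis.txt").exists()
        restored_ok = sha256_of(restore(store, "0001", "docs/thesis.txt")) == good_hash
        deleted = prune(store, keep)          # retention applied before detection
        return {
            "mirror_intact": mirror_intact,
            "restored_ok": restored_ok,
            "pruned": deleted,
            "good_version_survives": "0001" in versions(store),
        }


if __name__ == "__main__":
    print(run_scenario(keep=2))
    print(run_scenario(keep=3))
```

With `keep=2` the clean snapshot `0001` is pruned while the share is still unnoticed-infected, which is the practical lesson behind “multi-version”: the number of versions (or the snapshot retention period) has to be longer than the time it realistically takes to notice an infection, and the backup target itself must not be writable by the infected client, otherwise the ransomware simply encrypts the versions too.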

Synology also put up a mini-site that summarizes all this information along with the steps to follow if you have been affected. The fact that this site was even made speaks to the severity of these attacks and how far they’re spreading. So be aware, practice safe surfing, and show some evolved behavior.

Library Management Software May Be Open to Ransomware Attacks

When it comes to software, schools are either on top of it or a little behind, mostly because of the budgets they have to deal with. One piece of software that is often ignored by schools, which tend to work on an “if it isn’t broken we don’t need to replace it” policy, is library management software. Anyone using Follett’s old library management software may want to change that approach and update soon, as it has been revealed that the software may be open to ransomware attacks.

The vulnerability was discovered by Cisco’s Talos group, which found that attackers could remotely install backdoors and ransomware code on the JBoss web server component of the library management system, leaving users with either a large bill or no access to their library’s information.

Follett has not sat idly by, having already released a patching system to fix the flaws that expose the system; it even picks up any unofficial files that may have been snuck on to compromise the servers. Working with the Talos group, Follett is seeking to inform customers about the security risk and how to address the issue, potentially removing the threat and the damage it could do before someone manages to make money off your local schools’ libraries.

Get Your System Back From Petya Without Paying a Penny!

When it comes to security threats and risks, the community as a whole is at its best when it has a common goal. An example of this was two weeks ago, when a new ransomware was found going by the name Petya. Petya didn’t act like normal ransomware but instead went after your master boot record, often locking people out of their entire system until they received their password after paying a nice little fee. That was until some clever people got together to create tools to get your system back from the ransomware without paying a single penny!

The original web tool came from the Twitter account @leostone and lets you retrieve your files by providing it with a selection of data from the infected hard drive. Getting that data may seem difficult, but a separate researcher created a tool titled Petya Sector Extractor that can find and retrieve the required data in seconds.

By removing the hard drive and plugging it into another computer, these tools can work together to retrieve the password required to unlock your master boot record from the clutches of Petya. The sector extractor tool is hosted by Bleeping Computer, a computer self-help forum, which reports that not only does the technique work, but it has also provided a step-by-step tutorial for anyone who isn’t 100% sure how to get all their family photos back at zero cost.

Bitdefender Releases Free Tool to Fend Off Ransomware

Ransomware is a growing vector of attack in recent times, and very few are truly safe from it and the potential loss of their personal data. Now antivirus firm Bitdefender has published a free tool that is capable of preventing computers from being infected by some of the most common strains of ransomware, including Locky, TeslaCrypt and CTB-Locker.

The Crypto-Ransomware Vaccine works much like a biological vaccine against these types of ransomware, similar to a previous Bitdefender tool that was designed to stop CryptoWall infections. That tool may have been rendered useless by changes to CryptoWall, but the principle behind it remains effective for other types of ransomware. It works by tricking the ransomware into believing that the system it is targeting has already been infected by the same strain; in order to avoid nested encryption on a single system, many ransomware authors engineer their software to ignore already-infected machines.

Of course, it is always better to avoid ransomware in the first place than to rely on this tool, and as such it is recommended that users also ensure that their operating system, browsers and other software such as Flash Player, which is notorious for its vulnerabilities, are kept up to date. The tool may be very effective at defending against a specific set of ransomware, but it is a complementary measure for users not running a full security suite, or for those wishing to ensure defense from malware as part of one.

KeRanger Mac Ransomware Flaw May Allow Recovery of Files

A few days ago, KeRanger, the first Mac ransomware found in the wild, was discovered. Now, according to researchers from antivirus firm Bitdefender, KeRanger turns out to be based on a previous piece of ransomware known as Linux.Encoder, which emerged late last year targeting Linux-based web servers.

The advantage of this is that Linux.Encoder had flaws in its cryptographic implementation for at least its first three versions, which allowed Bitdefender’s researchers to develop tools that could decrypt the files affected by the malware. According to Bogdan Botezatu, senior e-threat analyst at Bitdefender, even the latest version of Linux.Encoder (4) has the same flaws that affected the previous versions.

“The infected Mac OS X torrent client update analyzed by Bitdefender Labs looks virtually identical to version 4 of the Linux.Encoder Trojan that has been infecting thousands of Linux servers since the beginning of 2016,” Bitdefender researchers stated in a blog post published on Tuesday. The result of this is that KeRanger also contains the same broken cryptographic implementation.

Bitdefender has yet to publish a tool able to decrypt KeRanger-affected files; however, development of such a tool is under consideration, should the demand be sufficient.

The purpose behind KeRanger still remains to be seen, considering the great lengths those responsible went to, including stealing a legitimate Apple developer’s certificate and hacking into a popular and trusted open source project’s website, if the ransomware they were distributing had such a crucial known weakness. A newer, more dangerous version of KeRanger could quite likely appear in the future; however, those affected by its current iteration should be thankful that this incident was not more serious.

First Mac-Targeting Ransomware Appears in the Wild

Despite the rising number of ransomware attacks recently, Apple’s Mac OS X has so far remained unaffected. Unfortunately for Mac users, security firm Palo Alto Networks announced on Sunday that it had discovered the world’s first ransomware aimed at OS X computers. Now named “KeRanger”, the malware was discovered in a rogue version of the popular Transmission BitTorrent client.

KeRanger was first noticed on Saturday on the Transmission forums, where some users posted unusual reports that copies of Transmission downloaded from the main site were infected with malware. This means that the Transmission site itself was compromised, as the KeRanger-infected versions of the client were served over an HTTP connection instead of the usual HTTPS used for the remainder of the website. Transmission later published a message stating: “Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file.”

When a computer is infected with the KeRanger ransomware, through installing a compromised version of Transmission, the installer runs an embedded executable file on the system. It then waits 3 days before connecting to its command and control (C2) servers over the Tor anonymizer network. From there, it begins encrypting certain types of files and documents on the system before issuing a demand of one bitcoin (around $400) to a specific address in order to restore access to the files. The current version of KeRanger was also reported to still be under development, with future iterations of the malware potentially able to encrypt Time Machine backups too, in order to prevent restoration.

It was only a matter of time before ransomware came to the Mac; however, it is worrying how vulnerable usually trustworthy open source projects are to unwittingly carrying malware. While the infected version of Transmission has since been pulled from the project’s site, if you believe you have been infected, Palo Alto Networks’ report includes steps on how to identify and remove KeRanger.

Hospital Pays Bitcoin Ransom to Fix Ransomware

Viruses and malware are issues for the best of us; from forgetting to scan your computer once to being baited by that interesting link in an email, there are many ways for your system to get infected. Ransomware is one of the nastier pieces of malware, denying you access to your system until you pay the creator of the virus. While the FBI recommends you pay up, does this still apply when you are a hospital?

Earlier in the week, we reported that hackers had hit a Hollywood hospital with ransomware. Hollywood Presbyterian Memorial Medical Center was hit with an initial demand for 9000 bitcoins, coming close to 3.5 million dollars, for the key required to unlock its systems. While it may not have been the 9000 bitcoins, the hospital has now announced that it has paid 40 bitcoins to unlock the system.

President and CEO Allen Stefanek claims that the initial price tag of $3.6 million was false and that paying this fee was the “quickest and most efficient way to restore our systems and administrative functions”.

Even with backups and anti-virus software, there will always be some viruses that are able to get into systems; with ransomware benefiting its creators, we don’t expect this to be the last time we see it hitting public services.

Hackers Hit Hollywood Hospital With Ransomware

It seems that no system is beyond the reach of hackers out to line their own pockets. For almost an entire week, the Hollywood Presbyterian Memorial Medical Center has been without its computer systems, due to the system being taken down by a hack that is described as ransomware.

Without their computer systems, the staff at the hospital have been forced to switch back to pen and paper to take patient records and logs. More worrying is the inability to access patients’ medical records, which could heavily affect the care they receive. Those patients who require specific care, such as lab tests, scans or pharmacy tasks, have been temporarily transferred to other nearby facilities, as all of these services are currently impaired by the hack.

The hack is currently under investigation by both the LAPD and FBI, however, there is yet to be any conclusive evidence about the culprit. The exact extent of the hack is currently unclear, but it is known that the attackers are demanding the sum of 9000 bitcoin, or around $3.5 million for the encryption key to regain access to the hospital systems. President and CEO at the hospital Allen Stefanek has come out stating that the attack was believed to be random and not maliciously directed at the facility.

It is shocking that a facility as important to the lives of many as a hospital can be affected by such a hack, with no backups available or a swifter way of tackling the issue. This could come as a wake-up call to other hospitals to toughen up their cyber security, or they could suffer the same fate and put the lives of their patients at risk.

CryptoWall 4 Is Being Distributed Via a New Campaign

There has been a huge explosion of online ransomware within the last year or two, which has seen a huge number of consumers, unfortunately, falling victim to this ever-present and growing technique. Now there is a new campaign being served to consumers via the PopAds network, delivering the Magnitude exploit kit via pop-under ads.

For those unfamiliar with pop-under ads, this is a type of online advertisement that appears behind the main browser window and remains open until the user manually closes it. Consumers who had failed to update their version of Flash Player (which we are constantly being told to do) were immediately infected with the CryptoWall ransomware.

The infection campaign began around the 1st of January 2016, with ads being placed within avenues that included both NSFW and video streaming sites. Below is an image to convey the geographic location of infections caused by this new technique; as you can see, Spain is in the lead with 14.3%, with the Netherlands, France and Poland next, level at 11.4% each. The spread of countries according to this data is mostly within Europe, although an exception to this is South Korea.


Once a user has been infected, they will typically see a CryptoWall ransom page window stating the following, as conveyed by the image below; it is a bit of an insult to say “Congratulations, you have become a part of large community Cryptowall”. Users will need to pay a ransom, as is commonly associated with these types of ransomware infections.

These cases highlight the need for a strong and reliable backup system, which will help mitigate the damage in the event that your hard drive is encrypted; it is also essential to keep your browser, plugins and your OS’s system updates current. If you wish to add further defenses, it may be worthwhile to either disable or uninstall Flash Player, as well as running up-to-date anti-virus and malware scanners.

These types of infections will become more and more advanced and also very common in 2016 and vigilance is required by users in order to help to avoid such attacks.

Image courtesy of ssri


Ransomware Just Got Worse By The Use of JavaScript

Ransomware is probably one of the peskiest and most annoying things that your computer can catch. Not only do you lose access to your files, you have to pay a criminal to release them again. Even if you should choose to pay, there is no guarantee whatsoever that the criminal will release the files again or won’t hide more malware to hit you again once you are “free”. If that wasn’t bad enough, a new version of Ransom32 has arrived that exploits JavaScript in order to infect you and, worst of all, barely any anti-virus and anti-malware programs will catch it at this time.

While all this sounds bad, there are ways to protect yourself and if you use common sense while surfing the web, then you should be safe anyway. Stay away from dubious websites and don’t touch any archive or executable downloaded from anything but official manufacturer websites. But let us get back to the new malware in question, the ransomware called Ransom32.

Ransom32 is built on the NW.js framework, which was developed to build desktop applications on a JavaScript base. A really cool framework, by the way. That, unfortunately, means that where we usually only see Windows users at risk, those with Linux and MacOS are equally vulnerable to Ransom32. Thanks to the use of this framework, the ransomware is able to get past the sandbox environment that JavaScript normally runs in these days.

The security researcher Fabian Wosar from EmsiSoft discovered the new Ransom32 as a self-extracting RAR archive. If that archive is unpacked, it will hide in your temp folder and disguise itself as the Chrome web browser, visible as Chrome.exe. This is where advanced users would already have noticed it and not used any automatic unpack function. However, should the new chrome.exe be executed, it will start to encrypt all your files with AES-128 in CTR mode and also place itself firmly in the system’s autostart features.

The Ransom32 creators have also made it very easy for people to use their tool: evil-minded people can access it via a Tor address, and once on the site they can customize the tool’s features before downloading it. The creators reportedly also use the same network for their control servers and connections. To top it all off, the creators take 25 percent of the accumulated ransoms for themselves, and everything stays anonymous thanks to the use of Bitcoin.

We can only hope that the virus scanners and anti-malware tools get an update soon so the less tech-minded people won’t get infected by this nasty new piece of software. You can also read a lot more details about this new piece of software on the EmsiSoft blog.

New Ransomware Does The Unforgivable – Forgets How To Unlock Your Files

Ransomware is a whole new level of problems for computer users. Previously, malicious software, or malware for short, would spread causing chaos and destruction wherever it could, but ransomware is a little more targeted. Ransomware is designed to stop you from accessing your files, and in order to regain access you are normally requested to pay a sum of money to an account. With the kind of details you store on your computers these days, can you afford not to pay? Even the FBI says pay the ransom, but what happens when they don’t decrypt your files, granting you the access you’ve just paid a lot of money for? It’s a risk many take, and many more will have to suffer thanks to the ransomware Power Worm, which forgets how to decrypt your files.

Encryption is the process in which, using a key (similar to a password), you scramble a file, making it extremely difficult to read or access without knowing the key that was used to encrypt it in the first place. Power Worm does the usual: it gets into the system and then encrypts your files, but thanks to a NULL result in its code it forgets to store the key, meaning that even if you pay, it’s impossible to retrieve your files.

Please protect your files with regular backups on an external memory device and be careful when downloading or running any software.

Image courtesy of NSK Inc.

Linux Systems Targeted by New Ransomware

Ransomware is a particularly nasty piece of malware that has become even more popular in recent years. Initially, malware was designed just to disrupt or damage a person’s computer or files. Then came ransomware, designed to benefit its creator: after disturbing or denying access to your files, the ransomware offers to decrypt the nastily encrypted files, using the only available key, by a set date if you pay. It would seem that Linux users are the latest target, with Linux.Encoder.1 targeting the operating system.

Targeting a vulnerability in the Magento CMS, popular amongst e-commerce sites, and once run with administrator-level privileges, it will encrypt the user’s home directories and any files that could be associated with websites and website hosting on the system. This is particularly lethal to stores which make their living through online selling, potentially knocking the site offline and costing them hundreds in one fell swoop.

After encrypting a directory, the malware leaves a readme file stating the terms for payment and offering a link to a Tor-protected gateway for paying the ransom of one bitcoin (a digital currency that comes in at around £250).

Once it has received payment, the malware will then decrypt the files, deleting both the readme file and the encrypted files in the process.

We would like to remind people to be careful when running any software or opening files sent or downloaded from the internet. Ransomware use is on the rise, and we hope that our readers (and everyone else) never have to deal with being one of its victims.

“Pay The Ransom” Says FBI Ransomware Advice

Ransomware is as significant a threat to huge corporations as it is to you and me; the notion of every single byte of your personal files being locked up is a frightening thought to those who have treasured memories in the form of images and documents. How effective is ransomware? Very, it turns out, considering the FBI (Federal Bureau of Investigation) is warning companies that they may be better off paying the ransom to the attackers in order to see their files again.

This centres on the success rate of Cryptolocker, Cryptowall and other forms of ransomware that utilize ultra-secure encryption algorithms in order to lock up data. Joseph Bonavolonta, Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office, was speaking at the Cyber Security Summit 2015, where he stated that “The ransomware is that good”.

This form of attack has been around for more than a decade, which is slightly surprising considering one associates this technique with a newish phenomenon, although the last three years have seen attacks rise sharply via both malicious email attachments and drive-by downloads, including malvertising.

According to the FBI, Cryptowall is the most common form of ransomware, with the Bureau having received 992 complaints totalling $18 million in losses. The FBI still wants firms to contact their local law enforcement agency, but if a company’s data is locked, then in all probability the FBI will not be able to retrieve it without a ransom payment.

An interesting element is the feeling that if attackers keep ransoms low for consumers, a bigger percentage will just pay; after all, many people have disposable income and may be inclined to pay.

I am not sure this advice from Joseph Bonavolonta is necessarily helpful, granted, I can understand his sentiments that the FBI may not be able to retrieve any data without a ransom payment, but, if you advise people to pay then this will keep happening over and over again. Criminals partake in these practices in order to make money; if they are making money then I am sure they would feel it’s worthwhile.

Also, there is no guarantee that you would actually gain access to your data once a ransom has been paid; after all, there is no incentive to do so, despite Mr Bonavolonta’s reassurances that “You do get your access back”.

The best prevention is to be aware of any email attachments or links contained within spam emails and not to click on them; if you’re expecting an attachment from a known source, always verify the email just in case said source has been hacked themselves. Any attachments should be scanned to be on the safe side if you trust the email; if you don’t, don’t download or click anything. I know that Nigerian billionaire sounds tempting, but it’s not worth it. Also, always keep your system backed up, for a variety of reasons.


Android Ransomware Gets Cruel – Requires Factory Reset

We’ve all been told about viruses, be it at school or by our children; we all know that they are nasty little pieces of code that can do some nasty things to our PCs. Fewer people have heard about ransomware, though, a form of virus (or rather malware) that seeks to give its creator a little more benefit than just chaos and anarchy. Ransomware is built so that those infected are asked to pay for the device to return to normal, or for files to be decrypted, so that users can regain access to their systems. In this day and age this can be disastrous, as we often live with our devices holding reminders and memories that cannot be retrieved if lost, even more so when they sit on your smartphone.

Dubbed Android/Lockerpin.A, it is the latest in a long line of malware that targets the devices you hold and cherish in your everyday use. The app works by overlaying a screen, similar to the ones you get when you update your phone, over the permissions screen, meaning that when you click yes, what you are actually doing is giving the app device administrator rights. It then changes your lock screen PIN and asks for a payment of $500 (approximately £325). If you choose not to pay, the only way to remove the software, thanks to its administrator rights, is to do a factory reset.

While only a small-time danger for now, due to its distribution through third-party app stores for Android, the problem with software like this is that it often gathers speed and momentum, sometimes even managing to infect other devices through legitimate apps.

Thank you Ars Technica for the information and the image. 

Ransomware Locks Your Android Phone Pin And Asks For Cash

Ransomware is akin to the booming stock market of yesteryear for hackers; the notion of locking an individual’s infected device is a powerful reality for today’s connected gadgets. As such, it can be no surprise that a new technique has surfaced, implemented as a free app on third-party app stores, which changes the device’s locking PIN and then asks for $500 as a kind of “screw you” Post-it.

Technique of this ransomware.

Let’s take a look at the details; it may take a while, so make yourself comfortable. Security firm ESET has detected this threat as Android/Lockerpin.A; users have no effective way of regaining access to their device without root privileges or some other form of security management solution installed, apart from a factory reset, which would delete all data as a consequence.

After successful installation, this type of malware attempts to obtain device admin privileges by tricking users: it overlays the activation window with the Trojan’s own malicious window, which pretends to be an “Update patch installation”. As the user clicks through this innocuous-looking installation, they unknowingly activate Device Administrator privileges in the hidden underlying window.

This is lethal, considering that the moment you click “continue” within the installation activation window your device has fallen victim: the Trojan app has obtained administrator rights and has silently locked your device by setting a new PIN for the lock screen. Not long after, the user is prompted to pay a $500 ransom for allegedly viewing and harbouring forbidden pornographic material; below is a screenshot of this warning notice.

The device is then locked after the warning screen is displayed within the standard Android lock screen. The new PIN is generated randomly and not sent to the attacker. The only practical way to unlock is to reset to factory defaults.

Lockerpin’s self-defence mechanism, part 2.

Not only does this type of ransomware acquire device admin privileges, it also stops users from deactivating Device Admin for the malware: they will fail because the Trojan has registered a call-back function to reactivate the privileges when removal is attempted.

There’s more: this locker also attempts to kill running AV processes when the user tries to deactivate its Device Admin rights. The Trojan tries to protect itself from three mobile anti-virus applications, ESET, Avast and Dr.Web, as well as from com.android.settings, which prevents standard uninstallation through the application manager.

ESET states that its own self-protection mechanisms will prevent the malware from removing this vendor’s AV software.

Distribution of this malware

This ransomware pretends to be an app for viewing adult/porn videos. In all cases, the application calls itself “Porn Droid”, giggity. 75% of the devices infected so far have been in the US; this is because the malware coders are attempting to attack US citizens with the aim of collecting bigger payouts.

Unlocking the device

The only way to unlock your device without a factory reset is to root it; the user can then connect to the device over ADB and remove the file where the PIN is stored. For this to work, USB debugging must already be enabled (Settings -> Developer options -> USB Debugging); otherwise the following commands cannot be run:

> adb shell
> su
> rm /data/system/password.key

The only crumb of comfort is that this malicious app cannot be downloaded from the official Google Play Store. ESET recommends keeping your mobile AV software up to date if you have one. If not, be careful what you download: stick to official routes and be cautious of unknown and suspicious apps that purport to be too good to be true. Back up any sensitive data and always update legitimate software; tech is becoming more advanced and so are the attackers.

Thank you ESET for providing us with this information.

Image courtesy of xperiaseries

Malicious Porn App Took Secret Photos of Users

A fraudulent Android porn app that took secret photos of users and attempted to blackmail them has been discovered by security firm Zscaler. Adult Player purported to offer users pornographic videos, but quietly used an Android device’s front-facing camera to snap the user, lock their device, and try to extort them for $500 (£300) to gain control back. The image of the user taken via the front camera is displayed on the ransom page.

The app is designed to remain on screen once the ransomware has been engaged. It cannot be uninstalled and retains control over the device following a conventional reboot. Adult Player was not hosted by Google Play, and was instead available for download directly from a porn website.

If your Android phone or tablet is affected by such a malicious app, Zscaler advises the following steps:

  1. Boot device into safe mode (Please note that entering “safe mode” varies depending on your device). Safe mode boots the device with default settings without running third-party apps.
  2. Uninstalling the ransomware from the device requires you to first remove its administrator privilege. To do so, go to Settings –> Security –> Device Administrator, select the ransomware app, then deactivate it.
  3. Once this is done, you can go to Settings –> Apps –> Uninstall ransomware app.

Since the app is a third-party install and has not been approved by the Google Play Store, neither Google nor Android is culpable for victims of Adult Player.

Thank you BBC for providing us with this information.

Extensive Malvertising Campaign Targets Yahoo!

This malvertising campaign is no longer active, having been reported to Yahoo by anti-malware vendor Malwarebytes, but it’s still newsworthy to note the stats and techniques that targeted the Yahoo Ad Network, for now and for future reference.

According to the following statistics, Yahoo and its combined websites have an estimated 6.9 billion visits per month, which makes this one of the biggest targeted attacks seen recently.

  • www.yahoo.com | 6.9B monthly visits
  • news.yahoo.com | 308.50M monthly visits
  • finance.yahoo.com | 135M monthly visits
  • sports.yahoo.com | 112.50M monthly visits
  • celebrity.yahoo.com | 66.60M monthly visits
  • games.yahoo.com | 43.40M monthly visits

The attack leverages Microsoft Azure websites, with the following domains being used:

  • trv0-67sc.azurewebsites.net/?=trv0-s4-67sc
  • ch2-34-ia.azurewebsites.net/?ekrug=sewr487giviv93=12dvr4g4
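As an added example (not code from Malwarebytes or the original article), the following Python matches proxy-log requests against the two redirector hostnames listed above and reconstructs, per client, the referer chain from the Yahoo page to the Azure-hosted redirector. The log lines, client addresses and the benign-app.azurewebsites.net host are constructed for the example; only the two campaign hostnames come from the page.

```python
"""Match proxy-log requests against the campaign's redirector hostnames.
Added example; the log lines below are constructed, not real traffic."""
from urllib.parse import urlsplit

# Hostnames taken from the two campaign URLs listed in the article.
CAMPAIGN_HOSTS = {
    "trv0-67sc.azurewebsites.net",
    "ch2-34-ia.azurewebsites.net",
}

# Constructed sample log: "client request_url referer_url" ('-' = no referer).
# The last line uses a made-up Azure host to show that only the listed
# indicators match, not every *.azurewebsites.net name.
SAMPLE_LOG = """\
10.1.1.20 https://www.yahoo.com/ -
10.1.1.20 http://trv0-67sc.azurewebsites.net/?=trv0-s4-67sc https://www.yahoo.com/
10.1.1.20 http://ch2-34-ia.azurewebsites.net/?ekrug=sewr487giviv93=12dvr4g4 http://trv0-67sc.azurewebsites.net/?=trv0-s4-67sc
10.1.1.31 https://finance.yahoo.com/ -
10.1.1.31 https://benign-app.azurewebsites.net/ https://finance.yahoo.com/
"""


def host_of(url):
    """Lower-cased hostname of a URL, or None for '-' or unparsable input."""
    if url == "-":
        return None
    host = urlsplit(url).hostname
    return host.lower() if host else None


def find_hits(lines):
    """Return (client, host, referer_host) for every request to a campaign host."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        client, url, referer = parts
        host = host_of(url)
        if host in CAMPAIGN_HOSTS:
            hits.append((client, host, host_of(referer)))
    return hits


def redirect_chains(hits):
    """Group hits per client, in the order seen, as (referer_host, campaign_host)."""
    chains = {}
    for client, host, ref in hits:
        chains.setdefault(client, []).append((ref, host))
    return chains


if __name__ == "__main__":
    for client, chain in redirect_chains(find_hits(SAMPLE_LOG.splitlines())).items():
        print(client, " -> ".join(f"{ref} => {host}" for ref, host in chain))
```

The referer column is what turns a bare indicator match into evidence of a drive-by chain: a hit whose referer is a Yahoo page, followed by a second hit whose referer is the first redirector, is the sequence the article describes, without the user having clicked anything.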

This chain of events leads to the infamous Angler Exploit Kit, which attempts to exploit known software vulnerabilities on a visitor’s computer. Think of it like this: you’re browsing the web for cat pictures and arrive at a site that contains a malicious link or ad; without you clicking on the advert, the kit probes for, say, a Flash or other program bug and, if successful, compromises the computer. Angler is also known for spreading crypto-ransomware, which is extremely dangerous. To allow myself a plug, and this is my first one, here’s a link to an article I have written concerning the Windows 10 crypto malware.

Malware within adverts is hugely popular because it does not need the user to click on the ad for the malware to spread. The nature of the Internet pushes these attacks across the globe at a phenomenal rate. Always update your plug-ins, software, anti-virus and Windows patches on a regular basis; we all know Flash is about as breakable as a glass hammer. Unless Adobe adapts, it will be remembered in nostalgia circles rather than as a current product.

It may be wise to either uninstall Adobe Flash or change its setting to “Ask to Activate”.

Thank You Malwarebytes for providing us with this information.

Windows 10 Ransomware Discovered

Well, this didn’t take long! A new form of ransomware has been discovered which, if downloaded, will automatically encrypt your files before demanding a fee to unlock them. The distributors of this malicious code impersonate Microsoft by “offering” users a free upgrade via email. The scam takes full advantage of the Windows 10 download process, which asks consumers to wait in a metaphorical queue for the upgrade.

So how does it work?

The distribution works by sending consumers an email offering them a free Windows 10 upgrade. A sample of this type of email is below. Firstly, the “from” address on the email is spoofed (update<at>microsoft.com): it is not actually from Microsoft but from an IP address in Thailand. The attackers also use a colour scheme similar to Microsoft’s, with the aim of luring consumers into accepting the email as genuine.

The next red flag is the letter’s text, which does not render properly. This could be due to the targeted audience, a demographic using a non-standard character set, or the character set the adversaries used to craft the email. Another suspicious but sneaky technique is the mail virus scanner notice indicating that the email is clean; it links to an open source mail scanner, but it is there purely to trick users.

What is the Payload of the virus?

If this email is taken as genuine correspondence from Microsoft, you will be asked to download a zip file containing an executable. Once run, the screenshot below pops up. The payload is CTB-Locker, a ransomware variant currently being delivered to users at a high rate; whether via spam messages or exploit kits, adversaries are dropping a huge number of different ransomware variants. The functionality is similar to other ransomware of this kind, with a few extra features, including the use of elliptic curve cryptography, which provides the same public/private key encryption through a different type of algorithm with lower overheads.

Another feature of this locker is the use of hard-coded IP addresses on non-standard ports to establish communication. There is also a significant amount of data exchanged between systems, which is largely uncharacteristic of ransomware. An analysis of network traffic revealed ~100 network streams to various IP addresses. The most common ports used are 9001, 443, 1443, and 666.
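The two traits just described, many streams to hard-coded addresses on odd ports and an unusually large volume of data, are the kind of thing a defender can look for in flow logs. As an added example (not code from Cisco or the original article), the Python below summarises constructed flow records per source host and flags a host that uses the article’s non-standard ports together with either many distinct peers or a large byte count. The port list is the one the article reports; the thresholds, host addresses and byte counts are assumptions made for the example.

```python
"""Heuristic for the CTB-Locker network pattern described above, run over
constructed flow records. Added example; thresholds are assumptions."""
from collections import defaultdict

# Destination ports the article reports as most common in the analysed traffic.
CTB_LOCKER_PORTS = {9001, 443, 1443, 666}
# 443 is ordinary for any workstation, so only the other three count as "odd".
ODD_PORTS = CTB_LOCKER_PORTS - {443}
# Assumed thresholds for "many peers" and "a lot of data"; tune to your network.
MIN_DISTINCT_PEERS = 10
MIN_BYTES = 1_000_000

# Constructed sample flows (not real traffic): "src dst dport bytes".
# 10.0.0.7 is an ordinary browsing host; 10.0.0.5 mimics the described pattern.
SAMPLE_FLOWS = """
# src        dst            dport  bytes
10.0.0.7     93.184.216.34  443    48213
10.0.0.7     93.184.216.34  443    10200
10.0.0.7     198.51.100.9   80     3100
10.0.0.5     203.0.113.10   9001   220000
10.0.0.5     203.0.113.11   443    180000
10.0.0.5     203.0.113.12   1443   150000
10.0.0.5     203.0.113.13   666    90000
10.0.0.5     203.0.113.14   9001   60000
10.0.0.5     203.0.113.15   9001   75000
10.0.0.5     203.0.113.16   1443   40000
10.0.0.5     203.0.113.17   666    120000
10.0.0.5     203.0.113.18   9001   50000
10.0.0.5     203.0.113.19   443    30000
10.0.0.5     203.0.113.20   9001   85000
"""


def parse_flows(lines):
    """Parse one flow per line as (src, dst, dport, bytes); skip blanks and '#' comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, nbytes = line.split()
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows


def summarise(flows):
    """Per source host: distinct peers, odd destination ports seen, bytes sent."""
    hosts = defaultdict(lambda: {"peers": set(), "odd_ports": set(), "bytes": 0})
    for src, dst, dport, nbytes in flows:
        h = hosts[src]
        h["peers"].add(dst)
        h["bytes"] += nbytes
        if dport in ODD_PORTS:
            h["odd_ports"].add(dport)
    return hosts


def flag_hosts(flows):
    """Return {host: [reasons]} for hosts that use the odd ports AND either talk
    to many distinct peers or push a lot of data, the combination the article
    calls uncharacteristic of ransomware."""
    flagged = {}
    for host, h in summarise(flows).items():
        if not h["odd_ports"]:
            continue
        reasons = [f"non-standard ports {sorted(h['odd_ports'])}"]
        if len(h["peers"]) >= MIN_DISTINCT_PEERS:
            reasons.append(f"{len(h['peers'])} distinct peers")
        if h["bytes"] >= MIN_BYTES:
            reasons.append(f"{h['bytes']} bytes out")
        if len(reasons) > 1:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in flag_hosts(parse_flows(SAMPLE_FLOWS.splitlines())).items():
        print(host, "->", "; ".join(reasons))
```

Port 443 is deliberately excluded from the "odd" set: on its own it is normal HTTPS, and counting it would flag every workstation. The heuristic only fires when an odd port is combined with a second unusual trait, which keeps a single stray connection from raising an alert.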

So how do I protect myself from this threat?

Be very careful with emails of this nature: look at the details and, if unsure, research them; staying current and educated on the nature of these threats is a powerful weapon. Always question a “Free Upgrade” that arrives in your inbox, and never open or install an executable or any other file without checking the authenticity of the email and the file. If in doubt, don’t open it.

These scams are becoming more sophisticated for the average user, with the aim of locking your files up. Always perform regular backups and use an up-to-date antivirus scanner as a matter of course.

Thank You to Cisco Blogs for providing us with this information

Image courtesy of digitallife

US Police Forced to Pay Bitcoin Ransom

It’s strange to think that a police force could become a victim of hackers. Strict network security implementation would make you think they’re safe from any hacking scheme. Clearly not.

Maine police departments recently encountered hackers within their network. Police officials were baffled by the hackers, who managed to break into the system, and as a result had to resort to paying the ransom in Bitcoin.

The Associated Press has stated that the network at the County Sheriff’s office was infiltrated by a type of virus called ransomware, meaning the hackers blocked the police from accessing their data until the ransom was paid.

“It is normal practice for the county’s offices to be connected via an intranet facility. This procedure had been implemented to enhance connection between the four towns and their police departments; however, the hacking episode proved more of a cost to the police department. The hackers were able to enter the system and corrupt the data of all four towns,” said technewstoday.

It turns out that the hackers only requested £200 worth of Bitcoin, which seems a rather small fee, but the Maine police force will now have learned that network security is not something to be taken lightly. Once the hackers received the payment, they sent the officials the key to access the data again.

When asked about the hack by Technewstoday, Damariscotta Police Chief Ron Young said, “we needed our programs to get back online.”

Usually, you would just revert to the latest backup of the servers involved; however, as luck would have it, the force’s backup server hadn’t worked properly, so the cops had no choice but to pay out.

Thanks to TheRegister and technewstoday for this information

Image courtesy of anonhq

Kaspersky Develops Ransomware Decryption Tool

Ransomware is becoming more prevalent, taking users’ data hostage and demanding money for its release. Now, with crime fighters having got their hands on a server, Kaspersky has been able to build a decryption tool using the decryption keys found on the machine.

The Netherlands’ National High Tech Crime Unit (NHTCU) recently got hold of a CoinVault command-and-control server. CoinVault is a type of ransomware that has been infecting computers around the world since last November. On that server they found a database of decryption keys, which they shared with Kaspersky. Kaspersky used those keys to build its Noransomware decryption tool. The tool is a work in progress that should get more effective as law enforcement finds more keys. It may help you take back your data from a CoinVault infection if you are lucky, since the app isn’t fully effective yet.

Be proactive and take steps to prevent viruses and ransomware in the first place: use security tools and do not open email attachments from senders you do not know. If you torrent files, be sure to use a virus scanner and check items regularly, and read other users’ notes on the files to make sure they are clean.

Thank you Engadget for providing us with this information

Images courtesy of The University of Arizona

Shape-Shifting ‘Beebone’ Malware Taken Down by Europol and the FBI

It looks like a shape-shifting malware that was able to change its identity up to 19 times a day to avoid detection has been put to rest by Europol’s European Cybercrime Centre and the FBI.

The malware, dubbed ‘Beebone’, is said to have been controlling 100,000 computers at its peak in September 2014 and was used to download other programs onto infected computers. The malware is estimated to have made 12,000 victims, who are now asked to clean up their PCs using the latest anti-malware and anti-virus programs.

Beebone is said to download password stealers, ransomware, rootkits, and programs designed to take down legitimate websites onto affected computers.

“Beebone is highly sophisticated. It regularly changes its unique identifier, downloading a new version of itself, and can detect when it is being isolated, studied, or attacked,” Raj Samani, Intel Security Chief Technology Officer, stated. “It can successfully block attempts to kill it.”

Almost 100 .net, .com, and .org domains have been ‘sinkholed’ by the Joint Cybercrime Action Taskforce in order to redirect the attackers’ traffic and intercept the malware’s requests for further instructions.

The FBI also assisted in redirecting the traffic for most of the sites, since most of the sites used were operated from the United States.

However, this is not a permanent solution to the malware in question. This is why Paul Gillen, head of operations at the European Cybercrime Centre, urges both agencies to find those responsible and bring them to justice.

“We can’t sinkhole these domains forever. We need those infected to clean up their computers as soon as possible,” Paul Gillen told the BBC.

Even with the attackers in custody, the malware is still out there on unsuspecting victims’ PCs. This is where Raj Samani comes in, stating that those who have the malware “will be notified by their internet service provider”.

ISPs in each affected country will be handed a list of suspected victims to contact by the task force. Free removal tools have also been issued by security software firms, including F-Secure, Trend Micro, Symantec and Intel Security, to deal with the malware.

Thank you BBC for providing us with this information

Ransomware Threat Awareness Rising Among IT Security Experts

Almost half of IT security staff know at least one company that has been hit by a ransomware attack, designed to lock victims out of critical files until a monetary ransom is paid.

It’s a frightening threat, and apprehension about ransomware is growing, with more security experts aware of the potential problem. However, it remains difficult to educate employees on methods to detect fraudulent emails and train them to delete those types of emails.

Here is what Stu Sjouwerman, KnowBe4 CEO, said in a press statement:

“We thought it would be interesting to use the same questions to see what impact ransomware has had in six months time.  We found the threat of ransomware is very real and IT professionals are increasingly realizing traditional solutions like endpoint security are failing.  IT pros agree that end-user Security Awareness Training is one of the most effective security practices to combat these ransomware threats.”

Most ransomware requires victims either to pay the ransom or to restore files from a backup, but with many users, especially at small and midsize businesses lacking reliable IT resources, it can be many months before a proper data backup is done.

In the survey, 57 percent of respondents said that if their backups failed, they’d have no option but to pay the ransom. If that wasn’t bad enough, 50-66 percent of backups fail, while data stored in the cloud is lost.

Thank you to KnowBe4 for providing us with this information

Avast Releases Free Tool to Remove Simplocker Ransomware From Hijacked Phones

Security company Avast has announced the release of avast! Ransomware Removal, a new tool designed to help compromised Google Android users decrypt files on devices hijacked by Simplocker.

If you’re not familiar with it, Simplocker is a nasty piece of ransomware; even though it was coded in a way that allowed security experts to quickly figure it out, it is still infecting Android-powered smartphones and tablets. The malware encrypts files on the phone’s SD card, locks the device, then makes the victim pay a ransom in exchange for control of their phone again.

Here is what Ondrej Vlcek, Avast Software COO, said in a press statement:

“Simplocker blocks access to files stored on mobile devices.  Without our free ransomware-removal tool, infected users have to pay £12.50 to regain access to their personal files.  Even though we are seeing exponential growth in ransomware on mobile devices, most of the threats to encrypt personal files are fakes.  Simplocker is the first ransomware that actually encrypts these files, so we developed a free tool for people to restore them.”

The Avast! Ransomware Removal is now available via Google Play.

A student from the University of Sussex created a Java key that can be used to unlock the ransomware on compromised devices. It’s important to see these types of tools released, because it seems the current version of Simplocker is just a trial run for cyber-criminals to improve their skills.

Thank you to Avast for providing us with this information

Image courtesy of Avast

“Oleg Pliss” Apple iPhone Hack Spreads To the USA, UK and New Zealand

On the back of yesterday’s news that Australian Apple devices were being hijacked through the ‘Find my iPhone’ feature, it turns out that the problem is significantly more widespread than first reported. The ‘Oleg Pliss’ ransomware demands a $100/€100 ransom payment in order to unlock your device. The number of affected users is growing rapidly, with a thread about the issue on the Apple forums currently at 23 pages, 333 replies and 29,570 views. The problem is now confirmed to have affected iPhone users across the anglophone world: the USA, the United Kingdom, New Zealand and, of course, Australia.

The Oleg Pliss ransomware is believed to have been born out of a batch of phishing emails sent to iOS and OS X users. Those phishing emails are believed to have been used to harvest important account details from Apple account holders, which then allowed the cyber criminals to hijack many devices and start demanding ransoms in return for device unlocks. It goes without saying that all users affected by the issue are advised not to pay the ransom: there is no guarantee the cyber criminals would unlock your phone, and even if they did, your phone is still infected, so they could demand another ransom at any time. Apple recommends that all Apple account users affected by the issue change their passwords immediately.

Image courtesy of Engadget

Ransomware The Good, Bad, And The Ugly

There are some sick people out there, people who try to take advantage of poor souls who do not know and understand computers. Today I happened upon a friend’s computer that had this strange image posted up on his screen. Once you start up the computer you are unable to access Task Manager or exit the program. Essentially the computer is locked down tight, and this particular virus can infect your entire network.

What is it? You might ask, or perhaps you know. This warning is not real; it is a fake, produced by a virus called ransomware. Ransomware first showed up in 1989, when it would have you send $189 to a P.O. Box in Panama. Today ransomware has you pay with a non-traceable MoneyPak card.

NBC Washington recently reported that ransomware has done some good, tricking Jay Matthew Riley, 21, of Woodbridge, Virginia, a collector of child abuse images, into turning himself in. Ransomware tells the user that they have been using their computer for illegal activities and that they can pay a nominal fee to make it all go away. Riley hauled his computer down to a local police department, turning himself in. Police then looked over his computer, finding images of underage girls, which warranted a search of his home. Police found several devices with more illegal images. Riley is currently being held without bail.

So if you see this image or one like it pop up on your computer, check out Microsoft’s official website for tips on how to protect yourself and remove this nasty software. But if you are an online law breaker, make sure you grab your computer and take it down to the local police department and save us all the trouble.