Cerber Ransomware

Posted by John Shannon | Viruses & Spyware

A new piece of ransomware has been discovered that speaks to its victims in order to inform them that their files have been encrypted.

Dubbed Cerber, the threat appeared on the threat landscape about a week ago and is said to employ functionality typically found in ransomware. Cerber encrypts each of the victim’s files with AES-256, encrypts the file name as well, and then appends the .CERBER extension. Cerber targets a wide array of file extensions, but avoids files named bootsect.bak, iconcache.db, thumbs.db, or wallet.dat.

The malware also encrypts files whose full pathnames include a specific set of strings. Like the Locky ransomware, Cerber scans all accessible network shares, including unmapped Windows shares, and encrypts any data it finds on them.

At first run, the ransomware checks whether the computer is located in one of the following countries: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan. If it is, the ransomware terminates itself. Otherwise, it installs itself in the AppData folder under the name of a random Windows executable.

The ransomware also configures Windows to boot into Safe Mode with Networking on the next reboot, and configures itself to start automatically when the user logs into Windows, to run as the screensaver, and to execute once every minute. Each time it runs, Cerber displays a fake system alert and initiates a reboot, and it keeps displaying these alerts until the reboot is performed.

Once the reboot is initiated, the computer boots into Safe Mode with Networking and, once the user logs in, it reboots again in normal mode. As soon as the second reboot is completed, the ransomware, which uses a JSON configuration file for its settings, executes itself and starts encrypting the victim’s files.

After encrypting files, the ransomware creates three ransom notes on the user’s desktop and in every folder it has encrypted: # DECRYPT MY FILES #.html, # DECRYPT MY FILES #.txt, and # DECRYPT MY FILES #.vbs. These notes explain what happened to the user’s data and link to the Tor decryption service where the user can pay the ransom and retrieve the decryptor.

Researchers also discovered that the # DECRYPT MY FILES #.vbs file contains VBScript, which causes the computer to “speak” to the victim. The file includes a message stating that the user’s files have been encrypted, and the message is repeated numerous times.

The ransom notes link to the decrypttozxybarc.onion Tor site, named Cerber Decryptor, where users can make payments and retrieve the decryption keys. The site is available in 12 languages, includes a captcha, and tells users how to pay the ransom, the ransom amount (1.24 bitcoins, or around $500), and that the ransom must be paid within 7 days, after which it doubles.

For the time being there is no way to decrypt the files for free, and affected users are advised to restore their files from a backup.

Please read the Flash Player flaw news item for information on the spread of Cerber.

Adobe issued an emergency update to its Flash Player on Thursday after researchers discovered a security flaw that was being exploited to deliver ransomware to Windows PCs.

Adobe urges users of Flash on Windows, Mac, Chrome and Linux computers to update the product as quickly as possible, after security researchers reported that the bug was being exploited in “drive-by” attacks that infect computers with ransomware when tainted websites are visited.

Trend Micro Inc said that it had warned Adobe that it had seen attackers exploiting the flaw to infect computers with a type of ransomware known as ‘Cerber’ as early as March 31.

Cerber “has a ‘voice’ tactic that reads aloud the ransom note to create a sense of urgency and stir users to pay.”

Please be very careful what websites you visit, especially those resulting from Google searches!

Petya RansomWare

Posted by John Shannon | Viruses & Spyware

A RansomWare named “Petya” is the newest to be attacking systems around the world. Rather than encrypting individual files on the hard drive, this new threat encrypts the entire drive.

It is spread via e-mail purporting to be from a job applicant, with instructions to download a file hosted in a Dropbox folder. Opening the file releases the RansomWare, which crashes the PC. When the PC reboots, a message appears saying that it needs to fix errors and that this may take several hours. It appears to be running CHKDSK, but during this time the entire hard disk is actually being encrypted.

Once the encryption is completed, the system reboots and the user is presented with a ransom message demanding payment, otherwise they will lose access to everything on the hard drive. The ransom doubles every seven days.

As with most malware attacks, Petya relies on the computer user clicking links sent in an email.

One hospital has paid $17,000 in Bitcoins this year after its files were encrypted. As you may now know, six of my clients have already been hit with various RansomWare, including two just last week. No one has yet lost any data due to the stringent measures we have in place to prevent such loss, but there is always a first time.

Please continue to be vigilant in the E-Mail you open and the websites you visit.

Locky RansomWare

Posted by John Shannon | Viruses & Spyware

The Locky malware is the most active malware of 2016. At the time of writing, hundreds of people are trying to remove Locky from their computers and to recover their “locky datei” files. If you haven’t heard about this threat yet, you should know that it is the latest example of ransomware-type malware, which is capable of ruining your files. If you are one of those who value the files they have collected over the years, beware that this threat can put your precious memories in danger. Locky is a treacherous piece of malware that is said to have already attacked over half a million users. Unfortunately, it keeps spreading and, according to PC security experts, it can be called one of the most significant malware threats today.

Locky works similarly to CTB Locker, Cryptowall, Teslacrypt, and Cryptolocker: as soon as it enters the computer, it starts encrypting files with AES-128 encryption. Once this military-grade encryption process is finished, the victim can no longer access his or her files. The only way to get these files back is with the decryption key, which is held by the Locky developers. Users whose files have been locked are asked to pay a sum of money to obtain this key. At the time of writing, they are asked to pay from 0.5 to 1.00 Bitcoin (or $400) for the decryption key, which is essential for getting the files decrypted. Nevertheless, security experts have been urging victims NOT to pay for this key, because there is no guarantee that the “key” will work for them. To sum up, Locky is extremely dangerous malware that has to be removed ASAP. This is the only way to prevent further encryption of your valuable data. To remove Locky and its malicious files, you should scan your computer with SpyHunter or similar anti-spyware.

The main method used for spreading Locky ransomware (an alternative name for this threat) relies on spam. Some of these misleading emails have a Word file attached; others carry a JavaScript attachment. According to PC security experts, people should be extremely careful with .js email attachments, because it is believed that scammers can send almost four million emails carrying them every seven days. Of course, each of these messages tries to look very convincing in order to trick people into downloading the attachment, because that is how Locky infects the system. When the Word attachment is downloaded and opened with Word macros enabled, the virus immediately starts its malicious activity. However, it cannot do so if macros are disabled, so it asks the victim to enable them. Please DO NOT do that under any circumstances: the macro is what launches the virus. That is why Locky is also called a macro virus. When the victim is tricked into downloading the JavaScript attachment, the virus does not need the victim to enable macros. That is why it is believed that this Locky distribution technique will become very popular in the near future.

Once activated, the virus scans the computer for files, including photos, videos, documents, archives and other files, and then encrypts them with the AES algorithm. On top of that, the virus does not only affect Office files: it may also reach external storage drives connected to the computer and network shares, and lock the files there as well. Cloud file storage and network sharing sites are also at risk of being hijacked. There have been reports of Locky encrypting Bitcoin wallets as well. This is an extremely dangerous virus, so you should think about Locky removal as soon as it shows up on your computer. Also, do NOT open unknown emails and do not download any suspicious attachments.

Please shut down all the PCs on your network if you find any files on any PC or server on your network ending in .locky, and call us immediately! The sooner you shut down, the less damage can be done. DO NOT SHUT DOWN YOUR SERVERS without contacting us; shut down just the workstations.
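The Cerber post above lists the three ransom-note names and the .CERBER extension, and the Locky post asks you to look for files ending in .locky on any PC or server. The script below is an added example (not code from the blog or from any of the posts' sources) that turns those indicators into a read-only scan of a directory tree, so a share can be checked for signs of either family before anything is opened. The sample folder it scans is constructed in a temporary directory for the demo; the indicator names themselves come from the posts. It only reads directory listings and writes nothing to the tree it scans.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the posts above: the encrypted-file extensions and the
# three Cerber ransom-note names. Extension matching is case-insensitive
# because Windows file systems are.
ENCRYPTED_EXTENSIONS = {".cerber", ".locky"}
RANSOM_NOTE_NAMES = {
    "# DECRYPT MY FILES #.html",
    "# DECRYPT MY FILES #.txt",
    "# DECRYPT MY FILES #.vbs",
}


def classify(path):
    """Return 'note', 'encrypted' or None for a single file path."""
    path = Path(path)
    if path.name in RANSOM_NOTE_NAMES:
        return "note"
    if path.suffix.lower() in ENCRYPTED_EXTENSIONS:
        return "encrypted"
    return None


def scan_tree(root):
    """Walk `root` and collect paths matching the indicators.

    Returns a dict with two sorted lists of POSIX-style relative paths,
    'encrypted' and 'notes'. Symlinks are not followed so a loop on a
    share cannot hang the scan, and files are never opened.
    """
    root = Path(root)
    found = {"encrypted": [], "notes": []}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            kind = classify(p)
            if kind == "encrypted":
                found["encrypted"].append(p.relative_to(root).as_posix())
            elif kind == "note":
                found["notes"].append(p.relative_to(root).as_posix())
    found["encrypted"].sort()
    found["notes"].sort()
    return found


def build_sample_share():
    """Create a constructed directory tree (demo data, not a real share)."""
    base = Path(tempfile.mkdtemp(prefix="share_demo_"))
    (base / "Finance").mkdir()
    (base / "HR").mkdir()
    (base / "Finance" / "budget.xlsx").write_bytes(b"clean")
    (base / "Finance" / "q1report.docx.locky").write_bytes(b"\x00" * 16)
    (base / "HR" / "ab12cd34.cerber").write_bytes(b"\x00" * 16)
    (base / "HR" / "# DECRYPT MY FILES #.txt").write_text("note")
    (base / "HR" / "# DECRYPT MY FILES #.vbs").write_text("note")
    (base / "thumbs.db").write_bytes(b"clean")  # Cerber skips this name
    return base


def demo():
    """Build the constructed share, scan it and return the findings."""
    return scan_tree(build_sample_share())


if __name__ == "__main__":
    r = demo()
    print(f"encrypted files: {len(r['encrypted'])}, ransom notes: {len(r['notes'])}")
    for p in r["encrypted"] + r["notes"]:
        print("  ", p)
```

Point `scan_tree` at a mapped share or a server volume and any non-empty result is the trigger for the advice above: shut down the workstations and call before touching the servers. Because the scan only lists file names, it is safe to run on a suspect machine and fast enough to schedule against every share.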