![]() ![]() The spoofed email, purported to be from publicly listed energy company AGL, sent users a fake bill and prompted them to download and open a. In Australia, at least 10,000 users have been affected with a scam email carrying malicious attachments. And considering the exponential growth of ransomware infections across the world, it is not surprising that individual users and enterprises find themselves as specific targets. With ransomware constantly maturing and evolving in terms of features, distribution and tactics, cybercriminals are marching deeper into the world’s computers. In the U.S., The FBI’s Internet Crime Complaint Center (IC3) reported having received at least 2,453 ransomware-related complaints in 2015, with financial losses at $1.6 million. We speculate that this version could just be a test to check AV vendors’ ability to detect it without giving away their C&C.” The malware doesn’t provide any details on its C&Cs because it doesn’t call the HTTP function. From the analysis, we conclude that Herbst is on its beta version which is still under development. Joven added, “Our analysis shows that cybercriminals could be cooking a ransomware targeting a German audience. One of the firm’s security researchers, Rommel Abraham D Joven, noted that the malware-written in C#-is incomplete as it has several other functions that aren’t fully working, such as C&C communication and transaction ID verification. The ransom note, written in German, demands a payment of 0.1 bitcoin (around $58.39 as of June 6, 2016) in order to get a decrypt key. ![]() Named Herbst, the malware uses 256-bit AES and encrypts files in the computer’s desktop as well as its MyPictures, MyMusic and Personal folders whileattaching a. In a separate report by cybersecurity firm Fortinet, another strain of ransomware has been found in the wild, this time targeting German users. Abrams noted, “The use of Paypal is an odd choice for any criminal activity as it can easily be traced.” Interestingly, the cybercriminals behind BlackShades also accept payments made via Paypal. Victims are given 96 hours to pay the ransom, after which the decrypt key needed to unlock the files will be deleted from the database. Afterward the malware deletes itself and leaves behind only the ransom notes. This note is also copied to the start-up folder so victims are greeted by the ransom note every time they log in to the computer. silent extension to the encrypted files.ĭuring the encryption process, the malware communicates with its C&C to relay updates on the amount of files encrypted in the computer, after which it leaves a Hacked_Read_me_to_decrypt_files.Html file to the desktop, which serves as the ransom note. Next it will drop a YourID.txt file, which contains the victim’s ID, in all folders and the desktop. If connected, BlackShades will generate a unique ID for the victim and upload the information to its command and control server (C&C) along with the computer’s name, username, key, execution time, and the number of files that have been encrypted.Ĭapable of encrypting at least 195 file types using a 256-bit AES encryption, BlackShades will encrypt files stored on the C: drive’s folders, such as, Downloads, Documents, Desktop, Pictures, Music, Videos, and Public. It will then determine the infected system’s IP address and then it will check for internet connection by going to. ![]() Upon execution, BlackShades will delete the computer’s shadow copies, which are back-up copies and snapshots of the computer’s files or volumes. According to The Malware Hunter Team, the ransomware is thought to be distributed through fake videos-given that the malware’s reference string is set to YouTube-as well as counterfeit ‘cracks’ and patches for popular programs and applications. ![]() The ransomware infects a system as a dropped file by other malware, or as a clicked file, downloaded and opened by users visiting compromised websites. In a report by ’s Lawrence Abrams, one of the strings, when Google-translated from a Russian code said, “you cannot hack me, I am very hard.” Other codes were deciphered into messages such as, “Hacked by Russian Hackers in Moscow Tverskaya Street,” and “youaresofartocrackMe.” Unlike other ransomware, it has included obfuscated strings of code that contain messages to security analysts who may be scrutinizing the malware. SilentShades, is currently targeting English and Russian-speaking users. The ransomware, named BlackShades (detected by Trend Micro as CRYPSHED / Troldesh) a.k.a. A new ransomware variant has been discovered by a security researcher named “ Jack ” that encrypts data files and demands a ransom of $30 paid in bitcoins through Paypal. ![]()
0 Comments
Leave a Reply. |