• Tag Archives Ransomeware
  • New Spam Campaign Distributes Locky Ransomware and Kovter Trojan Combined

    Criminals have taken a liking to the idea of combining multiple types of malware into one distribution campaign. Malware Protection Center researchers discovered a string of email messages using malicious attachments to spread both Locky ransomware and the Kovter Trojan. It is not the first time these two types of malware have been distributed in the same campaign, as dual-pronged spam campaigns have become more common of late.

    This morning we noticed the start of a campaign using "New notice to Appear in Court" as the email subject. The attachments are identical to the typical .JS, .WSF, .lnk file inside a double zip. All the sites seen so far today are the same sites used in the USPS, FedEx, UPS current campaigns. I am sure that both campaigns will continue side by side. It is very likely that different “affiliates” are using the same distribution network, but each one prefers a different email lure to gain victims.

    The attachments all start with a zip named along the lines of Notice_00790613.zip, which contains another zip, Notice_00790613.doc.zip, which in turn contains Notice_00790613.doc.js.
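    The nesting described above (a script with a document-style double extension inside a zip inside a zip) is simple to spot mechanically. The following is an added example, not code from the original post or from any vendor: it walks a zip recursively, records where each member sits in the nesting, and flags .JS, .WSF and .lnk members, noting when the name carries a second, document-looking extension. The sample archive is constructed inline to mirror the Notice_00790613 naming pattern; its .js body is a placeholder, not the campaign's script.

```python
import io
import zipfile

# Attachment types the campaign above delivers inside a double zip (.JS, .WSF, .lnk).
SCRIPT_EXTENSIONS = {".js", ".wsf", ".lnk"}
MAX_DEPTH = 4                       # stop descending after this many nested archives
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # refuse to inflate members larger than this (zip-bomb guard)


def walk_zip(data, depth=0, prefix=""):
    """Yield (path, depth, size) for every non-archive member, descending into nested zips.

    Nested archives are written into the path as 'outer.zip!/inner', so a finding
    records exactly where in the nesting the file sits.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                # Too large to inflate safely; report it without descending.
                yield path, depth, info.file_size
                continue
            member = zf.read(info)
            if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(member)):
                yield from walk_zip(member, depth + 1, path + "!/")
            else:
                yield path, depth, info.file_size


def suspicious_members(data):
    """Return findings for script or shortcut files, noting document-style double extensions."""
    findings = []
    for path, depth, size in walk_zip(data):
        name = path.rsplit("/", 1)[-1]
        parts = name.lower().split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in SCRIPT_EXTENSIONS:
            findings.append({
                "path": path,
                "depth": depth,
                "size": size,
                "extension": ext,
                # Notice_00790613.doc.js: a script hiding behind a document extension
                "double_extension": len(parts) > 2,
            })
    return findings


def _zip_bytes(members):
    """Build an in-memory zip from a {name: bytes} mapping (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """Constructed sample with the page's naming pattern; the .js body is a placeholder."""
    inner = _zip_bytes({"Notice_00790613.doc.js": b"// constructed placeholder body\n"})
    return _zip_bytes({"Notice_00790613.doc.zip": inner})


def build_benign_sample():
    """Constructed control case: a plain document attachment, nothing to flag."""
    return _zip_bytes({"invoice.pdf": b"%PDF-1.4 constructed placeholder\n"})


if __name__ == "__main__":
    for finding in suspicious_members(build_sample()):
        print(finding)
```

    On the constructed sample the walker reports one finding at depth 1, `Notice_00790613.doc.zip!/Notice_00790613.doc.js`, with `double_extension` set; the benign archive yields nothing. A mail gateway rule built on the same idea would quarantine on "script-type member at any nesting depth" rather than on the outer file name, which is what the lure rotates.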

    Criminals Step Up Malware Distribution

    It is rather disconcerting to learn that opening a malicious email attachment can introduce two different types of malware at the same time. As if the Locky ransomware were not annoying enough to deal with on its own, computer users will also be affected by the Kovter Trojan. This latter piece of malware specializes in click fraud, generating a lot of illegal advertisement revenue for criminals.

    Through a malicious email attachment, criminals execute a script that contains links to multiple domains from which the malware types are downloaded. By making the attachment a .lnk file, the recipient may click it and have the payload download executed in the background. PowerShell scripts have become a fan favorite among criminals targeting Windows users these days, that much is certain.

    Researchers discovered a total of five hardcoded domains in the script from where the malware can be downloaded. Both the Locky ransomware and Kovter Trojan payloads are hosted on these platforms, and it is expected more of these domains will continue to pop up over time. Although law enforcement agencies can take down these domains rather easily, criminals will not hesitate to create additional hosting solutions over time.

    As one would expect from these spam email campaigns, the message in question is a fake receipt for a spoofed USPS delivery email. In the attached zip file there is the malicious .lnk file, which initiates the PowerShell script once opened. One interesting aspect of this script is how it checks whether the file was downloaded successfully and whether it is at least 10 KB in size. Once that has been verified, it will stop the process automatically.

    Microsoft researchers feel the use of multiple domain names to download the payload from is a powerful obfuscation technique. Blacklisting one specific URL is a lot easier than dealing with a handful of different domains. Moreover, this method seems to hint at how criminals can easily add more servers to download the malicious payloads from if they want to. A very troublesome development, to say the least.

    Perhaps the most worrisome aspect of this new malware distribution campaign is how criminals continue to update the payloads themselves. Both Kovter and Locky receive regular updates, which means the development of ransomware and click-fraud Trojans is still going on behind the scenes. Moreover, it goes to show criminals will continue to rely on multi-pronged distribution campaigns for malware and ransomware moving forward.


  • Ransomware Decrypters Available: Decryption Service, Decryptor Download, Decrypt Files

    New version of ODCODCDecoder Released Download Decrypter

    BloodDolly has released a new version of his ODCODC ransomware decryptor. The decryptor can be downloaded from the Download Decrypter link.

    Emsisoft Decrypter for Marlboro Download Decrypter

    The Marlboro ransomware was first seen on January 11th, 2017. It is written in C++ and uses a simple XOR-based encryption algorithm. Encrypted files are renamed to “.oops”. The ransom note is stored inside a file named “_HELP_Recover_Files_.html” and includes no further point of contact.

    Due to a bug in the malware’s code, the malware will truncate up to the last 7 bytes from files it encrypts. It is, unfortunately, impossible for the decrypter to reconstruct these bytes.

    To use the decrypter, you will require an encrypted file of at least 640 bytes in size as well as its unencrypted version. To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.
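    The decrypter's requirement for a matching encrypted and unencrypted file is the weakness of a simple XOR scheme: XORing a ciphertext with its known plaintext returns the keystream, and once the key is known every other file encrypted with it falls. The block below is an added example and is not Emsisoft's decrypter nor Marlboro's actual algorithm; it assumes a repeating XOR key of unknown length (an assumption, since the page does not describe the key), models the truncation bug by dropping exactly 7 bytes, and copies the 640-byte minimum from the tool's stated requirement. The key and file contents are constructed for the demo.

```python
from itertools import cycle

TRUNCATED_TAIL = 7     # the page: the malware drops up to the last 7 bytes of each file
MIN_SAMPLE_LEN = 640   # the page: the decrypter needs an encrypted sample of at least 640 bytes


def xor_repeating(data, key):
    """XOR data against a repeating key; applying it twice gives the original back."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def toy_encrypt(plaintext, key):
    """Constructed stand-in for the malware: repeating-key XOR, then the truncation bug
    (exactly TRUNCATED_TAIL bytes dropped here; the page says the real malware drops 'up to' 7)."""
    return xor_repeating(plaintext, key)[:-TRUNCATED_TAIL]


def recover_keystream(plaintext, ciphertext):
    """Known-plaintext step: for XOR, plaintext ^ ciphertext is the keystream itself."""
    if len(ciphertext) < MIN_SAMPLE_LEN:
        raise ValueError("need an encrypted sample of at least %d bytes" % MIN_SAMPLE_LEN)
    n = min(len(plaintext), len(ciphertext))
    return bytes(p ^ c for p, c in zip(plaintext[:n], ciphertext[:n]))


def smallest_period(stream, max_period=256):
    """Return the shortest prefix whose repetition reproduces the whole stream (the key)."""
    limit = min(max_period, len(stream) // 2)
    for period in range(1, limit + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    raise ValueError("no repeating key of length <= %d found" % limit)


def recover_key(plaintext, ciphertext):
    """Full recovery: keystream from the known pair, then its period."""
    return smallest_period(recover_keystream(plaintext, ciphertext))


def decrypt(ciphertext, key):
    """Everything that survived encryption comes back; the truncated tail is gone for good."""
    return xor_repeating(ciphertext, key)


# Constructed demo data (nothing here is taken from real Marlboro samples).
TOY_KEY = b"marlboro-toy-key"
KNOWN_PLAINTEXT = bytes(range(256)) * 3                   # 768 bytes: the pair the victim supplies
OTHER_PLAINTEXT = b"Quarterly figures, do not delete.\n" * 30  # a second file to recover


def demo():
    """Recover the key from the known pair and use it on a second encrypted file."""
    key = recover_key(KNOWN_PLAINTEXT, toy_encrypt(KNOWN_PLAINTEXT, TOY_KEY))
    recovered = decrypt(toy_encrypt(OTHER_PLAINTEXT, TOY_KEY), key)
    return key, recovered


if __name__ == "__main__":
    key, recovered = demo()
    print("recovered key:", key)
    print("bytes lost to truncation:", len(OTHER_PLAINTEXT) - len(recovered))
```

    The recovered second file is the original minus its last 7 bytes, which is exactly the limitation the page describes: no amount of key knowledge restores bytes the malware never wrote. The known file must be at least as long as the key period for `smallest_period` to see a full repetition, which is one reason a tool of this kind sets a minimum sample size.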

    Decryptor released for the Merry Christmas or Merry X-Mas Ransomware Download Decrypter

    Fabian Wosar has done it again and released a decryptor for the files encrypted by the Merry Christmas or Merry X-Mas Ransomware. These files will have the extensions .PEGS1, .MRCR1, .RARE1, .RMCM1 appended to them.

    Crypt38Decrypter Download Decrypter

    BitStakDecrypter Download Decrypter

    AlphaDecrypter Download Decrypter

    Unlock92Decrypter Download Decrypter

    Hidden Tear Decrypter Download Decrypter

    Hidden Tear BruteForcer Download Decrypter

    PowerLockyDecrypter Download Decrypter

    GhostCryptDecrypter Download Decrypter

    MicroCop Decryptor Download Decrypter

    Jigsaw Decrypter Download Decrypter

    Rannoh Decryptor (updated 20-12-2016 with CryptXXX v3) Download Decrypter

    RannohDecryptor tool is designed to decrypt files encrypted by:

    • CryptXXX versions 1, 2 and 3.
    • Marsjoke aka Polyglot;
    • Rannoh;
    • AutoIt;
    • Fury;
    • Crybola;
    • Cryakl;

    Globe3 Decryptor Download Decrypter
    The tool is designed to decrypt files encrypted by Globe3 Ransomware.

    Derialock Decryptor Download Decrypter
    Derialock decryptor tool is designed to decrypt files encrypted by Derialock

    PHP Ransomware Decryptor Download Decrypter
    PHP ransomware decryptor tool is designed to decrypt files encrypted by PHP ransomware

    WildFire Decryptor Download Decrypter
    WildfireDecryptor tool is designed to decrypt files encrypted by Wildfire

    Chimera Decryptor Download Decrypter
    ChimeraDecryptor tool is designed to decrypt files encrypted by Chimera

    Teslacrypt Decryptor Download Decrypter
    TeslaDecryptor can decrypt files encrypted by TeslaCrypt v3 and v4

    Shade Decryptor Download Decrypter
    ShadeDecryptor can decrypt files with the following extensions: .xtbl, .ytbl, .breaking_bad, .heisenberg.

    CoinVault Decryptor Download Decrypter

    The CoinVault decryption tool decrypts files encrypted by Coinvault and Bitcryptor.

    Rakhni Decryptor (updated 14-11-2016) Download Decrypter

    RakhniDecryptor tool is designed to decrypt files encrypted by:

    • Crysis;
    • Chimera;
    • Rakhni;
    • Agent.iih;
    • Aura;
    • Autoit;
    • Pletor;
    • Rotor;
    • Lamer;
    • Lortok;
    • Cryptokluchen;
    • Democry;
    • Bitman (TeslaCrypt) version 3 and 4.

    Trend Micro Ransomware File Decryptor Download Decrypter

    Supported Ransomware Families

    The following list gives the known ransomware-encrypted file types that can be handled by the latest version of the tool, as ransomware family followed by file name and extension.

    • CryptXXX V1, V2, V3*: {original file name}.crypt, cryp1, crypz, or 5 hexadecimal characters
    • CryptXXX V4, V5: {MD5 Hash}.5 hexadecimal characters
    • Crysis: .{id}.{email address}.xtbl, crypt
    • TeslaCrypt V1**: {original file name}.ECC
    • TeslaCrypt V2**: {original file name}.VVV, CCC, ZZZ, AAA, ABC, XYZ
    • TeslaCrypt V3: {original file name}.XXX or TTT or MP3 or MICRO
    • TeslaCrypt V4: File name and extension are unchanged
    • SNSLocker: {Original file name}.RSNSLocked
    • AutoLocky: {Original file name}.locky
    • BadBlock: {Original file name}
    • 777: {Original file name}.777
    • XORIST: {Original file name}.xorist or random extension
    • XORBAT: {Original file name}.crypted
    • CERBER V1: {10 random characters}.cerber
    • Stampado: {Original file name}.locked
    • Nemucod: {Original file name}.crypted
    • Chimera: {Original file name}.crypt
    • LECHIFFRE: {Original file name}.LeChiffre
    • MirCop: Lock.{Original file name}
    • Jigsaw: {Original file name}.random extension
    • Globe/Purge: V1: {Original file name}.purge; V2: {Original file name}.{email address + random characters}; V3: Extension not fixed or file name encrypted
    • DXXD: V1: {Original file name}.{Original extension}dxxd
    • Teamxrat/Xpan: V2: {Original filename}.__xratteamLucked

    Source: Trend Micro solution 1114221, "Using the Trend Micro Ransomware File Decryptor Tool", https://success.trendmicro.com/solution/1114221 (13/12/2016).

    NMoreira Decryptor download
    The tool is designed to decrypt files encrypted by NMoreira Ransomware.

    Ozozalocker Decryptor download
    The tool is designed to decrypt files encrypted by Ozozalocker Ransomware.

    Globe Decryptor download
    The tool is designed to decrypt files encrypted by Globe Ransomware.

    Globe2 Decryptor download
    The tool is designed to decrypt files encrypted by Globe2 Ransomware.

    FenixLocker Decryptor download
    The tool is designed to decrypt files encrypted by FenixLocker Ransomware.

    Philadelphia Decryptor download
    The tool is designed to decrypt files encrypted by Philadelphia Ransomware.

    Stampado Decryptor download
    The tool is designed to decrypt files encrypted by Stampado Ransomware.

    Xorist Decryptor download
    The tool is designed to decrypt files encrypted by Xorist Ransomware.

    Nemucod Decryptor download
    The tool is designed to decrypt files encrypted by Nemucod Ransomware.

    Gomasom Decryptor download
    The tool is designed to decrypt files encrypted by Gomasom Ransomware.

    Linux.Encoder Decryptor download

    Decryption tools have been designed for infections of the Linux.Encoder.1 and Linux.Encoder.3 ransomware.



  • Ransomware developers look to educate victims and Help Decrypt files

    Knowledge is good, at least according to the cybercriminals who are developing ransomware that will give a free decryption key if the victim reads two articles about ransomware.

    A new variant of Koolova, discovered by security researcher Michael Gillespie, demands that the victim read two articles: a Google Security Blog post, "Stay safe while browsing", and a Bleeping Computer article, "Jigsaw Ransomware Decrypted: Will delete your files until you pay the Ransom".

    Lawrence Abrams said the ransomware itself behaves like Jigsaw in that once it encrypts the files it delivers a scrolling note telling the victim to read the stories or else risk having their files deleted. In Jigsaw’s case the demand is for a ransom payment.


  • Mobile banking trojan now has encryption and is targeting over 2000 apps

    Security experts at Kaspersky Lab have discovered a modification of the mobile banking Trojan, Faketoken, which can encrypt user data. Kaspersky Lab has detected several thousand Faketoken installation packages capable of encrypting data, the earliest of which dates back to July 2016.

    Disguised as various programs and games, including Adobe Flash Player, the modified Trojan can also steal credentials from more than 2000 Android financial applications.

    To date, the modified Faketoken has claimed over 16,000 victims in 27 countries, with the most located in Russia, Ukraine, Germany and Thailand.

    The newly added data-encryption capability is unusual in that most mobile ransomware focuses on blocking the device rather than the data, which is generally backed-up to the cloud.

    In Faketoken’s case, the data – including documents and media files such as pictures and videos – is encrypted using AES symmetric encryption which can, in some cases, be decrypted by the victim without paying a ransom.

    During the initial infection process, the Trojan demands administrator rights, permission to overlay other apps or to be a default SMS application – often leaving users with little or no choice but to comply. Among other things, these rights enable Faketoken to steal data: both directly, like contacts and files, and indirectly, through phishing pages.

    The Trojan is designed for data theft on an international scale. Once all the necessary rights are in place, it downloads a database from its command and control server containing phrases in 77 languages for different device localisations.

    These are used to create phishing messages to seize passwords from users’ Gmail accounts. The Trojan can also overlay the Google Play Store, presenting a phishing page to steal credit card details.

    In fact, the Trojan can download a long list of applications for attack and even an HTML template page to generate phishing pages for the relevant apps. Kaspersky Lab researchers uncovered a list of 2249 financial applications.

    Intriguingly, the modified Faketoken also tries to replace application shortcuts for social media networks, instant messengers and browsers with its own versions. The reason for this is unclear as the substitute icons lead to the same legitimate applications.

    “The latest modification of the Faketoken mobile banking Trojan is interesting in that some of the new features appear to provide limited additional benefit for the attackers. That doesn’t mean we shouldn’t take them seriously. They may represent the groundwork for future developments, or reveal the ongoing innovation of an ever-evolving and successful malware family. In exposing the threat, we can neutralise it, and help to keep people, their devices and their data safe,” says Roman Unuchek, senior malware analyst at Kaspersky Lab.