
AppCheck Anti-Ransomware Is A Nice Security Software You Should Use At Home (Free) Or At The Office (Paid)

As you may know, ransomware is the type of malware that encrypts all your data and demands a ransom if you want it back. It has grown a lot lately, becoming a big threat for both enterprise and home users.

In this article I will give a short overview of AppCheck Anti-Ransomware, a complementary security solution designed by Checkmal to run alongside your antivirus software on Windows.

AppCheck Anti-Ransomware is created by a Korean developer, runs on both 32-bit and 64-bit Windows systems, and is available in a free and a paid edition. The free version provides basic anti-ransomware protection, while the pro version adds some functions that may be useful in a corporate environment.

The installation is very easy and straightforward, and the app works on its own after installation, but you can configure it as you like from the interface, which is very intuitive.

The free version provides real-time protection, exploit protection and MBR protection, but only the paid version provides protection for network drives. The protection can be toggled on and off from the interface.

Main features:

  • Protection against 800+ ransomware types
  • Ransom Guard: keeps copies of important files, in order to prevent data loss
  • Cleans PUPs/PUAs and common malware
  • Auto Backup and server protection (paid version)
  • Actively monitors the system and provides proactive protection
  • Very lightweight; does not require much RAM

Conclusion:

This app is really nice to have because it enhances the security of your system. If you don’t need the pro features, you should at least use the free version of it. For more information, see the developer’s website.



After a few months, Locky ransomware has reappeared

According to a Malwarebytes article, after it went dark for months, Locky ransomware returned with two new ‘flavors’. The new versions use new command and control servers. They also use two new affiliate IDs: AffillD3 and AffillD5.

The way the ransomware spreads has not changed much. It still uses phishing e-mails that carry malicious code in MS Office files or archived attachments.

Back in 2016, Locky ransomware was in the top 3 along with Cryptowall and Cerber. It came back in 2017, but a little quieter. On August the 9th it reappeared using a new ransom note and the extension .diablo6 for encrypted files. After another week, a second version appeared using the .Lukitus extension for encrypted files.

Locky's code base is derived from the Dridex banking trojan, and it uses the Necurs botnet for distribution. The Dridex trojan seems to be behind the theft of approximately 20 million pounds from UK bank accounts. It was then repurposed for ransomware instead of stealing authentication data from online banking platforms.

Stay alert when opening attachments that come from unknown sources, and an antivirus or antimalware solution is always welcome. Better safe than sorry, as the saying goes.


Erebus Malware – Web Hosting Provider Paid 1 Million Dollars to Ransomware Attacker

The South Korean web hosting provider Nayana agreed to pay a ransom of 1 million dollars in Bitcoin, after 153 of its Linux servers were infected with the Erebus malware on the 10th of June.

After the attack, over 3400 business websites the company hosted were encrypted. According to Nayana's initial announcement, the attacker requested 550 Bitcoins (1.62 million dollars). After the company negotiated with the attacker, the ransom demanded was 397.6 Bitcoins (around 1 million dollars).

As Trend Micro reveals, the ransomware used in this attack was Erebus. Erebus is a piece of malware that was initially spotted in September 2016 on Windows operating systems. It looks like someone has ported the ransomware to Linux, where it is used to target vulnerable servers.

Nayana's website was running on Linux kernel 2.6.24.2, a kernel compiled back in 2008. Additionally, Nayana's website used Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006. Samples of the ransomware were also submitted to VirusTotal from Ukraine and Romania.

Details about Erebus Malware

The malware uses the RSA algorithm to encrypt AES keys, and each infected file is encrypted with a unique AES key. The RSA-2048 public key, however, is shared. The ransomware targets Office documents, databases, archives and multimedia files, being able to encrypt a total of 433 file types, but the malware was built specifically to target and encrypt web servers and the data stored on them.

[Image: Erebus malware ransom note]

So, the only safe way of dealing with ransomware attacks is prevention. As we have previously recommended, the best defense against ransomware is to create awareness within the organization, as well as to maintain backups that are rotated regularly.

Most viruses are introduced by opening infected attachments or clicking on links to malware usually in spam emails. So, DO NOT CLICK on links provided in emails and attachments from unknown sources.


Kaspersky’s RakhniDecryptor can now recover the files infected by the Jaff ransomware

As you may know, ransomware is the type of malware that encrypts all your personal data and asks for a ransom in exchange for the decryption key.

This kind of infection has spread a lot lately, with WannaCry being the largest cyber attack in internet history. Fortunately, a lot of big companies, tech teams and security researchers worked together and stopped WannaCry, for now.

Well, this article brings good news to ransomware victims. The guys from Kaspersky have updated their RakhniDecryptor tool to version 1.21.2.1, bringing support for decrypting files infected by the Jaff ransomware. The researchers have discovered a weakness in the virus’ code and exploited it, being able to create a decrypting tool.

The Jaff ransomware is distributed with the help of Necurs botnet, the same botnet that distributed the Dridex Banking Trojan and the Locky ransomware, in the past.

The Jaff ransomware (detected by antivirus software as Trojan-Ransom.Win32.Jaff) spreads via spam emails with infected PDF files that open a Word file containing a malicious macro script, which downloads and executes the ransomware.

A few usage instructions, for Kaspersky’s RakhniDecryptor:

The Kaspersky RakhniDecryptor is a lightweight and portable decryption tool, capable of recovering data affected by different types of ransomware, and does not require advanced technical skills to decrypt the files.

  • Download the latest version of the RakhniDecryptor from here.
  • Extract the archive and run RakhniDecryptor.exe on an infected system.
  • Use the Change parameters option to select the locations you want to scan.
  • Browse to the exact path of the infected files.
  • Next, the tool will recover the decryption password and unlock the files.

Because I don't have encrypted files on my hard drive, I could not create a full tutorial, but the tool is very easy to use.


In order to keep your system safe from ransomware infections, I recommend reading this article. It provides 4 security tips that can save your business from ransomware. Or, if you manage to perform your regular tasks only with apps from the Microsoft Store, use Windows 10 S, which is 100% ransomware-proof.


4 things to do to keep your business safe from WannaCry-like internet infections

The WannaCry cyber attack has created a lot of panic, due to the fact that it has infected computers from over 120 countries, being the largest ransomware infection in history.

As I work for an outsourcing IT company, I have noticed that people got very worried that such an attack can destroy their businesses and started to buy backup solutions and to invest more in computer security.

In this article I will give you 4 tips that will save your business from future WannaCry-like infections.

Backup the fileserver, user data and the operating system:

The easiest way to back up user files is to create a dedicated folder for each user on the fileserver and to back it up constantly, along with the entire server backup. This way, everything the users place in their folders is backed up.

From my experience, it is better to backup a single computer or server from the network, instead of backing up files from all the computers on the network. Without a good network infrastructure, this would make the network unresponsive.

In addition to this, another good habit is to create full system backups of all the computers on the network: a bootable image of the fresh operating system, with all the drivers installed and all the license keys added. This way, the reinstall process gets done very quickly.

Another good habit is to have a 2 TB or bigger external hard drive and to use it to perform offline backups of the server, for when the automatic one fails.
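The backup advice above, and the earlier recommendation to keep backups that are rotated regularly, boils down to a small loop: archive the users' folder, keep the last N archives, and check that the newest one can actually be read back. The script below is an added example written for this article, not a tool from the author, Checkmal, Kaspersky or any other vendor named here; the `users` folder, the `2017051x-180000` timestamps and the file contents are constructed sample data, and the retention count of 7 is an arbitrary default.

```python
"""Rotated backups of a file-server user folder (added example; not the article's or any vendor's tool)."""
import tarfile
import tempfile
import time
from pathlib import Path
from typing import List, Optional


def create_backup(source_dir, backup_dir, prefix: str = "users", stamp: Optional[str] = None) -> Path:
    """Archive source_dir into backup_dir as <prefix>-<stamp>.tar.gz and return the archive path.

    The timestamp is embedded in the file name, so plain name sorting is chronological.
    """
    src = Path(source_dir)
    dst = Path(backup_dir)
    dst.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    archive = dst / f"{prefix}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=src.name)
    return archive


def rotate_backups(backup_dir, prefix: str = "users", keep: int = 7) -> List[Path]:
    """Delete all but the newest `keep` archives and return the deleted paths."""
    archives = sorted(Path(backup_dir).glob(f"{prefix}-*.tar.gz"))
    stale = archives[:-keep] if keep > 0 else archives
    for old in stale:
        old.unlink()
    return stale


def verify_backup(archive) -> bool:
    """Open the archive and read every member; a backup that cannot be restored is not a backup."""
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                if member.isfile():
                    handle = tar.extractfile(member)
                    if handle is not None:
                        handle.read()
        return True
    except (tarfile.TarError, OSError):
        return False


def demo_rotation(keep: int = 2) -> dict:
    """Run the cycle on constructed sample data in a temporary directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        users = Path(tmp) / "users"
        (users / "alice").mkdir(parents=True)
        (users / "alice" / "report.docx").write_bytes(b"constructed sample content")
        backups = Path(tmp) / "backups"
        # Three nightly runs with fixed (constructed) timestamps instead of the wall clock
        made = [create_backup(users, backups, stamp=f"2017051{day}-180000") for day in (1, 2, 3)]
        deleted = rotate_backups(backups, keep=keep)
        remaining = sorted(p.name for p in backups.glob("users-*.tar.gz"))
        return {
            "created": [p.name for p in made],
            "deleted": [p.name for p in deleted],
            "remaining": remaining,
            "newest_ok": verify_backup(made[-1]),
        }


if __name__ == "__main__":
    print(demo_rotation())
```

Point `create_backup` at the users' share and `backup_dir` at the external drive mentioned above; ransomware that reaches the file server will also encrypt any backup it can write to, so the archive destination should only be mounted for the duration of the job.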

Antivirus solutions and anti-ransomware software:

While there is plenty of decent free antivirus software, it is not enough in a business environment. We recommend buying an endpoint security antivirus, in order to benefit from extra security modules such as email scanning, certificate scanning, port blocking and so on.

While we like using ESET Endpoint Security, Kaspersky, Bitdefender and Symantec offer good security solutions as well.

In addition, we recommend using anti-ransomware software such as CryptoGuard or Cybereason RansomFree, two free tools that stop the encryption process when ransomware starts it.

For extra security, or for the paranoid users, we recommend Zemana, a secondary antimalware program that can run alongside other antivirus software and is known for its anti-ransomware protection.

Keep your operating systems up to date:

A good security practice is to use supported operating systems, like Windows 7, Windows 8.1 or Windows 10. While Windows Updates may make the system a bit unresponsive, it is a necessary evil, let’s say.

A good practice is to update the operating system daily, at the end of the working hours.

User training:

Yet another important thing to do is to train the users how to spot malicious emails, ignore the attachments and delete them. In most of the cases, the strange emails are either infected or phishing emails.

I know it’s difficult to keep the network and computers safe, but it’s even more difficult to recover the encrypted data.


WannaCry Ransomware spreading stopped – Thanks to Microsoft and MalwareTech security firm

As a reminder, WannaCry is ransomware built on exploits leaked in the NSA hack. The infection spread to over 70 countries.

Microsoft has patched this issue, so users running supported Windows versions (Windows 7, Windows 8.1 and Windows 10) are safe if they have all the system updates installed and Windows Defender enabled.

Despite this, Microsoft has also published an emergency update for all the other Windows systems (except Vista), in order to block the WannaCry ransomware, which Microsoft detects as Ransom:Win32/WannaCrypt.

Download the update patch matching your operating system and architecture:

All you have to do in order to patch your system is to download the update and install.

On top of Microsoft's work to update and secure operating systems which have reached EOL (end of life), a cybersecurity researcher known by the MalwareTech handle has managed to stop the WannaCry infection from spreading.

The researcher studied the code and found a kill switch, hardcoded by the creator in case he wanted to stop it from spreading. The malware was designed to stop if it got a response from an internet domain, so MalwareTech registered that domain, since the attacker had not bothered to buy it.
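For a defender, the kill-switch lookup is also a detection signal: once the domain resolves, every host that queried it is a host where the payload ran. The script below is an added example written for this article, not code from MalwareTech or Microsoft; the article does not name the actual domain, so `killswitch-domain.example` is a placeholder to be replaced with the indicator from your own IoC list, and the log lines are constructed samples loosely in BIND query-log style.

```python
"""Which hosts tried to reach the kill-switch domain? (added example, not MalwareTech's or Microsoft's code)"""
import re
from collections import Counter
from typing import Dict, Iterable, Set

# Placeholder: the article does not name the real kill-switch domain; substitute the one from your IoC list.
WATCHED_DOMAINS: Set[str] = {"killswitch-domain.example"}

# Matches the client address and query name in a BIND-style query log line
QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def hosts_querying(lines: Iterable[str], watched: Set[str] = WATCHED_DOMAINS) -> Dict[str, int]:
    """Count, per client IP, the queries for any watched domain (case-insensitive, trailing dot ignored)."""
    hits: Counter = Counter()
    for line in lines:
        match = QUERY_RE.search(line)
        if not match:
            continue  # not a query line; skip
        qname = match.group("qname").rstrip(".").lower()
        if qname in watched:
            hits[match.group("ip")] += 1
    return dict(hits)


# Constructed sample log lines (BIND query-log style), not real data
SAMPLE_LOG = [
    "12-May-2017 13:02:11.101 client 10.1.4.22#53411 (killswitch-domain.example): query: killswitch-domain.example IN A + (10.1.0.1)",
    "12-May-2017 13:02:11.377 client 10.1.7.9#50011 (www.microsoft.com): query: www.microsoft.com IN A + (10.1.0.1)",
    "12-May-2017 13:02:12.004 client 10.1.4.22#53412 (killswitch-domain.example): query: killswitch-domain.example IN A + (10.1.0.1)",
    "12-May-2017 13:05:40.910 client 10.1.9.30#49123 (KILLSWITCH-DOMAIN.EXAMPLE.): query: KILLSWITCH-DOMAIN.EXAMPLE. IN A + (10.1.0.1)",
    "12-May-2017 13:05:41.000 zone example.internal/IN: loaded serial 2017051201",
]


if __name__ == "__main__":
    for ip, count in sorted(hosts_querying(SAMPLE_LOG).items()):
        print(f"{ip}: {count} kill-switch lookup(s) -> isolate and check for Ransom:Win32/WannaCrypt")
```

Because the malware halts only when the domain answers, blocking the domain at a proxy or firewall would defeat the kill switch; let the lookup succeed and use the resolver log, as above, to find the hosts that need isolating and patching.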

According to Bitdefender, the malware spread to 104 countries and infected 180,000 devices, and only 102 victims decided to pay the $300 ransom in Bitcoin.

As a piece of advice, as I said in the previous article, you should download the right patch for your operating system, keep Windows Defender active and do not open malicious mails.



WannaCry Ransomware infection is the largest in history

Recently, the British National Health System (NHS) became the victim of WannaCry ransomware (also known as WCry or WanaCryptor), a very destructive piece of malware that encrypts all the data on the infected computers. While the first infected systems were in the UK, the virus has spread to other countries as well.

The attack took place on Friday (yesterday) and affected 74 countries (including the UK, US, China, Russia, Spain, Italy and Taiwan) and 16 NHS trusts in the UK, making it the biggest in history.

The WannaCry ransomware is based on an exploit from the EternalBlue tool used by the NSA and leaked a few months ago by the hacker group Shadow Brokers. Once a computer is compromised, it exploits a vulnerability in SMB file sharing to reach others. The most vulnerable computers are the ones with older operating systems, and since the encryption is done with RSA-2048, the files cannot be decrypted without the attacker's key.

The problem is that a lot of computers from public institutions still use Windows XP, a system which is very vulnerable to hackers, since it does not receive any more updates.

The losses were more than financial: surgeons had to cancel operations because everybody was locked out of the system. For more information, see this Liliputing article.

The good thing in this is that Microsoft has released an update patch for all the supported Windows systems – Windows 7, 8.1 and 10 and the May 2017 updates should keep the users safe from this, if they have Windows Defender enabled with up to date signature database.

Final words:

If you keep your Windows system up to date with the latest updates and keep Windows Defender updated and enabled, you are safe from this ransomware malware.

Unfortunately, this happened because government agencies like NSA or CIA keep vulnerabilities unknown for their own benefit.


Meet the rensenware ransomware – a ransomware that asks the users to play a game to unlock their data

The guys from the Malware Hunter Team have discovered the rensenware ransomware, a different type of malware, one that requires the victims to play a game and get a top score in order to get their files back.

It encrypts documents, music files, pictures and personal user files, but it does not ask the users to pay a Bitcoin ransom. Instead, the virus forces them to play a difficult game: the users have to reach a score of 0.2 billion on the LUNATIC level of TH12 – Undefined Fantastic Object, which may be a difficult mission for those without gaming skills.

After creating the rensenware ransomware, the hacker (Tvple Eraser) released an apology on Twitter, because he felt bad about it. He has created a decryption tool and removed the rensenWare code from GitHub, in order to help the victims recover their data without having to win the game.

The hacker's decryption tool edits the game's memory directly, getting around the malware's check without actually playing the game.

As a replacement for the initial ransomware, the hacker has uploaded the code without the encrypting part, as a joke.

For more information, see this article from Techspot.com. If you want to be in touch with our other ransomware and related articles, follow the ransomware tag.


The launch of iOS 10.3 might have been hurried due to a fake ransomware

The new iOS update to version 10.3, launched on the 28th of March, might have been hurried after some users reported that their devices were blocked by ransomware.

It acted just like the FBI ransomware: a pop-up accused the owners of the devices of having accessed illegal porn or pirated music, and it seemed hard to remove. In fact the ransomware was fake, and by clearing the browser cache the users could regain full access to their devices.

The ransomware was created using JavaScript, a language used on most websites. According to security company Lookout, the attackers were requesting 100 pounds in the form of an iTunes coupon that was supposed to be sent via SMS to a certain phone number in order to unlock the victim's phone.

Researchers have written that: "in fact the malware was a fake one and it did not encrypt any data. The purpose was to frighten the victims into paying for the unlocking of the browser before they would realize there is no need to pay a ransom to recover phone data or access to the browser."

The iOS 10.3 patch did fix the problem, but Prof. Alan Woodward, a cybersecurity expert at Surrey University, has said that many iPhone users avoided the update because it would also bring some new features regarding the devices' functionality.

I, for personal reasons, have not updated my iOS since version 10.0.1 and I also recommend waiting for a couple of days before doing any updates, because not all updates are good. Have you updated to the new iOS 10.3 due to the fake ransomware?


The Russians have created an Android ransomware that does not do anything in the first four hours

Some researchers from Zscaler ThreatLabZ have discovered a new type of ransomware for Android inside OK (Odnoklassniki), a Russian entertainment social network application.

The clean application has between 50 and 100 million downloads from the Google Play Store, but the infected one is available via third party application stores.

The virus stays quiet for four hours, letting the user carry on with regular activity on the phone, unlike other ransomware variants that encrypt the data right after infection. After the four-hour interval, the application asks for administrative rights, changes the unlock password, locks the screen and sets the lock-screen password expiration. If the user taps cancel, the administrative prompt reappears immediately and does not allow the user to take any other action on the phone.

The ransom is only 500 rubles, the equivalent of $9.

The researchers discovered that the ransomware does not send the user's data to a server and is incapable of unlocking the user's phone. So, if the victim pays the ransom, the virus will stop operating, but the user will still not be able to access his data.

Because the ransomware takes no action during the first four hours, antivirus software cannot detect it, so it can easily be injected into Google Play Store apps.

A piece of advice: Do not install apps from unknown sources and disable the unknown sources installation feature from the phone’s settings.

If however you get infected with this, you need to boot into Safe Mode, remove the device admin privilege of the ransomware app, remove the app itself and reboot your device back in regular mode.

For more information, see this VirusGuides article.