Paradise Ransomware Using Internet Query Files To Deliver Payload

The Paradise ransomware is like a bad penny; it just keeps turning up.

The strain first appeared back in 2017, when it was spread far and wide via phishing emails. Then it seemed to fall out of favor for a while, and now, it’s back again. Even worse, it’s back with a new trick up its virtual sleeves. In its latest incarnation, it’s still being spread via phishing emails.

Now, its controllers are delivering it through IQY (Internet Query) files, which are plain-text files that Microsoft Excel reads in order to pull data from the internet. IQY is a completely legitimate file extension, so most organizations don’t even think to block it.

The researchers at Lastline who discovered the latest campaign had this to say about it:

“We’re seeing attacks using IQY files because many commodity security products and automated systems do not, or cannot, parse these file types. Attackers realize they have a very good chance of making it past rudimentary defenses.”
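Because IQY files are plain text, a mail gateway can inspect them cheaply rather than passing them through unexamined. The following is an added example (not code from the article or from Lastline) that assumes the standard IQY layout: a first line `WEB`, a version line, the URL Excel will fetch, then optional `key=value` parameters. The sample files, host names and the `allowed_hosts` policy are constructed for illustration.

```python
"""Minimal IQY (Excel Web Query) inspector for mail-gateway style filtering.

Added example; assumes the standard IQY text layout (WEB / version / URL /
optional key=value lines). Hosts and sample blobs below are constructed.
"""
from typing import Optional, Set
from urllib.parse import urlparse

IQY_MAGIC = "WEB"


def parse_iqy(data: bytes) -> Optional[dict]:
    """Return {'version', 'url', 'params'} for a WEB query file, or None when the
    bytes are not an IQY file so other scanners can take over."""
    try:
        text = data.decode("utf-8-sig")   # Excel may prepend a BOM
    except UnicodeDecodeError:
        return None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != IQY_MAGIC:
        return None
    params = {}
    for ln in lines[3:]:
        key, _, value = ln.partition("=")
        params[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "params": params}


def assess_iqy(data: bytes, allowed_hosts: Set[str]) -> str:
    """Classify an attachment: 'not-iqy', 'allow' (query to a host we run) or 'block'."""
    q = parse_iqy(data)
    if q is None:
        return "not-iqy"
    u = urlparse(q["url"])
    # A web query that fetches from a host the organisation does not operate is
    # exactly the delivery vector described above, so it is blocked outright.
    if u.scheme not in ("http", "https") or u.hostname not in allowed_hosts:
        return "block"
    return "allow"


# Constructed samples: an internal reporting query, an external fetch (with BOM),
# and the start of an .xlsx zip container that is not an IQY file at all.
INTERNAL = b"WEB\n1\nhttps://reports.corp.example/sales.csv\n\nSelection=EntirePage\n"
EXTERNAL = b"\xef\xbb\xbfWEB\n1\nhttp://untrusted.example/stage1\n"
NOT_IQY = b"PK\x03\x04"

if __name__ == "__main__":
    for name, blob in (("internal", INTERNAL), ("external", EXTERNAL), ("xlsx", NOT_IQY)):
        print(name, assess_iqy(blob, {"reports.corp.example"}))
```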

The approach seems to be working, as Paradise’s phishing emails are being opened by unsuspecting users at an alarming rate. Interestingly, the researchers found evidence in the code that this strain is still a work in progress. Consider this latest campaign a beta test for the redesigned code.

Lastline’s researchers had something to say about that as well:

“Malware authors will often deploy malware that isn’t quite ready for prime time yet – they want to see how successful early versions of a new campaign are and how detectable their malware is against security products.”

As is the case with most ransomware, this one is designed to sniff out high value files, exfiltrate them to a command and control center, then encrypt everything and demand a ransom. As such, it has to be regarded as a genuine threat and is certainly one to keep a watchful eye out for.

Emails Pretending To Be Secret Admirers Could Be Ransomware

Nemty Ransomware isn’t an especially well-known threat, but it’s dangerous and should not be discounted. Recently, researchers have discovered an ongoing spam-email driven campaign that’s attempting to spread the ransomware far and wide.

An unknown group of hackers is broadcasting what appear to be love letters from secret admirers.

They are probably using email addresses purchased in bulk on the Dark Web. The emails use a variety of subject lines like “Letter for You,” “Will be our secret,” “Can’t Forget you,” and “I love you.” They have no body text and feature nothing more than a wink emoji. That is clearly a bid to entice recipients into clicking the enclosed attachment to see what all the fuss is about and get to the bottom of the mystery.

Unfortunately, those who do so doom themselves. The attached file is a malicious JavaScript file that installs the ransomware, which promptly locks the user’s files and then displays a ransom payment demand.

The fact that Nemty isn’t widely known works in its favor, as it gives the malware a very low VirusTotal detection rate. That will undoubtedly lead to a higher than usual percentage of infections until an increasing number of antivirus companies add the malware to their definitions. It’s a short-term advantage, but one the hackers will surely make full use of until the AV companies catch up.

Nemty’s developers have also threatened to create a blog, which will be used to release sensitive information of those who refuse to pay the ransom.

Finally, be aware that Nemty is known for deleting shadow copies as it encrypts files. So if you’re not in the habit of making regular backups, if you get hit with this strain, you will have no way of recovering your data. Make sure your employees are aware!

CoronaVirus Scare Is Being Used By Scammers To Trick People

There is no low that hackers and scammers won’t stoop to.

The US Federal Trade Commission (FTC) has issued a warning about a worldwide scam in progress that preys on fears surrounding the Coronavirus. The FTC’s announcement speaks for itself and reads, in part:

“Scammers are taking advantage of fears surrounding the Coronavirus. They’re setting up websites to sell bogus products, and using fake emails, texts and social media posts as a ruse to take your money and get your personal information.

The emails and posts may be promoting awareness and prevention tips, and fake information about cases in your neighborhood. They also may be asking you to donate to victims, offering advice on unproven treatments, or contain malicious email attachments.”

Even worse, it appears that there are multiple campaigns like this, running in tandem.

Francis Gaffney, Director of Threat Intelligence at Mimecast, one of several companies tracking the issue, added this:

“The sole intention of these threat actors is to play on the public’s genuine fear to increase the likelihood of users clicking on an attachment or link delivered in a malicious communication to cause infection, or for monetary gain.”

In short, this is about as despicable as it gets. Then again, hackers and scammers have been known to send emails targeting children, so it shouldn’t come as a great surprise.

As always, the standard precautions apply. Unless you know and trust the sender of a communication, don’t click on links or open attachments, even if the message is about something as scary and important as the Coronavirus. You never know where a link might take you or what type of malware might end up on your system. Better safe than sorry, and you can always get Coronavirus information from official sources.

New Ransomware Leaks Confidential Data To Public

There’s a disturbing emerging trend among hackers who use ransomware to extort payment from companies. Increasingly, if a company won’t pay, the data that was stolen and encrypted is published for all to see.

KrebsOnSecurity recently identified a website associated with the creators of the Maze ransomware strain that did exactly that.

The introductory message on the landing page reads as follows:

“Represented here companies don’t wish to cooperate with us, and trying to hide our successful attack on their resources. Wait for their databases and private papers here. Follow the news!”

Many industry insiders and security experts have expressed shock and dismay at the emerging trend. They probably shouldn’t. After all, hackers who use ransomware almost always issue a warning that if their demands aren’t met, the data in question will be released to the public. It’s such a common threat that it’s almost become boilerplate.

The difference is that until recently, hackers haven’t actually followed through on the threat. That now appears to be changing, and it underscores an important point.

Hackers often snoop through and exfiltrate the data before encrypting it. Doing so essentially lets them get paid twice: if the company pays the ransom, they get the money, and meanwhile they can auction off the juiciest bits of data to the highest bidder. Most commonly this means selling personal information and credit card data, but it can certainly mean proprietary company data. In fact, it now appears that it does.

What this means though, is that ransomware attacks need to be considered data breaches and treated accordingly. If that’s not your company’s current stance where such attacks are concerned, it should be.

New Malware Sends Offensive Texts From Your Phone

Malware tends to be at its most effective when it operates in secret, under the radar. That is what allows malicious code to burrow deep into an infected system and capture a wide range of data, and what allows cryptojacking software to quietly siphon off computing power to mine various forms of cryptocurrency for the code’s owners. Secrecy is typically a very big deal.

Then there’s the malware called Faketoken, which has recently been upgraded with enhanced capabilities that throw all of that out the window. The latest version adds insult to injury by sending offensive, expensive, or overseas text messages after milking as much money out of an infected device as it can. It’s such a departure from hacking norms that it caught researchers at Kaspersky Lab by surprise when they saw it.

Researchers have been tracking Faketoken’s ongoing development since it first made the “Top 20 Most Dangerous Banking Trojans” list in 2014.

Since that time, the code’s owners have added a raft of capabilities to the malware, including:

  • The ability to steal funds directly, rather than relying on other Trojans bundled with it to do the heavy lifting
  • Using phishing login screens and overlaid windows designed to dupe mobile users into entering their account credentials, handing them straight to the hackers
  • The ability to act as ransomware, encrypting files and demanding payment

Sending out offensive texts is an oddly amusing addition to malicious code like this. However, there may be a method to the apparent madness of the people behind the code. It is, after all, a fantastic way to advertise the code’s effectiveness.

Ultimately, the only people who know the true purpose behind this new functionality are the hackers themselves, but we may well be looking at the leading edge of a new trend in malware. Stay tuned.