New Ransomware Targets Removable And Attached Drives

There’s a new and unusual ransomware strain making the rounds that you should be aware of.

Called ‘AnteFrigus,’ it is distributed primarily through ‘malvertising’: malicious ads that redirect users to the RIG exploit kit, which in turn delivers the ransomware.

One of the most unusual features of this strain is that it deliberately skips the C: drive of the infected computer.

Instead, it focuses exclusively on the drive letters commonly assigned to mapped network drives and removable media.

BleepingComputer was among the organizations that reported on the ransomware, and independent security researcher Vitali Kremez reverse engineered it to get a look under the hood at how it works.

Kremez found that the strain only targets the D:, E:, F:, G:, H: and I: drives. It makes no attempt to encrypt files on the C: drive, and it does nothing at all with unmapped network shares.

In addition, AnteFrigus is designed to skip any file with one of the following extensions:

  • Adv
  • Ani
  • Big
  • Bat
  • Bin
  • Cab
  • Cmd
  • Com
  • Cpl
  • Cur
  • Deskthemepack
  • Diagcap
  • Diagcfg
  • Diagpkg
  • Dll
  • Drv
  • Exe
  • Hlp
  • Icl
  • Icns
  • Ico
  • Ics
  • Idx
  • Ldf
  • Lnk
  • Mod
  • Mpa
  • Msc
  • Msp
  • Msstyles
  • Msu
  • Nls
  • Nomedia
  • Ocx
  • Prf
  • Rom
  • Rtp
  • Scr
  • Shs
  • Spl
  • Sys
  • Theme
  • Themepack
  • Wpx
  • Lock
  • Key
  • Hta
  • Msi
  • Pck

Both choices, the studious avoidance of the C: drive and the list of extensions the malware won’t encrypt, are curious, and they had many people scratching their heads over why the developers would build their code this way.

Upon review, Kremez concluded that the developers are not terribly sophisticated and are still at an experimental stage; the code is very much a work in progress.  Work in progress or not, it can be dangerous, and its choice of targets is a reminder that backups kept on an always-connected USB disk or a mapped network drive are exactly what this strain goes after. Keep a copy offline, and be sure your staff is aware of this latest threat.

Pitney Bowes Company Recently Hit By Ransomware

If you’re a business owner, you probably use at least a few of the services Pitney Bowes offers.  They run a global shipping, mailing, e-commerce and financial services business that reaches just about every country on the planet.

The company has more than 1.5 million customers and serves 90 percent of the companies on the Fortune 500 list.

Unfortunately, they’ve also recently fallen victim to a ransomware attack that left several key systems encrypted. The result was a partial outage that cut off customer access to some of their services.

Beyond announcing the reason for the partial outage, the company has stressed that, at this time, they see no evidence that any customer or employee data was improperly accessed.  They also assured customers that their Enterprise Outage Response Team is on the case and that they are working with third-party security experts to resolve the issue.

At this time, if you have an account with Pitney Bowes and use their mailing system, you won’t be able to access your account data, refill postage or upload your transactions to the company’s servers. The company says it is making progress on restoring the ability to add postage to your machines and expects to have that part of the service back in the very near future.

They also stress that if you currently have postage credit on the machine you’re using, you can continue printing postage as normal.  It’s only refilling it when it runs out that remains a problem.

In addition, SendPro Online for both the UK and Canada is currently down, and you can’t access your account on the company’s web store.  Unfortunately, the company has not given customers an ETA for when full functionality will be restored. At this time, we have no information about the type of ransomware used in the attack or the size of the ransom demanded.

Windows Version of iTunes Needs Updating To Avoid Ransomware

Are you a Windows iTunes user?

If so, you should update iTunes immediately or run the risk of being infected with the BitPaymer ransomware.

The group behind BitPaymer has been spotted using a zero-day exploit in iTunes for Windows that lets them bypass antivirus detection entirely.

The good news is that Apple responded quickly to the flaw’s discovery and has already patched it in both iTunes for Windows and iCloud for Windows. The bug itself was in the Bonjour updater component that ships with both products, and it is the classic “unquoted service path” weakness: the path to the Bonjour executable was registered without quotes and contains spaces, so when Windows resolves it, it tries each space-delimited prefix of the path before the full path. By planting a file at one of those prefix locations, the attackers could have Windows launch the BitPaymer executable in place of the legitimate Bonjour binary, which is how the payload slipped past antivirus.

While the bug did not grant the attackers admin rights on the target machine, it let them install the ransomware locally without detection, which is bad enough on its own. Unfortunately, there’s a complication you should be aware of.  If you used iTunes or iCloud for Windows in the past and uninstalled the software, the Bonjour component very likely remained behind, leaving your system vulnerable even if you’re not currently using either application.

Your system administrator will need to find and remove the leftover Bonjour component; it is installed as its own “Bonjour” entry in Programs and Features and can be uninstalled from there.  If you are still using either application, simply updating to the latest version also updates Bonjour and closes the hole.
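To make the class of bug concrete, here is an added example, written for this page rather than taken from Apple, the article or any vendor, that audits a list of Windows service command lines for the same unquoted-path shape and shows exactly which locations an attacker would have to write to. The service names and paths below are constructed; on a real host the only assumption is that you feed it the Name and PathName columns of Get-CimInstance Win32_Service.

```python
"""Audit Windows service paths for the unquoted-service-path weakness.

Added example for illustration; not Apple's, Morphisec's or the article's code.
SAMPLE_SERVICES is constructed. On a real host, build the same dict from
    Get-CimInstance Win32_Service | Select-Object Name, PathName
"""
from pathlib import PureWindowsPath

# Constructed sample of Win32_Service.PathName values (not from a real host).
SAMPLE_SERVICES = {
    # unquoted path with spaces: the shape that can be hijacked
    "Bonjour Service": r"C:\Program Files\Bonjour\mDNSResponder.exe",
    # no spaces anywhere: nothing to hijack
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    # quoted executable: safe even with spaces and arguments
    "VendorSvc": r'"C:\Program Files\Vendor\svc.exe" -run',
    # unquoted path with spaces *and* trailing arguments
    "AgentSvc": r"C:\Program Files (x86)\Other Co\agent.exe --service",
}


def executable_part(pathname: str) -> str:
    """Return the image portion of an unquoted PathName.

    Service arguments follow the image path, so cut at the first '.exe'
    (case-insensitive); if there is none, treat the whole string as the image.
    """
    idx = pathname.lower().find(".exe")
    return pathname[: idx + 4] if idx != -1 else pathname


def hijack_candidates(exe_path: str) -> list[str]:
    """Locations Windows tries before the real image when exe_path is unquoted.

    Windows treats the first space as the end of the module name and retries
    with progressively longer prefixes. Every prefix short of the full path is
    therefore a spot where a planted file runs instead of the real binary.
    (Depending on the caller a prefix may also be tried with '.exe' appended;
    the directory an attacker needs to write to is the same either way.)
    """
    tokens = exe_path.split(" ")
    return [" ".join(tokens[:i]) for i in range(1, len(tokens))]


def is_unquoted_with_spaces(pathname: str) -> bool:
    """True when the image path is not quoted and contains a space."""
    p = pathname.strip()
    if p.startswith('"'):
        return False
    return " " in executable_part(p)


def audit(services: dict[str, str]) -> dict[str, list[str]]:
    """Map each vulnerable service to the prefix paths an attacker could plant."""
    findings = {}
    for name, pathname in services.items():
        if is_unquoted_with_spaces(pathname):
            findings[name] = hijack_candidates(executable_part(pathname.strip()))
    return findings


def writable_dirs_needed(findings: dict[str, list[str]]) -> list[str]:
    """Directories an attacker must be able to write to for any finding to pay off."""
    return sorted({str(PureWindowsPath(c).parent) for cands in findings.values() for c in cands})


if __name__ == "__main__":
    result = audit(SAMPLE_SERVICES)
    for svc, cands in result.items():
        print(f"{svc}: unquoted path, hijack candidates -> {cands}")
    print("attacker needs write access to:", writable_dirs_needed(result))
```

On the sample, only the Bonjour-style entry and the agent with arguments are flagged; the first needs a file at C:\Program, so the deciding question for your estate is whether non-admin users can create files in the root of the system drive and in the other listed directories.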

It’s interesting that BitPaymer is being used this way, because that strain is typically used in “Big Game Hunting” attacks: campaigns that target large organizations, try to infect as many machines as possible and then demand a huge ransom.

This particular attack is designed to impact a single machine, so it could be a sign that BitPaymer’s owners are shifting gears, but it’s too soon to say that with any authority.

New Ransomware Called TFlower Hacks Into Company Networks

Over the last two years, ransomware attacks have become increasingly common against businesses of all shapes and sizes.

While the attack vector saw a dip in popularity last year, this year it has come roaring back, with several new strains of ransomware being developed and seeing widespread use by hackers around the world.

One of the most recent entrants into the ransomware family is a new strain called “TFlower”, which made its first appearance in August of this year (2019).  Since then it has seen increasingly widespread use, so if this is the first time you’re hearing about it, it likely won’t be the last.

TFlower gets into company networks when attackers take advantage of exposed Remote Desktop services.  Once they have a toehold inside a company’s network, they use that machine to connect to and infect as many other machines on the network as possible. Like many similar forms of malware, TFlower tries to distract the user while it encrypts their files.  In this case, it displays a PowerShell window that makes it look as though some harmless software is being deployed.

While it encrypts a victim’s files, it connects to its command and control server to keep its operators apprised of its progress. It then attempts to delete the Shadow Volume Copies and to disable the Windows 10 recovery (repair) environment, which makes recovering files by conventional means difficult, if not impossible.  Note that it also tries to terminate the Outlook.exe process so that Outlook’s data files can be encrypted.
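Those pre-encryption steps are visible in process-creation logs, and they are worth alerting on regardless of which family runs them. As an added illustration (not TFlower’s code and not from the article), here is a small detector that applies that pattern to Sysmon Event ID 1 or Security 4688 style events. The events, field names and rule names are constructed for the example; the command lines matched (vssadmin delete shadows, wmic shadowcopy delete, bcdedit recoveryenabled No, reagentc /disable, taskkill on outlook.exe) are the generic commands ransomware uses for these steps, since the page does not say which exact command lines TFlower issues.

```python
"""Detect ransomware pre-encryption commands in process-creation events.

Added example, not TFlower's code. SAMPLE_EVENTS is constructed; the field
names ("ts", "host", "user", "cmdline") are this example's own, not a schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule name -> regex over the process command line. These are the commands
# ransomware families run to destroy local recovery options before encrypting.
RULES = {
    "shadow_copy_delete_vssadmin": r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b",
    "shadow_copy_delete_wmic": r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    "recovery_disabled_bcdedit": r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b",
    "boot_failure_ignored_bcdedit": r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b",
    "backup_catalog_delete_wbadmin": r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b",
    "winre_disabled_reagentc": r"\breagentc(\.exe)?\b.*/disable\b",
    "outlook_killed_taskkill": r"\btaskkill(\.exe)?\b.*/im\s+outlook\.exe\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

# Constructed process-creation events (not a real capture).
SAMPLE_EVENTS = [
    {"ts": "2019-09-12T03:14:05", "host": "WS-07", "user": r"CORP\jdoe",
     "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2019-09-12T03:14:06", "host": "WS-07", "user": r"CORP\jdoe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"ts": "2019-09-12T03:14:07", "host": "WS-07", "user": r"CORP\jdoe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"ts": "2019-09-12T03:14:09", "host": "WS-07", "user": r"CORP\jdoe",
     "cmdline": "taskkill.exe /F /IM outlook.exe"},
    # the decoy PowerShell window: looks like a deployment and matches nothing
    {"ts": "2019-09-12T03:14:10", "host": "WS-07", "user": r"CORP\jdoe",
     "cmdline": r"powershell.exe -NoProfile -File C:\deploy\install.ps1"},
    # a lone scheduled cleanup on a backup server: one rule fires, no correlation
    {"ts": "2019-09-11T22:00:00", "host": "SRV-BK", "user": r"CORP\svc_backup",
     "cmdline": "vssadmin delete shadows /for=D: /oldest"},
]


def match_rules(cmdline: str) -> list[str]:
    """Names of every rule whose regex matches the command line."""
    return [name for name, rx in COMPILED.items() if rx.search(cmdline)]


def detect(events: list[dict]) -> list[dict]:
    """One hit per (event, rule) pair, in event order."""
    hits = []
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                         "rule": rule, "cmdline": ev["cmdline"]})
    return hits


def correlate(hits: list[dict], window_minutes: int = 10) -> dict[str, list[str]]:
    """Hosts on which two or more distinct rules fire inside the window.

    A single vssadmin call can be a backup job; several different recovery-
    destroying commands within minutes of each other is the ransomware pattern.
    """
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = {}
    window = timedelta(minutes=window_minutes)
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        for i, first in enumerate(hs):
            t0 = datetime.fromisoformat(first["ts"])
            rules = {h["rule"] for h in hs[i:]
                     if datetime.fromisoformat(h["ts"]) - t0 <= window}
            if len(rules) >= 2:
                alerts[host] = sorted(rules)
                break
    return alerts


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["ts"]} {h["host"]} {h["user"]} [{h["rule"]}] {h["cmdline"]}')
    print("correlated alerts:", correlate(found))
```

Run against the sample, every hostile command on WS-07 is caught while the decoy PowerShell line is not, and only WS-07 produces a correlated alert; the backup server’s single vssadmin call is logged as a hit but not escalated, which is the distinction you want before paging someone at 3 a.m.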

When the software has done as much damage as it can, it litters the infected computer with a file named “!_Notice_!.txt” explaining that the computer’s files have been encrypted and that, to get them back, you’ll need to contact the malware’s operators at the email address provided.

Be sure your IT staff is aware, and given how this one spreads, check the security of your Remote Desktop services: nothing listening on the internet without a VPN or gateway in front of it, Network Level Authentication turned on, and strong passwords with account lockout.

Report Shows 118 Percent Increase In Ransomware Attacks In 2019

Ransomware roared onto the global stage in 2017, when companies and government agencies around the world felt the impact of widespread campaigns like NotPetya and WannaCry.

By 2018, the number of ransomware attacks had begun to fall off as hackers shifted to other tools: cryptojacking, credential theft and trojan malware.

Granted, ransomware didn’t fade completely from the picture in 2018, but it was overshadowed by the emergence of new attack vectors.  Unfortunately, according to data collected by McAfee Labs and published in its August 2019 Threats Report, ransomware is back with a vengeance.

Christiaan Beek, a lead scientist at McAfee, had this to say about the report:

“After a periodic decrease in new families and developments at the end of 2018, the first quarter of 2019 was game on again for ransomware, with code innovations and a new, much more targeted approach.”

The dramatic increase in ransomware attacks is being driven primarily by three families:  Ryuk, GandCrab and Dharma.

Ryuk is a scary bit of code that has been used to lock down entire large corporations and government agencies.  It was originally attributed to North Korea, but subsequent research points to it being the work of a highly sophisticated cybercrime syndicate rather than a nation-state.

GandCrab is a relatively new arrival on the ransomware scene, first emerging in 2018.  Often described as one of the most aggressive families of ransomware, it is run as ransomware-as-a-service: the original authors lease the code to other criminals around the world in exchange for a cut of the profits.

Dharma is the oldest of the big three, first emerging in 2016.  Originally an offshoot of an even older ransomware family known as CrySiS, it has since become a potent threat in its own right, and the hackers who control the code regularly release updates and continue to enhance its capabilities.

All of which is to say, it’s too soon to breathe a sigh of relief where ransomware is concerned.  It’s back in 2019, and it’s back with a vengeance.