Tag Archives: ESET

*Bummer for Dharma: Decrypter On The Road

It seems that it’s now possible to decrypt Crysis-encrypted files that have the .dharma extension: Alleged Master Keys for the Dharma Ransomware Released on BleepingComputer.com.

ESET has updated its Crysis decryptor to take advantage of the newly-released keys. Kaspersky has done the same with its Rakhni decryptor. I imagine others will do the same, if they haven’t already.

David Harley

The Dharma Bums is a novel by Jack Kerouac. And On The Road is another. Sorry, I couldn’t resist.

Patcher/Filezip/Filecoder – data recovery and naming

Because of time issues, I added the malware ESET calls OSX/Filecoder.E to the Specific Ransomware Families and Types page but didn’t give it an article of its own here. Since there is important news (to potential victims) from Malwarebytes and Sophos, I’m repairing that omission here.

Note that both Reed and Cluley sometimes refer to the malware as FileCoder. This is potentially misleading: while ESET, which first uncovered the thing, detects it as OSX/Filecoder.E, the term ‘Filecoder’ is used generically by the company to denote crypto-ransomware, so you/we need to use the full name ‘OSX/Filecoder.E’ to distinguish it from other, unrelated ransomware families.

David Harley

Tech Support Scams in Spain

My colleague Josep Albors came to a surprising conclusion in his Spanish language blog article Fake technical support is the most detected threat in Spain during January. I was so taken with the article that I generated a somewhat free translation with copious extra commentary for WeLiveSecurity: Support scams now reign in Spain.

David Harley

ESET: Key Insights & Key Card Ransomware

ESET’s WeLiveSecurity blog put together an article combining commentary from Stephen Cobb, Lysa Myers and myself: Ransomware: Key insights from infosec experts.

Yesterday, the site also commented on a story – Austrian hotel experiences ‘ransomware of things attack’ – that I also touched upon for ITSecurity UK: Key Card Ransomware: News versus FUD.

David Harley

Jackware: carjacking and ransomware

My friend and colleague Stephen Cobb, for ESET, recently posted an article on Jackware: When connected cars meet ransomware. He says:

I define jackware as malicious software that seeks to take control of a device, the primary purpose of which is not data processing or digital communications. A car would be such a device. A lot of cars today do perform a lot of data processing and communicating, but their primary purpose is to get you from A to B. So think of jackware as a specialized form of ransomware. With regular ransomware, such as Locky and CryptoLocker, the malicious code encrypts documents on your computer and demands a ransom to unlock them. The goal of jackware is to lock up a car or other device until you pay up.

Fortunately, and I stress this: jackware is, as far as I know, still theoretical. It is not yet “in the wild”

So speculation, but informed speculation, a hot topic, and well-written (of course).

David Harley

Pokémon beGOne – malware exploiting a popular craze

[Also published on the Mac Virus blog, which also addresses smartphone security issues]

Not quite ransomware (though there is a suggestion that it may happen), but but my ESET Lukas Stefanko describes a fake lockscreen app that takes advantage of the currently prevalent obsession with Pokémon GO to install malware. The app locks the screen, forcing the user to reboot. The reboot may only be possible by removing and replacing the battery, or by using the Android Device Manager. After reboot, the hidden app uses the device to engage in click fraud, generating revenue for the criminals behind it by clicking on advertisements.  He observes:

This is the first observation of lockscreen functionality being successfully used in a fake app that landed on Google Play. It is important to note that from there it just takes one small step to add a ransom message and create the first lockscreen ransomware on Google Play.

In fact, it would also require some other steps to enable the operators to collect ransom, but the point is well taken. It’s an obvious enough step that I’m sure has already occurred to some ransomware bottom-feeders. And it’s all to easy for a relatively simple scam to take advantage of a popular craze.

Clicking on porn advertisements isn’t the only payload Lukas mentions: the article is also decorated with screenshots of scareware pop-ups and fake notifications of prizes.

The ESET article is here: Pokémon GO hype: First lockscreen tries to catch the trend

Somewhat-related recent articles from ESET:

Other blogs are available. 🙂

David Harley

ESET Latin America on Ransomware

Here’s an article from my colleague ESET Camilo Gutiérrez Amaya, Head of Awareness & Research for Latin America: Ransomware: First files … now complete devices.

The article is actually adapted from the ransomware  section of ESET’s 2016 trends paper (In)security Everywhere, but worth reading if you haven’t read that somewhat hefty document.

David Harley

Crysis? What Crysis?

Ondrej Kubovič  for ESET: Beyond TeslaCrypt: Crysis family lays claim to parts of its territory. The ransomware that ESET calls Win32/Filecoder.Crysis encrypts files on fixed, removable and network drives.

It uses strong encryption algorithms and a scheme that makes it difficult to crack in reasonable time.

It encrypts everything except system files and its own bits and pieces, and charges between 400 and 900 euros. However, ESET users may be able to recover files encrypted by older versions with the help of ESET technical support.

David Harley

DNS Unlocker

James Rodewald has put up an interesting article for ESET on a DNS hijacker. It’s actually the way it conceals its activity that’s of most interest: however, this will also interest followers of this blog:

Typically a computer user affected by DNS Unlocker will see advertisements with a note at the bottom saying, “Ads by DNSUnlocker” … or something similar and multiple different variations of “support scam” pop-ups …

Crouching Tiger, Hidden DNS

David Harley