Monthly Archives: August 2016

Ransomware Recovery and Prevention page

I’ve intended for a while to break out some of the scattered information in the ransomware resource page and sub-pages into its own Ransomware Recovery and Prevention page.

And finally got around to it.

Much of the same information (and more) remains in the Ransomware Resources page and/or sub-pages. (Sorry, but I’m happy to duplicate information where appropriate. If I had more time to spend on this page, there’d probably be less duplication, but I haven’t…)

However, the new(-ish) page is better organized and more immediately useful (I hope) for people who are interested in barebones recovery and prevention information.

David Harley

SC Magazine on paying ransomware crooks

In an article called Ransomware locks experts in debate over ethics of paying, Bradley Barth picks up on a point I made in my blog article for ESET – Ransomware: To pay or not to pay?. He quotes both my article for ESET and some subsequent commentary by my friend and colleague Stephen Cobb. I may come back to this topic, here or elsewhere.

David Harley
ESET Senior Research Fellow

SANS reports ransomware impersonating voice messages

28th August 2016

Posted on 23rd August by Xavier Mertens at the SANS Internet Storm Center: Voice Message Notifications Deliver Ransomware. Despite coming from ‘voicemail@*’ and the attachment having the filename extension ‘’, these are not sound files but, apparently, ransomware. A more recent VirusTotal report than the one cited in the diary indicates that many vendors are associating the campaign with Nemucod.
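The lesson of that campaign is that an attachment's name says nothing about what it contains. The following is an added example (not code from the ISC diary, from this site, or from any vendor) of the kind of mail-gateway check that catches it: it compares the file type an attachment claims by its name with the bytes actually present, and looks inside archives for script members. The signature table, the list of script extensions and the three sample attachments are constructed for the demo and are assumptions, not details taken from the campaign.

```python
"""Flag e-mail attachments whose content does not match the file type
their name claims. Added example; the extension/signature table and the
sample attachments below are constructed, not taken from the campaign."""
import io
import zipfile

# Magic-byte signatures for formats a real voice-message attachment might use.
# Assumed, minimal list; extend it for your own environment.
AUDIO_SIGNATURES = {
    ".wav": [b"RIFF"],  # RIFF container; bytes 8-12 must also be b"WAVE"
    ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
    ".ogg": [b"OggS"],
    ".wma": [b"\x30\x26\xb2\x75\x8e\x66\xcf\x11"],
}

# Extensions that are never a sound file, whatever the rest of the name says.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                     ".exe", ".scr", ".cmd", ".bat", ".ps1"}


def claimed_extension(name):
    """Last extension of the name, lower-cased ('' if there is none)."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def looks_like_audio(ext, data):
    """True if the leading bytes match the audio format the extension claims."""
    sigs = AUDIO_SIGNATURES.get(ext)
    if sigs is None:
        return False
    if ext == ".wav":
        return data[:4] == b"RIFF" and data[8:12] == b"WAVE"
    return any(data.startswith(s) for s in sigs)


def zip_members(data):
    """Member names if data is a ZIP archive, [] if it only starts like one,
    None if it is not a ZIP at all."""
    if not data.startswith(b"PK\x03\x04"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def assess_attachment(name, data):
    """Return (verdict, reason) for one attachment: allow, block or review."""
    ext = claimed_extension(name)
    if ext in SCRIPT_EXTENSIONS:
        return ("block", f"executable/script extension {ext}")
    members = zip_members(data)
    if members is not None:
        bad = [m for m in members if claimed_extension(m) in SCRIPT_EXTENSIONS]
        if bad:
            return ("block", f"archive contains script(s): {bad}")
        if ext in AUDIO_SIGNATURES:
            return ("block", f"{ext} name but ZIP content")
        return ("review", "archive without obvious scripts")
    if ext in AUDIO_SIGNATURES:
        if looks_like_audio(ext, data):
            return ("allow", "content matches claimed audio format")
        return ("block", f"{ext} name but content signature does not match")
    return ("review", f"unrecognised extension {ext!r}")


def build_sample_zip(member_name, payload):
    """Build a small ZIP in memory (constructed sample data for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples: a genuine-looking WAV header, a JScript file with a
# double extension, and a ZIP that carries a .js member under an audio-like name.
SAMPLES = {
    "VoiceMessage_001.wav": b"RIFF\x24\x00\x00\x00WAVEfmt " + b"\x00" * 24,
    "VoiceMessage_002.wav.js": b"var x = new ActiveXObject('WScript.Shell');",
    "VoiceMessage_003.wav": build_sample_zip("VoiceMessage_003.wav.js", b"var s = 1;"),
}


def triage(samples=SAMPLES):
    """Assess every sample and return {name: (verdict, reason)}."""
    return {n: assess_attachment(n, d) for n, d in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in triage().items():
        print(f"{verdict:6} {name}: {reason}")
```

The point of the check is the order of the tests: a script extension is rejected before anything else is looked at, a ZIP is opened and its members are judged by the same rule, and only then is the claimed audio format compared with the actual header. Anything that fails to match is blocked rather than passed through on the strength of its name.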

Nemucod is now broken out into its own resource page on this site.

David Harley

Quick ransomware links roundup

Lawrence Abrams for Bleeping Computer: The Globe Ransomware wants to Purge your Files

Jornt van der Wiel, for Kaspersky: Wildfire, the ransomware threat that takes Holland and Belgium hostage. Summary/commentary by Darren Pauli for The Register: Intel douses Wildfire ransomware as-a-service Euro menace – Group scored $79k a month with infect-o-tronic rent-a-bot

Lawrence Abrams for Bleeping Computer: New Alma Locker Ransomware being distributed via the RIG Exploit Kit

Links added to the ransomware families resource page.

David Harley

Ransomware Links/Articles Roundup

As I’m a little busy elsewhere right now, this is just a roundup of links:

Trend Micro: New Locky Ransomware Spotted in the Brazilian Underground Market, Uses Windows Script Files

Check Point: CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service. Download the report from here, if you don’t mind sharing your contact details.

David Bisson for Graham Cluley’s blog: Cerber ransomware operation exposed… and boy is it lucrative! Affiliate system makes Cerber one of the most lucrative RaaS platforms in the world

Help Net Security: The inner workings of the Cerber ransomware campaign

David Bisson for Graham Cluley’s blog (again): Pokémon Go for Windows? Beware ransomware! Pokémaniacs at risk.

And David Bisson again: Shade malware attack examines your finances before demanding ransom – Remote control now. Encryption later.

David Harley

Hitler Ransomware

For once, an article about Hitler that doesn’t invoke Godwin’s law.

The Register’s John Leyden describes how Hitler ‘ransomware’ offers to sell you back access to your files – but just deletes them: Sloppy code is more risible than Reich, though.

I don’t suppose this gang will finish its career in a bunker in Berlin, but I’d like to think that there is at least a prison in their future.

David Harley