Category Archives: Uncategorized

17th March 2018 resources and article updates

Specific Ransomware Families and Types

Cryptocurrency/Crypto-mining News and Resources

Mac Virus (now linked from AVIEN portal): Android antics and MacOS malware

David Harley

Black Ruby

[February 9th 2018]

Bleeping Computer: Black Ruby Ransomware Skips Victims in Iran and Adds a Miner for Good Measure

“A new ransomware was discovered this week by MalwareHunterTeam called Black Ruby. This ransomware will encrypt the files on a computer, scramble the file name, and then append the BlackRuby extension. To make matters worse, Black Ruby will also install a Monero miner on the computer that utilizes as much of the CPU as it can.”

Not currently decryptable.

David Harley


 for ESET: FriedEx: BitPaymer ransomware the work of Dridex authors

“Recent ESET research shows that the authors of the infamous Dridex banking trojan are also behind another high-profile malware family – a sophisticated ransomware detected by ESET products as Win32/Filecoder.FriedEx and Win64/ Filecoder.FriedEx, and also known as BitPaymer.”

David Harley

‘AdultSwine’ – Android malware with a dirty mind

The Register: ‘Mummy, what’s felching?’ Tot gets smut served by Android app – Google’s Play Store fails again

Actually, I didn’t know about felching, either, and I wish I hadn’t looked it up.

Based on Checkpoint’s blog article Malware Displaying Porn Ads Discovered in Game Apps on Google Play. Checkpoint says that this is a triple-threat attack: it may display ads that are often (very) pornographic, engineer users into installing fake security apps, and/or induce them to register with premium services.

David Harley

The Mechanisms of Support Scamming

Dial One for Scam: A Large-Scale Analysis of Technical Support Scams is an academic paper, but interesting*. While it doesn’t tell seasoned scam watchers much we weren’t already aware of, it does take a systematic look at how the scheme is implemented, and hopefully that will be useful to someone in a better position to pursue more fundamental approaches than the occasional analyses from the anti-malware industry that this paper dismisses as ‘ad hoc’.

Sid Kirchheimer’s article from April 2017 for AARP – From Pop-Up Warnings to $9 Million Payout: Inside the Tech Support Scam – includes an easily-digestible summary of some of the main points of the paper.

Hat tip to Mich Kabay for bringing the article to my attention, and to Fat Security for flagging the paper for me some time ago.

David Harley

*However, it’s irritating to see in section VII a paper of which I was co-author apparently credited to Malwarebytes. Reference [5] is to this paper for a Virus Bulletin conference – My PC has 32,539 Errors: how Telephone Support Scams really Work – and I appreciate having our work referenced.

Nevertheless, although Steve Burn, one of the authors, was indeed working for Malwarebytes, I was working for ESET, Martijn Grooten was working for Virus Bulletin, and Craig Johnston was an independent researcher. It is, of course, perfectly true that Malwarebytes researchers have done much useful research in this are.

LG TV ransomware revisited

In case you were wondering what happened as regards the story I previously blogged here – Smart TV Hit by Android Ransomware – it appears that LG has decided after all to make the reset instructions for the TV public rather than requiring an LG engineer to perform the task for only twice the price of a new set… Note that this was an old model running Android, not a newer model running WebOS.

Catch-up story by David Bisson (following up on his earlier story for Metacompliance) for Graham Cluley’s blog: How to remove ransomware from your LG Smart TV – And the ransomware devs go home empty-handed!

The article quotes The Register’s article here, which details the instructions, but also links to a video on YouTube by Darren Cauthon – who originally flagged the problem – demonstrating the process.

[Also posted at Mac Virus]

David Harley


Decrypters info

An article by Charlie Osborne for ZDnet/Zero Day includes an alphabetical list of ransomware families for which decrypters are available, with links. It’s not, of course, a complete list (either of remediable ransomware or of reputable sources of decrypters) but the sources it does list are indeed reputable. As we’re seeing an increasing number of less reputable sources misusing SEO, blog comments and so on, that’s not a small consideration. Added to the Specific Ransomware Families and Types and Ransomware Recovery and Prevention pages.

Remove ransomware infections from your PC using these free tools – A how-to on finding out what ransomware is squatting in your PC — and how to get rid of it.

Ransomware listed includes: Al-Namrood, Apocalypse, ApocalypseVM, Autolocky, BadBlock, Bart, Bitcryptor, Cerber v.1, Chimera, CoinVault, CrypBoss, CryptoDefense, CryptInfinite, CryptXXX v.1 & 2, CryptXXX v1, 2, 3, 4, 5, DMALocker, DMALocker2, Fabiansomware, FenixLocker, Gomasom, Globe, Harasom, HydraCrypt, Jigsaw, KeyBTC, Lechiffree, Marsjoke | Polyglot, Nemucod, Nemucod, MirCop, Operation Global III, TeslaCrypt, PClock, Petya, Philadelphia, PowerWare, Rakhni & similar, Rannoh, Shade v1 & 2, SNSLocker, Stampado, TeslaCrypt v1, 2, 3, 4, UmbreCrypt, Vandev, Wildfire, Xorist, 777

Ransomware updates (1)

I can’t say that the ransomware landscape hasn’t been busy for the past week or two, but so have I, on entirely different issues. I have been adding links etc. to resources pages, and they’re not all referenced here, but here’s an update on some stuff I’ve added today.

(1) Cylance’s analysis of AlphaLocker. (HT to Artem Baranov for drawing my attention to it.) Useful stuff, despite the customary AV-knocking.

(2) Help Net Security posted a useful update referring to commentary from Kaspersky – New ransomware modifications increase 14%. Points made in the article include these:

  • The (sub)title refers to 2,896 modifications made to ransomware in the first quarter of 2016, an increase of 14%, and a 30% increase in attempted ransomware attacks.
  • According to Kaspersky, the ‘top three’ offenders are ‘Teslacrypt (58.4%), CTB Locker (23.5%), and Cryptowall (3.4%).’ Locky and Petya also get a namecheck.
  • Kaspersky also reports that mobile ransomware has increased ‘from 1,984 in Q4, 2015 to 2,895 in Q1,2016.’

(3) Graham Cluley, for ESET, quotes the FBI: No, you shouldn’t pay ransomware extortionists. Encouragingly, the agency seems to have modified its previous stance in its more recent advisory. The agency also offers a series of tips on reducing the risk of succumbing to a ransomware attack. Basic advice, but it will benefit individuals as well as corporate users, and reduce the risk from other kinds of attack too. I was mildly amused, though, to read in the FBI tips:

– Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

It’s a bit tricky to back up data without connecting to the system used for primary storage. I think what the FBI probably meant was that you shouldn’t have your secure backups routinely or permanently accessible from that system, since that entails the strong risk that the backups will also be encrypted.

The tips include a link to an FBI brochure that unequivocally discourages victims from paying the ransom, as well as expanding on its advice. And it is clearer on the risk to backups:

 Examples might be securing backups in the cloud or physically storing offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization. Backups are critical in ransomware; if you are infected, this may be the best way to recover your critical data.

David Harley

Ransomware and Encryption

A few times I’ve seen it suggested that encryption of valuable data before ransomware strikes will somehow protect it against ransomware. Today I came across the same assertion again on Spiceworks, apparently suggested to a Spiceworks subscriber by a lecturer. Not a lecturer in IT security, I hope…

I guess whether there’s any truth in the assertion depends on what you understand by encryption.

  • If files can be modified they can be encrypted: ransomware doesn’t check to see if a file is encrypted and throw its hands up in despair if it is, it simply adds another layer of encryption.
  • If the media on which the files reside can’t be accessed without a password then presumably the files themselves can’t be modified while the media are inaccessible.
  • However, if the media are accessible and write-enabled because the files are in use, the chances are that ransomware will be able to encrypt the files, irrespective of whether they are already somehow encrypted by the legitimate owner or user of the aforementioned files.

Much the same considerations apply to  backups, of course. If the backup media are accessible while the ransomware delivers its unpleasant payload, there’s a ‘good’ chance that the backed up files will also be encrypted.

[Updated later:

This article – Mac OS X ransomware: How KeRanger is a shadow of malware to come – The design of KeRanger demonstrates how attackers plan to make it even harder for victims of ransomware not to pay up – includes an interesting if confusing/confused comment from Timothy Wallach of the FBI:

“The best prevention for ransomware is to have thorough backups that are off the network, as well as encrypting your own data. That way if the bad guys encrypt it with their ransomware you still have it…”

It would be interesting to know if that’s exactly what Wallach said, since I’d rather like to know what he meant by ‘encrypting your own data’.]

David Harley

Ransomware: Understanding Bitcoin

It probably hasn’t escaped your notice that ransomware gangs are fond of Bitcoin, and you may also be aware that some victims who decide to pay up are finding the Bitcoin technology somewhat daunting, to the extent that PadCrypt may be intended to offer advice on paying with Bitcoin by way of a live chat facility (offline at the time of writing). At any rate, Bleeping Computer’s Lawrence Abrams comments:

“A feature like this could potentially increase the amount of payments as the victim can receive “support” and be guided on the confusing process of making a payment.

I’m not familiar enough with Bitcoin at the moment to help much as far as that’s concerned, but I have noticed a number of articles recently that relate to it:

  • Bitcoin and Cryptocurrency Technologies assumes that ‘…you have a basic understanding of computer science — how computers work, data structures and algorithms, and some programming experience. If you’re an undergraduate or graduate student of computer science, a software developer, an entrepreneur, or a technology hobbyist, this textbook is for you.’ However, it is written using a fairly conversational tone, so it’s certainly worth a look if you’re reasonably IT-literate.
  • This primer from Princeton is about 296 pages shorter and more consumer friendly. And here’s Bitcoin’s own FAQ.
  • Richard Chirgwin points out that Bitcoiners are just like everybody else: They use rubbish passwords, which may not reassure you.
  • Imperva has published an interesting paper on ‘The secret of Cryptowall’s success‘ based Bitcoin wallet analysis.

William Hugh Murray comments in a recent SANS newsletter:

Cyber currency is too slow ever to play a major role as a medium of exchange.  It is too volatile to serve as a store of value.  However, anonymity will serve to encourage extortion.

That section of the Newsbites newsletter has a number of interesting links to commentary on the Locky ransomware, by the way.

David Harley