Results for cryptolocker

Threat Research

Insights on TorrentLocker

Summary During the last weeks there have been several cases of international brand names being used by malware authors to propagate malware through phishing emails. These emails contain misleading links that download malicious Zip files, which, in turn, contain a JavaScript file that downloads the TorrentLocker ransomware. The malicious files have been detected as JS/Agent.2867!tr or JS/Nemucod.AFA!tr.dldr or JS/Nemucod.AFE!tr.dldr by the Fortinet Antivirus service. Since most of the available reports about this threat cover the encryption...

By Lilia Elena Gonzalez MedinaJuly 25, 2016

Industry Trends

DMA Locker 4.0: The Next Threat to Healthcare?

Lately, healthcare has been making headlines due to an onslaught of ransomware attacks from viruses like TeslaCrypt and CryptoWall. As a result of many lucrative successes in extorting ransom payments, the industry has been rightly named the number one target of cyber criminals by several research groups. And it doesn’t seem to be slowing down. Cyber criminals are looking to profit off of the traditionally soft target healthcare has presented due to its general lack of highly secure network and data center architectures. According to a malwarebytes...

By Ryan Edwards May 27, 2016

Threat Research

Nemucod Adds Ransomware Routine

It came to our attention that a new, rather peculiar version of Nemucod has been recently landing on users. Nemucod is a well-known JavaScript malware family that arrives via spam email and downloads additional malware to PCs. Most recently, Nemucod has been known to download TeslaCrypt ransomware variants. However, the last few weeks saw a shift in Nemucod variants--it now has a code to drop ransomware from its body. The sample arrives via a typical Nemucod spam with encrypted JavaScript attachment.  Upon decrypting the JavaScript, we...

By Roland Dela PazMarch 16, 2016

Threat Research

A Closer Look at Locky Ransomware

A new ransomware named “Locky” is currently circulating in the wild and making the headlines. There are some good reports regarding Locky ransomware already available over the Internet. This blog intends to focus on some technical areas that (we believe) have not been covered yet, namely, its domain generation algorithm, command and control communication, and file encryption. For reference, the following is a screenshot of Locky’s Decrypter page (cropped to save space): Based on Harry71’s Onion Spider, the Locky...

Threat Research

FAKBEN Team Ransomware Uses Open Source “Hidden Tear” Code

Earlier this month, a new ransomware-as-a-service (RaaS) from a group called “FAKBEN Team” emerged. In this post, we will talk about our findings on the ransomare binary that they sell on their website. Our analysis indicates that the encryption routine used by FAKBEN Team was grabbed from the open source Hidden Tear ransomware. The representative sample that we used has the MD5 c952a88edc0766adf819b30cd2683ac7. The malware was developed and compiled using Microsoft Visual C# .NET. Persistence The malware creates an autorun...

By Roland Dela PazNovember 24, 2015

Threat Research

Keeping an Eye on Encryptor RaaS

Previously, we talked about a new ransomware-as-a-service called Encryptor RaaS. Encryptor RaaS is a GNU Compiler for Java (GCJ) compiled ransomware that is available to anyone who wishes to be a spreading affiliate. The author then takes 20% commission for each ransom paid by an infected victim. While monitoring, we noticed some updates on its website. In particular, the new version of the ransomware dated November 13, 2015, caught our attention so we decided to take a look. Currently, the website looks as follows: Figure 1. Updated...

By Roland Dela PazNovember 17, 2015

Threat Research

Keeping Pace with Cryptowall

Overview Cryptowall is a popular ransomware which targets computers running Microsoft Windows, encrypts files, and extorts money to decrypt user files. With its predecessor’s first appearance way back September 2013, cryptowall has become a financial success to its authors. Following this success, the authors have now released what is believed to be the 4th generation of cryptowall with new alterations techniques. Ransom Note The most obvious change from the previous cryptowall is the dropped files and message instructions after the...

By Rommel Abraham D. JovenNovember 13, 2015