WannaHydra

With the growing popularity of Android devices, cybercriminals have been pumping out an increasing amount of malware dedicated to targeting machines running the Android OS. The WannaLocker Ransomware is a ransomware threat that targets Android devices specifically. The authors of the WannaLocker Trojan have copied the interface of the infamous WannaCryptor Ransomware – the ransomware threat that made headlines all around the world in 2017. It appears that this is the only aspect that the cyber crooks responsible for the WannaLocker threat have borrowed, which is fortunate for the victims, as the WannaCryptor Ransomware is an extremely threatening, high-end project. Ever since releasing the WannaLocker Trojan, its authors have not been idle. They have updated their threat and renamed it to WannaHydra. The name seems to be related to the...

Posted on July 4, 2019 in Malware

BianLian

The BianLian malware was first spotted in 2018. It became evident quickly that this threat is targeting Android devices. However, the authors of the BianLian malware have not been sitting idly – they have introduced an update to their threat. The update allows the BianLian malware to obfuscate its code much more effectively, which has made the threat much harder to dissect and improved its ability to stay under the radar of anti-malware applications. In its previous variants, the BianLian served as a first-stage payload whose purpose was to infiltrate a device and then serve as a backdoor and introduce additional malware to it. With the new update, the BianLian is no longer only a backdoor but can complete other tasks too. Once the BianLian malware infiltrates a device, it will make sure to hide its icon...

Posted on July 4, 2019 in Malware

ChineseRarypt Ransomware

The ChineseRarypt Ransomware is a file-locking Trojan that has been spotted by malware researchers recently. Initially, researchers believed that this ransomware threat is not a variant of any of the popular ransomware threats. However, some sources now claim that the ChineseRarypt Ransomware belongs to the Djvu Ransomware family. So far, it is known that this ransomware affects only computers running the Windows operating system.

Vectors of Distribution

Cybersecurity experts have been unable to confirm what infection vectors have been employed in spreading the ChineseRarypt Ransomware. However, some speculate that the cyber crooks responsible for the ChineseRarypt Ransomware are using spam email campaigns, alongside bogus software updates and likely corrupted...

Posted on July 4, 2019 in Ransomware

Isolated Ransomware

At the beginning of July 2019, cybersecurity experts detected a new data-encrypting Trojan. It goes by the name Isolated Ransomware and is a variant of the Aurora Ransomware. It is not yet known what propagation methods are employed in spreading this file-locking Trojan. Some experts speculate that emails containing infected attachments, corrupted pirated software, and fraudulent application updates may be among the infection vectors involved in the propagation of the Isolated Ransomware. If the Isolated Ransomware succeeds in compromising a system, it will start the attack by initializing a scan of the machine. This is done to locate the files that the Isolated Ransomware was programmed to go after. The next step is the encryption process. The Isolated Ransomware will lock the files that correspond to the file types...

Posted on July 4, 2019 in Ransomware

AndroMut

TA505 is a hacking group that is known to have launched operations all around the globe - North America, South America, Asia and Africa. This infamous hacking group has recently launched a new Trojan downloader called AndroMut. When cybersecurity experts inspected AndroMut, it became evident that this new threat has a lot in common with a widely known threat that has been in action since 2011 – the Andromeda malware family. AndroMut, however, is a much simpler piece of malware. The purpose of AndroMut is to bypass any security checks present on the infiltrated machine, gain persistence, and serve as a backdoor for a payload, which would be sent from the C&C (Command & Control) server of the perpetrators. AndroMut has already been linked to two campaigns. The first one targeted companies in South Korea. The...

Posted on July 3, 2019 in Malware

Godlua

In July 2019, malware researchers came across a new backdoor Trojan that goes by the name Godlua. They could not determine the exact propagation method used in spreading this threat. There are indicators that machines running the Linux OS may be targeted via a new Confluence exploit. At first, the Godlua backdoor Trojan was only meant to infiltrate Linux PCs, but then its authors updated the threat to be compatible with other operating systems (Windows computers and Internet-of-Things devices) to ensure that their creation is capable of infecting the maximum number of machines. At first, cybersecurity experts regarded the Godlua Trojan as a cryptocurrency miner. Later, it turned out that this is not the case and that the Godlua backdoor was employed in DDoS (Distributed-Denial-of-Service) attacks targeting a Chinese Web page. This...

Posted on July 3, 2019 in Backdoors

Besub Ransomware

Having your files locked up by the Besub Ransomware is guaranteed to be an unhappy experience – this file-locker needs just a few minutes to encrypt the contents of numerous files and then start extorting you for money. This project is a part of the STOP Ransomware family and, sadly, this means that it is unlikely that its victims will be able to rely on a free decryptor to assist them with the recovery of their files. While some of the STOP Ransomware variants have been fairly inactive, the same cannot be said about the Besub Ransomware – there have been dozens of complaints about it just a day after it was first seen in the wild. The threat does not appear to target a specific region, and it would appear that its operators are using phishing emails, fake downloads, and pirated software to bring the threatening program to their...

Posted on July 3, 2019 in Ransomware

Cs16 Ransomware

At the beginning of July 2019, malware experts spotted a new data-locking Trojan. It is called the Cs16 Ransomware, and when researchers looked deeper into it, they discovered that it belongs to the Cryakl Ransomware family. It has not yet been confirmed what propagation methods are used in spreading the Cs16 Ransomware, but some speculate that spam emails containing a macro-laced document, infected pirated applications, and bogus software updates may be among the infection vectors employed in the propagation of this file-encrypting Trojan. Once the Cs16 Ransomware compromises a system successfully, it will scan it to locate the files that will be targeted for locking. Then, the Cs16 Ransomware triggers the encryption process. When this Trojan locks a file, it changes its extension by adding 'email-3nity@tuta.io.ver-CS 1.6.-..cs16,'...

Posted on July 3, 2019 in Ransomware

Ratsnif

Ratsnif is a group of Trojans developed since 2016 to give attackers access to devices and networks. The latest Ratsnif Trojans use a number of network attack techniques such as ARP poisoning, DNS poisoning, packet sniffing, HTTP injection and MAC address spoofing. Ratsnif Trojans are called Remote Access Tools (RATs) and collect information about a system or network that can be used to compromise and attack it.

Some Details about Ratsnif Trojans

Ratsnif "RATs" are developed and used by a group called "OceanLotus APT Group," "APT32," "CobaltKitty" or "SeaLotus." Four samples of the Ratsnif Trojan have been discovered so far. Three of these were developed and deployed in 2016 and one in 2018. All the Trojans developed in 2016 function similarly, and there are no major differences in how they attack devices and networks. The last of the 2016...

Posted on July 2, 2019 in Trojans

Alilibat Ransomware

The Alilibat Ransomware is ransomware based on the Scarab Ransomware family, which was detected a while back. The Scarab Ransomware has been around for a few years now, but decrypting files locked by it or by a variant like the Alilibat Ransomware is still nearly impossible. The Alilibat Ransomware works in much the same way as most other ransomware and demands a ransom in return for decrypting your data. The Alilibat Ransomware is recognizable by the ".alilibat" extension it appends to the files that are encrypted by it. The threat also adds a unique identifier as an extension before ".alilibat." This means that a file called "xyz.abc" would become "xyz.abc.12323452.alilibat". The ransom note is usually found on the desktop and called "DECRYPT.text".

How Victims Should Deal with the Alilibat Ransomware

The Alilibat Ransomware attacks...

Posted on July 2, 2019 in Ransomware

Cago Ransomware

The CAGO Ransomware is a variant of the "Hermes Ransomware." Like most ransomware, the CAGO Ransomware encrypts your data and appends an extension to the affected files. In this case, the extension is usually ".CAGO Ransomware." The ransom file created is usually labeled "DECRYPT_INFO.txt" and added to every affected folder.

What Will the CAGO Ransomware Do with Your Files?

The encryption method the CAGO Ransomware uses is currently unknown. It may use symmetric or asymmetric cryptography. At present, there is no known method of decrypting files attacked this way without knowing the key and method that was used to encrypt them. The CAGO Ransomware is similar to the DCOM and the Litar families of ransomware. The malware is spread via spam email containing a link to a compromised download or sometimes even an attached file that is...

Posted on July 2, 2019 in Ransomware

Chekyshka Ransomware

The Chekyshka Ransomware uses the AES cipher and demands money in return for decrypting files it encrypts during an attack. The Chekyshka Ransomware usually adds a ".chekyshka" extension to each file it encrypts. The associated ransom file is usually named "!!!CHEKYSHKA_DECRYPT_README.TXT" and is created in every folder containing infected files. The ransom amount is usually $1200, to be paid via Bitcoin.

How the Chekyshka Ransomware Spreads

The Chekyshka Ransomware is known to use AES cipher methods to encrypt the user's files. It was first reported in June of 2019 and works like most ransomware. The Chekyshka Ransomware is spread using various methods including spam email, torrents, and infected direct downloads from spoof sites. It also can be spread using embedded macros in documents.

Sample Ransom Note

'All your files have been...

Posted on July 2, 2019 in Ransomware

Skimer

Skimer is a piece of malware that targets ATMs and has been active for many years now. Malware experts first spotted the Skimer threat back in 2009. While the Skimer malware has not developed through the years, ATM malware in general has improved greatly. Most cybercriminals nowadays prefer emptying ATMs instead of skimming credit cards. Cybercrooks that target ATMs usually have to split into two groups – one which has to insert a USB drive into the machine to deploy the malware physically, and one which sits behind a computer screen and operates the threat. Malware that targets ATMs usually gains access to their system and manipulates the settings to get the machine to start pumping out cash. The Skimer malware manages to bypass the safety checks by authenticating itself using a rather innovative...

Posted on July 1, 2019 in Malware

OSX/CrescentCore

The OSX/CrescentCore malware is a Trojan that hides inside an Adobe Flash installer and targets Mac OS X users. The malware attempts to avoid detection by not running if it is inside a VM or if third-party anti-virus software is installed on the machine.

A Few Details about the OSX/CrescentCore Malware

There are multiple versions of this malware currently known to researchers. All versions present themselves as a .dmg image file containing a "Player" application. If a user opens the Player application, the malware then checks if it is running inside a virtual machine or whether any third-party anti-virus applications are installed. If it detects either, the malware exits without taking any action. If no VM or anti-virus is detected, the malware then installs threatening software. The versions currently being studied install...

Posted on July 1, 2019 in Malware

DCOM Ransomware

The DCOM Ransomware belongs to a group of malware derived from the GlobeImposter Ransomware and is similar to other ransomware like the Popotic Ransomware and the Lotep Ransomware. Most GlobeImposter Ransomware variants work the same way: encrypt all data, append an extension, and demand payment to decrypt.

What is the Objective of the DCOM Ransomware?

The DCOM Ransomware is a ransomware that encrypts your data and adds a ".dcom" extension to every file. It also adds a text file called "how_to_back_files" on the desktop. The GlobeImposter variants' ransom note is almost always the same: inform the victims that their files are encrypted and require a decryption key or software to be decrypted; provide an email address and an alternate email address in case the first one is non-responsive; offer to decrypt one file for free. A public key...

Posted on July 1, 2019 in Ransomware